
#5731 closed defect (worksforme)

Access for IAM users with prefix restriction

Reported by: tedp Owned by:
Priority: normal Milestone: 4.0
Component: s3 Version: 3.8.1
Severity: normal Keywords: S3 AIM
Cc: Architecture: Intel
Platform: Mac OS X 10.6

Description

We have some IAM users in Amazon S3 who are granted access only to specific directories in a bucket. This configuration works fine in S3Fox organizer or other similar software, but Cyberduck does not allow these users to access their directory, even when specifying it in the path input box. An error message is displayed: "Bucket not accessible:[bucket name]".

Change History (9)

comment:1 Changed on Feb 26, 2011 at 2:08:19 PM by dkocher

  • Component changed from core to s3
  • Milestone set to 4.0
  • Resolution set to fixed
  • Status changed from new to closed
  • Summary changed from Amazon S3 access for AIM users to Access for IAM users

In r8407. Removed test for bucket read permission. This should fix this issue if a path is given in the bookmark. Please try the latest snapshot build available.

comment:2 Changed on Feb 27, 2011 at 1:13:55 PM by dkocher

  • Resolution fixed deleted
  • Status changed from closed to reopened

This will still fail as we try to list all buckets upon login which will fail and lead to a login failure for IAM users.

comment:3 Changed on Feb 27, 2011 at 6:00:25 PM by dkocher

I am in the process of setting up a wiki page for everything IAM related.

comment:4 Changed on Feb 28, 2011 at 5:45:40 PM by dkocher

Can you paste the policy including the resource restriction you are using?

comment:5 (in reply to comment:4) Changed on Feb 28, 2011 at 6:50:41 PM by tedp

Replying to dkocher:

Can you paste the policy including the resource restriction you are using?

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::bucketname/foldername/*",
      "Condition": {}
    }
  ]
}
 
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::*",
      "Condition": {
        "StringLike": {
          "s3:prefix": "foldername/*"
        }
      }
    }
  ]
}

Please note that if we add the following policy, it works, but the user sees a list of all our buckets:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::",
      "Condition": {}
    }
  ]
}

Thanks for the quick follow up.

Last edited on Mar 1, 2011 at 10:11:06 AM by dkocher

comment:6 Changed on Mar 1, 2011 at 10:12:09 AM by dkocher

  • Summary changed from Access for IAM users to Access for IAM users with prefix restriction

comment:7 Changed on Mar 2, 2011 at 3:16:28 PM by dkocher

  • Milestone changed from 4.0 to 4.1

comment:8 Changed on Mar 7, 2011 at 8:45:47 PM by dkocher

  • Milestone changed from 4.1 to 4.0
  • Resolution set to worksforme
  • Status changed from reopened to closed

Playing around with this, it looks to me like you have to give explicit access to the bucket in another statement.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::bucketname",
      "Condition": {}
    }
  ]
}

Then you should be able to connect by specifying the bucketname in the hostname when connecting. Make sure to put bucketname.s3.amazonaws.com in the Server field of the bookmark.

Last edited on Mar 7, 2011 at 8:46:13 PM by dkocher

comment:9 Changed on Mar 18, 2011 at 1:31:11 PM by tedp

Thank you for the feedback. I may be missing something, but I don't think your solution works. As mentioned in the original description, every user has a different folder in the bucket. Users should not be able to access other users' folders. From what I understand, your policy opens unrestricted access to all users to the whole bucket.
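An added example, not from the ticket or from Cyberduck: a deliberately simplified model of IAM policy evaluation (Allow statements, `*` wildcards and a single StringLike condition; none of AWS's other rules such as explicit Deny or policy variables) used to compare the bucket-wide `s3:*` grant from comment:8 with a prefix-scoped `s3:ListBucket` granted on the bucket ARN, which is the resource listing is authorized against. Bucket and folder names are the ticket's placeholders.

```python
# Added example (not from the ticket or Cyberduck): a deliberately simplified
# model of IAM policy evaluation, enough to compare the policies in this thread.
# Only "Allow" statements, "*" wildcards and a StringLike condition on s3:prefix
# are modelled; real AWS evaluation has more rules (explicit Deny, variables...).
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::bucketname"  # placeholder bucket name, as in the ticket

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_matches(stmt, action, resource, context):
    """True if action, resource and request context satisfy one statement."""
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    # Every condition key must be present in the request and match a pattern.
    for key, patterns in stmt.get("Condition", {}).get("StringLike", {}).items():
        value = context.get(key)
        if value is None or not any(fnmatchcase(value, p) for p in _as_list(patterns)):
            return False
    return True

def is_allowed(policy, action, resource, context=None):
    """Allow if any Allow statement matches; the default is deny."""
    context = context or {}
    return any(s["Effect"] == "Allow" and statement_matches(s, action, resource, context)
               for s in policy["Statement"])

# comment:8's fix: s3:* on the whole bucket (listing is a bucket-level call).
BROAD = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": BUCKET},
    {"Effect": "Allow", "Action": "s3:*", "Resource": BUCKET + "/foldername/*"},
]}

# Least-privilege alternative: ListBucket is still granted on the bucket ARN,
# but only for keys under the user's own prefix; objects stay prefix-scoped.
SCOPED = {"Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET,
     "Condition": {"StringLike": {"s3:prefix": "foldername/*"}}},
    {"Effect": "Allow", "Action": "s3:*", "Resource": BUCKET + "/foldername/*"},
]}

def can_list(policy, prefix):
    return is_allowed(policy, "s3:ListBucket", BUCKET, {"s3:prefix": prefix})

def can_get(policy, key):
    return is_allowed(policy, "s3:GetObject", BUCKET + "/" + key)

if __name__ == "__main__":
    print("broad lists other folder :", can_list(BROAD, "otheruser/"))    # True
    print("scoped lists own folder  :", can_list(SCOPED, "foldername/"))  # True
    print("scoped lists other folder:", can_list(SCOPED, "otheruser/"))   # False
    print("scoped reads other object:", can_get(SCOPED, "otheruser/a.txt"))  # False
```

A ListBucket call made without any prefix carries no `s3:prefix` key, so under the scoped policy it is denied as well, which is what keeps one user's listing from exposing another's folder names.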
