
Access for IAM users with prefix restriction #5731

Closed
cyberduck opened this issue Feb 26, 2011 · 7 comments
Labels
bug s3 AWS S3 Protocol Implementation worksforme
Milestone

Comments

@cyberduck
Collaborator

45f423f created the issue

We have some IAM users in Amazon S3 who are granted access only to specific directories in a bucket.
This configuration works fine in S3Fox organizer or other similar software, but Cyberduck does not allow these users to access their directory, even when specifying it in the path input box.
An error message is displayed: "Bucket not accessible:[bucket name]".

@cyberduck
Collaborator Author

@dkocher commented

In 8fbc879. Removed test for bucket read permission. This should fix this issue if a path is given in the bookmark. Please try the latest snapshot build available.

@cyberduck
Collaborator Author

@dkocher commented

This will still fail as we try to list all buckets upon login which will fail and lead to a login failure for IAM users.

@cyberduck
Collaborator Author

@dkocher commented

I am in the process of setting up a wiki page for everything IAM related.

@cyberduck
Collaborator Author

@dkocher commented

Can you paste the policy including the resource restriction you are using?

@cyberduck
Collaborator Author

45f423f commented

Replying to [comment:4 dkocher]:

Can you paste the policy including the resource restriction you are using?

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::bucketname/foldername/*",
      "Condition": {}
    }
  ]
}
 
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::*",
      "Condition": {
        "StringLike": {
          "s3:prefix": "foldername/*"
        }
      }
    }
  ]
}

Please note that if we add the following policy, it works, but the user sees a list of all our buckets:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::",
      "Condition": {}
    }
  ]
}

Thanks for the quick follow up.

@cyberduck
Collaborator Author

@dkocher commented

Playing around with this, it looks to me like you have to give explicit access to the bucket in another statement.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::bucketname",
      "Condition": {}
    }
  ]
}

Then you should be able to connect by specifying the bucketname in the hostname when connecting. Make sure to put bucketname.s3.amazonaws.com in the Server field of the bookmark.

@cyberduck
Collaborator Author

45f423f commented

Thank you for the feedback.
I may miss something, but I don't think your solution works.
As mentioned in the original description, every user has a different folder in the bucket. Users should not be able to access other users' folders. From what I understand, your policy opens unrestricted access to all users to the whole bucket.
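The disagreement in this thread comes down to how the three policy fragments combine under IAM's evaluation rules: the reporter's `s3:ListBucket` statement only matches when the request carries an `s3:prefix` under `foldername/`, so the bucket-list call Cyberduck makes at login (`s3:ListAllMyBuckets`) and a root listing of the bucket are both denied, while the maintainer's `s3:*` on the bare bucket ARN matches `s3:ListBucket` with any prefix and therefore exposes other users' folder names. The toy evaluator below is an added example written for this page; it is not Cyberduck code and not AWS's evaluator. It models only the features these policies use (Allow/Deny, `*`/`?` wildcards in Action and Resource, and a `StringLike` condition on `s3:prefix`, with a missing context key making the condition false). The bucket and folder names, the object keys, and the `LEAST_PRIVILEGE_POLICIES` set that grants `s3:ListAllMyBuckets` on `arn:aws:s3:::*` alongside the prefix-scoped statements are constructed assumptions, not values from the issue.

```python
"""Toy IAM-style policy evaluator for S3 prefix-restricted users.

Assumptions (not from the issue): bucket/folder names are placeholders, and
only Effect, Action, Resource and a StringLike condition on s3:prefix are
modelled. Real IAM evaluation has many more rules.
"""
import re
from typing import Any, Dict, List, Optional

# Constructed placeholder values, chosen to mirror the issue's examples.
BUCKET = "bucketname"
FOLDER = "foldername"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
ALL_BUCKETS_ARN = "arn:aws:s3:::*"

Policy = Dict[str, Any]


def _glob(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style wildcard match: '*' matches any run (including empty), '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _conditions_met(condition: Dict[str, Any], ctx: Dict[str, str]) -> bool:
    """Only StringLike is modelled. A condition key absent from the request
    makes the condition false, which is what denies a listing with no prefix."""
    for operator, pairs in condition.items():
        if operator != "StringLike":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, patterns in pairs.items():
            if key not in ctx or not any(_glob(p, ctx[key]) for p in _as_list(patterns)):
                return False
    return True


def is_allowed(policies: List[Policy], action: str, resource: str,
               ctx: Optional[Dict[str, str]] = None) -> bool:
    """Default deny; an explicit Deny wins over any Allow."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_glob(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
                continue
            if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if not _conditions_met(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# The reporter's two statements (object access under the folder, prefix-scoped listing).
USER_POLICIES: List[Policy] = [
    {"Statement": [{"Effect": "Allow", "Action": "s3:*",
                    "Resource": f"{BUCKET_ARN}/{FOLDER}/*", "Condition": {}}]},
    {"Statement": [{"Effect": "Allow", "Action": "s3:ListBucket", "Resource": ALL_BUCKETS_ARN,
                    "Condition": {"StringLike": {"s3:prefix": f"{FOLDER}/*"}}}]},
]

# The maintainer's suggested extra statement: s3:* on the bare bucket ARN.
MAINTAINER_BUCKET_POLICY: Policy = {
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": BUCKET_ARN, "Condition": {}}]}
WITH_MAINTAINER_POLICIES: List[Policy] = USER_POLICIES + [MAINTAINER_BUCKET_POLICY]

# Assumed alternative: allow the login-time bucket enumeration explicitly, but keep
# bucket listing scoped to the user's prefix and object access scoped to the folder.
LEAST_PRIVILEGE_POLICIES: List[Policy] = [
    {"Statement": [{"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": ALL_BUCKETS_ARN}]},
    {"Statement": [{"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET_ARN,
                    "Condition": {"StringLike": {"s3:prefix": f"{FOLDER}/*"}}}]},
    {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                    "Resource": f"{BUCKET_ARN}/{FOLDER}/*"}]},
]


def login_listing_allowed(policies: List[Policy]) -> bool:
    """The call a client makes at login when it enumerates all buckets."""
    return is_allowed(policies, "s3:ListAllMyBuckets", ALL_BUCKETS_ARN)


def can_list(policies: List[Policy], prefix: Optional[str]) -> bool:
    """ListBucket with the given prefix; None models a root listing with no prefix parameter."""
    ctx = {} if prefix is None else {"s3:prefix": prefix}
    return is_allowed(policies, "s3:ListBucket", BUCKET_ARN, ctx)


def can_get(policies: List[Policy], key: str) -> bool:
    return is_allowed(policies, "s3:GetObject", f"{BUCKET_ARN}/{key}")


if __name__ == "__main__":
    for name, pols in [("reporter", USER_POLICIES), ("reporter+maintainer", WITH_MAINTAINER_POLICIES),
                       ("least-privilege", LEAST_PRIVILEGE_POLICIES)]:
        print(f"{name:20} login={login_listing_allowed(pols)} own={can_list(pols, FOLDER + '/')} "
              f"root={can_list(pols, None)} other={can_list(pols, 'other/')} "
              f"get_other={can_get(pols, 'other/secret.txt')}")
```

Running the block shows the three positions in the thread side by side: the reporter's policies deny the login-time enumeration and a root listing but allow the prefixed listing (hence the maintainer's note that a path in the bookmark is required); adding `s3:*` on the bucket ARN makes listing with any prefix succeed, which is the exposure the reporter objects to, even though reading other folders' objects stays denied; and the assumed least-privilege set passes the login enumeration while keeping both listing and object access scoped to the folder.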

@iterate-ch iterate-ch locked as resolved and limited conversation to collaborators Nov 26, 2021