Cant putObject to s3 from ECS container - amazon-s3

I have setup an ECS task containing two containers. The containers are fully responsive to request, but they need to put some items into s3, but I get Err foundAccessDenied: Access Denied.
I have attached a new policy as following to ecsTaskExecutionRole role.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets",
"s3:ListBucket"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"*"
]
}
]
}
Also added the following env when creating docker images: ECS_ENABLE_TASK_IAM_ROLE=true
What am I missing here that all the time get the AccessDenied error?!

Related

How to restrict the S3 buckets listing in the Visual Studio AWS explorer

I am setting up the AWS toolkit in the Visual Studio. I have created an IAM user which will be used for development.
But for the IAM user I have configured I am seeing that it cannot see the S3 buckets in the explorer. It gives "Access denied".
This is the custom role assigned to the IAM user:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListing",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::dev-buckets"
},
{
"Sid": "AllowReadWriteDel",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::dev-buckets/*"
}
]
}
The only way I can get it working is by adding "AmazonS3FullAccess" policy to the IAM user. But then it exposes all the buckets in the account. Not just the buckets meant for the developers.
Is it possible to do using a custom policy? I am a beginner.
You cannot only list specific bucket when trying to list buckets.
I think the following policy should help you out:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::dev-buckets",
"arn:aws:s3:::dev-buckets/*"
]
}
]
}

AWS restrict access to subfolder in s3

I am trying to restrict an IAM role to only be able to access a specific subfolder (key prefix) in an S3 bucket. Here's the policy JSON I'm using, but currently the user can still access other folders in the bucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::somebucket",
"arn:aws:s3:::somebucket/*"
]
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"s3:ListBucketVersions",
"s3:ListBucketByTags",
"s3:GetBucketAcl"
],
"Resource": [
"arn:aws:s3:::mybucket"
]
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": [
"s3:GetObjectAcl",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::mybucket/datasets/company1/*"
]
}
]
}
Currently, using this role I can still do, e.g.
aws s3 cp s3://mybucket/datasets/company2/dataset.csv
and download the dataset. What am I doing wrong?
When I try and simulate the policy it seems to be correct (trying to getObject on mybucket/datasets/company2/dataset.csv fails implicitly, but this does not happen in practice. There are no other policies attached to this user.

S3 Policy not working when resource is specified

I have a rails app set up to upload files to S3
I have an IAM user with an inline policy attached to the user.
When I use the following policy everything works just fine:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1494133349000",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"*"
]
}
]
}
Now when I try to specify the ARN of my bucket, I get an access denied error in my app.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1494133349000",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::my-bucket"
]
}
]
}
The ARN is copied directly from my bucket. No clue why the second policy doesnt work. It should according to everything i've read.
This is your bucket:
"Resource": [
"arn:aws:s3:::my-bucket"
]
This is your bucket and the objects in your bucket:
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]

How can I set a policy for an s3 bucket that allows authenticated users to list the bucket or get any file from the bucket

I have set a permission on the bucket that allows "Authenticated Users" to list, upload, and delete from a bucket I created. This seems to allow me to upload files to the bucket, but it appears that downloading files from the bucket is not covered by this permission, and I instead need to define a policy for the bucket. It's not clear to me how to set such a policy. I tried the policy generator with my best guesses at what I should fill in, but the result was not a valid policy when I pasted it in as a new policy for the bucket (it failed with the message Action does not apply to any resource(s) in statement - Action "s3:ListBucket" in Statement "Stmt-some-number"). Can someone explain what is wrong with the following policy and how to set it correctly to allow authenticated users to retrieve files from the bucket?
{
"Id": "Policy-some-number",
"Statement": [
{
"Sid": "Stmt-some-number",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
s3:GetObject applies to the objects in the bucket so the Resource is correct: "Resource": "arn:aws:s3:::my-bucket/*".
s3:ListBucket applies to the Bucket itself and so the Resource should be "Resource": "arn:aws:s3:::my-bucket"
your resulting policy should resemble:
{
"Id": "Policy-some-number",
"Statement": [
{
"Sid": "Stmt-some-number",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"*"
]
}
},
{
"Sid": "Stmt-some-other-number",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
Just to compliment #c4urself answer. the answer help solve my issue as well, but there is some indication from AWS documentation, which you can add more than one resource, just use [] to make them a list.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html#vpc-endpoints-s3-bucket-policies
{
"Statement": [
{
"Sid": "Access-to-specific-bucket-only",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::my_secure_bucket",
"arn:aws:s3:::my_secure_bucket/*"]
}
]
}
Update Bucket policy as below
{
"Version": "2012-10-17",
"Id": "Policy1546023103427",
"Statement": [
{
"Sid": "Stmt1546023101836",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::usagereports-atul",
"arn:aws:s3:::usagereports-atul/*"
]
}
]
}
Just make the resource and array/list of resources and add an item to the list with /* as s3:GetObject applies to arn:aws:s3:::my_secure_bucket/*. See below
"Resource": ["arn:aws:s3:::my_secure_bucket",
"arn:aws:s3:::my_secure_bucket/*"

s3 Policy has invalid action - s3:ListAllMyBuckets

I'm trying these policy through console.aws.amazon.com on my buckets:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads"
],
"Resource": "arn:aws:s3:::itnighq",
"Condition": {}
},
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectAclVersion"
],
"Resource": "arn:aws:s3:::itnighq/*",
"Condition": {}
},
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*",
"Condition": {}
}
]
}
But I'm getting this error message:
Policy has invalid action - s3:ListAllMyBuckets
It doesn't seem to like "Resource": "*" , I've also tried to use **arn:aws:s3:::****, but it doesn't work either.
Anyone has any clue?
As zdev mentioned, you need to do this for the IAM. Go to the IAM console and navigate to Users > Permissions > Inline policies > Create > Custom, and enter this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": [
"arn:aws:s3:::*"
]
}
]
}
I figured out myself. It needs to be done in the IAM, not in S3 itself...
#dnlbrky You need to do this by setting the policy on for the IAM user/group/role and set it by either using the AWS console for the IAM user/group or by calling put_[role/user/group]_policy boto API call.
Anyone getting same issue:
S3 bucket Policy Actions are different from IAM policy actions.
Can reference to s3 actions from https://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html.
Or try with the following actions
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],