marcel / aws-s3

AWS-S3 is a Ruby implementation of Amazon's S3 REST API
http://amazon.rubyforge.org
MIT License

Unable to attach IAM role in S3 bucket policy #117

Open rajasekaran07 opened 7 years ago

rajasekaran07 commented 7 years ago

Hi Team,

I am trying to provide access to my S3 bucket to only instances with a specific IAM role. I applied the policy below, but it is not working.

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "Stmt1371012493903",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": "arn:aws:iam::(Account-no):role/(my-role)"
      },
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

I also configured the AWS CLI with aws configure, using the temporary access key and secret access key obtained via curl http://169.254.169.254/latest/meta-data/iam/security-credentials/, but I am still seeing:

curl https://s3.amazonaws.com/my-bucket/myfile.json

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>1C272502A24D780D</RequestId><HostId>YRP7gKyKfSQRzlKeOx/YpxHCjdh9AlBb80hcfwy9fjAAY9tlDNfmziRhfWzdIkDmgt/TWwT8Ink=</HostId></Error>

Regards, Raja

rajasekaran07 commented 7 years ago

I followed the link below and modified my S3 policy as shown below; I am unable to curl in both accounts. https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::bucket/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userId": [
            "AROAJZ45MYWZWL7SPA56W:*",
            "27***646"
          ]
        }
      }
    }
  ]
}
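The aws:userId pattern from the linked AWS blog post, as an added worked example that is not part of this issue or of the aws-s3 gem: it builds the policy, evaluates whether the Deny statement fires for a given caller using IAM's StringNotLike wildcard semantics, and flags Resource ARNs that name a different bucket than the one the policy is attached to. The bucket name, role unique id and account id are constructed placeholders.

```ruby
require 'json'

# Policy in the shape of the AWS blog post: deny every S3 action unless the
# caller's aws:userId is a session of the role ("ROLEID:<session name>") or the
# account root. EC2 instances using the role carry a userId like
# "ROLEID:i-0123456789abcdef0", so the "ROLEID:*" pattern is what matches them.
def role_only_bucket_policy(bucket, role_unique_id, account_id)
  {
    'Version' => '2012-10-17',
    'Statement' => [{
      'Effect' => 'Deny',
      'Principal' => '*',
      'Action' => 's3:*',
      'Resource' => ["arn:aws:s3:::#{bucket}", "arn:aws:s3:::#{bucket}/*"],
      'Condition' => {
        'StringNotLike' => { 'aws:userId' => ["#{role_unique_id}:*", account_id] }
      }
    }]
  }
end

# IAM string-condition wildcards: '*' matches any run, '?' one character.
def iam_glob_match?(pattern, value)
  re = Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.')
  !!(value =~ /\A#{re}\z/)
end

# True when a Deny statement fires for this action, resource and caller userId.
def denied?(policy, action, resource_arn, user_id)
  policy['Statement'].any? do |st|
    next false unless st['Effect'] == 'Deny'
    next false unless Array(st['Action']).any? { |a| iam_glob_match?(a, action) }
    next false unless Array(st['Resource']).any? { |r| iam_glob_match?(r, resource_arn) }
    patterns = st.dig('Condition', 'StringNotLike', 'aws:userId') || []
    patterns.none? { |p| iam_glob_match?(p, user_id) }
  end
end

# Resource ARNs that do not belong to the bucket the policy is attached to
# (a stray "arn:aws:s3:::bucket/*" leaves the intended objects uncovered).
def foreign_resources(policy, bucket)
  policy['Statement'].flat_map { |st| Array(st['Resource']) }
        .reject { |r| r == "arn:aws:s3:::#{bucket}" || r.start_with?("arn:aws:s3:::#{bucket}/") }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed placeholder identifiers, not real AWS ids.
  puts JSON.pretty_generate(role_only_bucket_policy('my-bucket', 'AROAEXAMPLEROLEID', '111122223333'))
end
```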