udondan / iam-floyd

AWS IAM policy statement generator with fluent interface
https://iam-floyd.readthedocs.io/
Apache License 2.0

S3 all_list_actions should include ListObjectsV2 #38

Closed cmclaughlin closed 4 years ago

cmclaughlin commented 4 years ago

I'm using the package

I'm using the package in language

Describe the problem

```python
>>> from iam_floyd import S3
>>> bucket = 'mybucket'
>>> s3_statement = S3().allow().all_read_actions().on(bucket)
>>> s3_statement.allow().all_list_actions().on(bucket)
<iam_floyd.S3 object at 0x10bde10d0>
>>> s3_statement.to_json()
{'Action': ['s3:DescribeJob', 's3:GetAccelerateConfiguration', 's3:GetAccessPoint', 's3:GetAccessPointPolicy', 's3:GetAccessPointPolicyStatus', 's3:GetAccountPublicAccessBlock', 's3:GetAnalyticsConfiguration', 's3:GetBucketAcl', 's3:GetBucketCORS', 's3:GetBucketLocation', 's3:GetBucketLogging', 's3:GetBucketNotification', 's3:GetBucketObjectLockConfiguration', 's3:GetBucketPolicy', 's3:GetBucketPolicyStatus', 's3:GetBucketPublicAccessBlock', 's3:GetBucketRequestPayment', 's3:GetBucketTagging', 's3:GetBucketVersioning', 's3:GetBucketWebsite', 's3:GetEncryptionConfiguration', 's3:GetInventoryConfiguration', 's3:GetJobTagging', 's3:GetLifecycleConfiguration', 's3:GetMetricsConfiguration', 's3:GetObject', 's3:GetObjectAcl', 's3:GetObjectLegalHold', 's3:GetObjectRetention', 's3:GetObjectTagging', 's3:GetObjectTorrent', 's3:GetObjectVersion', 's3:GetObjectVersionAcl', 's3:GetObjectVersionForReplication', 's3:GetObjectVersionTagging', 's3:GetObjectVersionTorrent', 's3:GetReplicationConfiguration', 's3:ListAccessPoints', 's3:ListBucketMultipartUploads', 's3:ListBucketVersions', 's3:ListJobs', 's3:ListMultipartUploadParts', 's3:ListAllMyBuckets', 's3:ListBucket'], 'Resource': ['mybucket']}
```

Along with issue #31 - I'm trying to draft a policy as documented here:

https://docs.aws.amazon.com/neptune/latest/userguide/bulk-load-tutorial-IAM.html

I was thinking all_list_actions on s3 would include the ListObjectsV2 API. Seems pretty reasonable to me.

Please let me know if I'm missing something.

udondan commented 4 years ago

ListObjectsV2 is an API call, not an action available in IAM. API actions do not translate 1:1 to IAM actions.

From the docs:

> To use this operation in an AWS Identity and Access Management (IAM) policy, you must have permissions to perform the s3:ListBucket action.

So your policy should be fine and be able to run this API call.

cmclaughlin commented 4 years ago

Hmmm, I'm guessing I need "mybucket" and "mybucket/*" as resources.

udondan commented 4 years ago

That would be done via `...on_bucket('mybucket').on_object('mybucket', '*')`
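The two points made in this thread (an S3 API operation such as ListObjectsV2 maps to the IAM action s3:ListBucket rather than to an action of the same name, and bucket-level actions are evaluated against the bucket ARN while object-level actions need the `bucket/*` resource) can be checked mechanically before a policy is deployed. The following is an added example, not code from iam-floyd or from anyone in this thread: a small, dependency-free policy checker that translates an API operation to its IAM action and resource scope and then evaluates a policy document against it. The `API_TO_IAM` table, the `iam_match` wildcard helper and the three sample policies are assumptions constructed for this example; only the ListObjectsV2 -> s3:ListBucket entry is quoted on the page. Deny statements, conditions and cross-account rules are deliberately out of scope.

```python
import re

# Which IAM action an S3 API operation checks, and whether that action is
# evaluated against the bucket ARN or an object ARN. Assumed mapping for this
# example (based on the S3 API reference); the thread itself only quotes the
# ListObjectsV2 -> s3:ListBucket case.
API_TO_IAM = {
    "ListObjectsV2": ("s3:ListBucket", "bucket"),
    "ListObjects": ("s3:ListBucket", "bucket"),
    "HeadBucket": ("s3:ListBucket", "bucket"),
    "GetObject": ("s3:GetObject", "object"),
    "PutObject": ("s3:PutObject", "object"),
}


def s3_arn(bucket, key=None):
    """Bucket ARN, or object ARN when a key is given."""
    return f"arn:aws:s3:::{bucket}" if key is None else f"arn:aws:s3:::{bucket}/{key}"


def iam_match(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters (including '/'),
    '?' matches exactly one character; everything else is literal."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def statement_allows(stmt, action, resource_arn):
    """True if one Allow statement grants `action` on `resource_arn`."""
    if stmt.get("Effect", "Allow") != "Allow":
        return False
    action_ok = any(iam_match(a, action) for a in _as_list(stmt["Action"]))
    resource_ok = any(iam_match(r, resource_arn) for r in _as_list(stmt["Resource"]))
    return action_ok and resource_ok


def api_call_allowed(policy, operation, bucket, key=None):
    """Translate an S3 API operation into its IAM action and resource, then
    ask whether any Allow statement in `policy` covers that pair."""
    if operation not in API_TO_IAM:
        raise ValueError(f"no IAM mapping known for API operation {operation!r}")
    action, scope = API_TO_IAM[operation]
    if scope == "object" and key is None:
        raise ValueError(f"{operation} is object-level; an object key is required")
    arn = s3_arn(bucket) if scope == "bucket" else s3_arn(bucket, key)
    return any(statement_allows(s, action, arn) for s in _as_list(policy["Statement"]))


# Constructed sample policies mirroring the thread.
# 1. The shape of the issue's to_json() output: a bare bucket name as Resource,
#    which is not an ARN and therefore matches nothing.
ISSUE_STYLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow",
                  "Action": ["s3:ListBucket", "s3:GetObject"],
                  "Resource": ["mybucket"]},
}
# 2. Bucket ARN only: enough for ListObjectsV2, not for GetObject.
BUCKET_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:ListBucket", "s3:GetObject"],
                   "Resource": ["arn:aws:s3:::mybucket"]}],
}
# 3. Bucket ARN plus object wildcard, the combination the maintainer suggests.
BUCKET_AND_OBJECTS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:ListBucket", "s3:GetObject"],
                   "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"]}],
}

if __name__ == "__main__":
    samples = [("issue-style", ISSUE_STYLE_POLICY),
               ("bucket-only", BUCKET_ONLY_POLICY),
               ("bucket+objects", BUCKET_AND_OBJECTS_POLICY)]
    for name, policy in samples:
        print(name,
              "ListObjectsV2:", api_call_allowed(policy, "ListObjectsV2", "mybucket"),
              "GetObject:", api_call_allowed(policy, "GetObject", "mybucket", "data/part-0.csv"))
```

Running the script shows the progression the thread walks through: the bare-name resource allows nothing, the bucket ARN alone allows listing but not reading objects, and only the bucket ARN together with `mybucket/*` allows both. Wiring this kind of check into a policy-generation pipeline catches the "I added all_list_actions but the call still fails" class of problem before the policy reaches an account.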