I want to create a user with a custom group that only lets me access one S3 bucket and I'm having difficulty doing so.
So I'm at this screen:
I've allowed S3 actions. Now I want to restrict it to just a specific bucket. I click on the "Resources" text and I get this:
I click on "Add ARN" for both and get this:
I use "whatever" as the "Bucket name" for bucket and "whatever" as the "Bucket name" for object (whilst leaving "Object name" blank) and then when I try to use the newly created account, in the newly created group, to access S3, I find that I can't upload or download files from the bucket without getting a 403 Forbidden error. If I use "All resources" instead of "Specific" it works but I only want this user to have access to one particular bucket.
Any ideas?
It looks like you're missing the wildcard
*in the object declaration.It should be
bucket-name/*instead ofbucket-name/when declaring bucket objectsFor the resulting entries:
You haven't shared the actual policy, just screenshots of the wizard. If you want help with your policy please edit your post to include it.
There are plenty of resources online to help with this, such as this AWS blog post, and this documentation.
I have this policy which allows read only access to a single bucket. I attach the policy to a group, and add users who need that policy to that group. If you need different permissions just add them to the json.