IAM policy for home folder access (S3) only


lbate...@gmail.com

Feb 28, 2015, 2:11:41 PM
to boto-...@googlegroups.com
I have a configuration in S3 that looks something like:

<bucket>
  <home folder>
    <user1 folder>
    <user2 folder>
    .
    .
    <userN folder>

I want to limit the ability of users to only PutObject into their folders and have written the policy below to achieve that end.  I've tested the policy in the AWS Policy Simulator and via the AWS console and I am convinced that it is correct.  When I try to access this using boto with this user's credentials it errors with:

SSarchive-Traceback (most recent call last):
  File "SSarchive.py", line 1091, in <module>
    main()
  File "SSarchive.py", line 721, in main
    BUCKET = S3.get_bucket(_s3bucket)
  File "C:\Python27\lib\site-packages\boto\s3\connection.py", line 502, in get_bucket
    return self.head_bucket(bucket_name, headers=headers)
  File "C:\Python27\lib\site-packages\boto\s3\connection.py", line 535, in head_bucket
    raise err
S3ResponseError: S3ResponseError: 403 Forbidden


----Policy----
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUserToSeeBucketListInTheConsole",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "AllowListingOfshadowSafeBucket",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::mycompanybucket1"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:delimiter": [
                        "/"
                    ]
                }
            }
        },
        {
            "Sid": "AllowSomeS3ActionsOnUserFolder",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:ListBucketMultipartUploads",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::mycompanybucket1/home/${aws:username}/*"
            ]
        }
    ]
}

If I repeat the process using credentials that have unlimited access, everything works perfectly.  Clearly I'm missing something fundamental.  

Any help would be greatly appreciated.

Regards,
Larry Bates
vitalEsafe, Inc.

lbate...@gmail.com

Mar 2, 2015, 4:34:16 PM
to boto-...@googlegroups.com
If I give full/read only access to the user, I can get a bucket object.  If not, I get 403 Forbidden error.  Are there some rights that I need for boto to be able to create me a bucket instance?

Thanks in advance,
Larry Bates
vitalEsafe, Inc.

lbate...@gmail.com

Mar 4, 2015, 12:03:06 PM
to boto-...@googlegroups.com
Many hours of trial and error later I have finally determined that I don't seem to be able to get a bucket instance on the home folder unless you give GetObject rights in the policy.  I had planned on only allowing users to have PutObject and ListObject rights (i.e. once something was put it couldn't be read or deleted), but so far haven't found a way to accomplish that.  Perhaps I'm missing something or misunderstanding?

This policy works, but does give GetObject rights to the user (which isn't exactly what I wanted):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGroupToSeeBucketListInTheConsole",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:ListBucketMultipartUploads",
                "s3:AbortMultipartUpload"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "AllowListBucketInHomeFolder",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::mycompanybucket1/home/*"
        },
        {
            "Sid": "AllowUserSpecificActionsOnlyInHomeFolder",
            "Effect": "Allow",
            "Action": [
              "s3:GetObject",
              "s3:ListBucket",
              "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::mycompanybucket1/home/${aws:username}/*"
        }
    ]
}

Thanks in advance,

Larry Bates

Thomas O'Dowd

Mar 4, 2015, 8:43:43 PM
to boto-...@googlegroups.com
Hi Larry,

I don't believe this is a Boto related issue but rather a more generic
S3/Bucket Policy related question. Have you tried posting the question
to the AWS S3 forum? You might get more eyeballs and perhaps a response
from AWS themselves.

Tom.

--
Cloudian KK - http://cloudian.jp/
S3 REST API Compliant Cloud Storage with Cloudian®

Larry Bates

Mar 4, 2015, 11:14:28 PM
to boto-...@googlegroups.com
I did try posting to S3 forums, but so far no response. I can't really
tell if this is boto or something else. It just bothers me that I have
to give GetObject rights when I don’t want the user to be able to get
an object. I posted here just in case it was a “known” problem. Thanks
for taking a look.

Larry Bates
lbate...@gmail.com

Thomas O'Dowd

Mar 4, 2015, 11:49:31 PM
to boto-...@googlegroups.com
Hi Larry,

Ok, you got me. I'll take another peek although I've not played around
much with Bucket Policies. Could be something extra Boto is doing
though.

Looking at the 403 again that you got with the previous policy...

> >> SSarchive-Traceback (most recent call last):
> >> File "SSarchive.py", line 1091, in <module>
> >> main()
> >> File "SSarchive.py", line 721, in main
> >> BUCKET = S3.get_bucket(_s3bucket)
> >> File "C:\Python27\lib\site-packages\boto\s3\connection.py", line 502, in get_bucket
> >> return self.head_bucket(bucket_name, headers=headers)
> >> File "C:\Python27\lib\site-packages\boto\s3\connection.py", line 535, in head_bucket
> >> raise err
> >> S3ResponseError: S3ResponseError: 403 Forbidden

We can see from above that your SSarchive program is calling
get_bucket(). This in turn calls head_bucket().

head_bucket() does a HEAD request on the bucket name. A HEAD is like a
GET request but doesn't return any contents so is lightweight. It does
however require that the user have permissions to GET the bucket. A GET
on the bucket is a bucket listing so it requires s3:ListBucket.

When checking the source of connection.py, I noticed that if you are
sure the bucket exists, you can skip this HEAD request altogether by
using:
get_bucket(bucketname, validate=False)

Remove the GetObject rights for now and let's work through the
exceptions.

Tom.
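As an added illustration (not code from this thread, from boto or from AWS), here is a small Python model of how the two policies Larry posted evaluate the requests discussed above, with each policy condensed to its relevant statements. It assumes a simplified IAM semantics: default deny, an explicit Deny wins, `*` as a wildcard in actions and resources, `${aws:username}` resolved from the request, and a StringEquals condition that is false when the request carries no value for its key (the HEAD on the bucket that get_bucket() issues sends no s3:delimiter).

```python
"""Simplified IAM evaluator for the two S3 policies posted in this thread.
Assumed model (not the full IAM spec): default deny, explicit Deny wins, '*' is a
wildcard, and StringEquals is false when the request has no value for the key
(a HEAD on the bucket, for example, sends no s3:delimiter)."""
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::mycompanybucket1"
HOME = BUCKET + "/home/${aws:username}/*"
# Condensed from the first posted policy (every statement is an Allow).
POLICY_1 = [
    {"Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"], "Resource": "arn:aws:s3:::*"},
    {"Action": ["s3:ListBucket"], "Resource": BUCKET,
     "Condition": {"StringEquals": {"s3:delimiter": ["/"]}}},
    {"Action": ["s3:ListBucket", "s3:PutObject", "s3:AbortMultipartUpload",
                "s3:ListBucketMultipartUploads", "s3:ListMultipartUploadParts"],
     "Resource": HOME},
]
# Condensed from the second (working) policy; note ListBucket on arn:aws:s3:::*.
POLICY_2 = [
    {"Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation",
                "s3:ListBucketMultipartUploads", "s3:AbortMultipartUpload"],
     "Resource": "arn:aws:s3:::*"},
    {"Action": ["s3:ListBucket"], "Resource": BUCKET + "/home/*"},
    {"Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"], "Resource": HOME},
]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, action, resource, ctx):
    """True when the statement's Action, Resource and Condition all match the request."""
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    # Policy variables such as ${aws:username} resolve from the request context.
    patterns = [r.replace("${aws:username}", ctx.get("aws:username", ""))
                for r in _as_list(stmt["Resource"])]
    if not any(fnmatchcase(resource, p) for p in patterns):
        return False
    for key, allowed in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if key not in ctx or ctx[key] not in _as_list(allowed):
            return False  # absent key -> condition is false (no ...IfExists here)
    return True

def is_allowed(policy, action, resource, ctx):
    """Default deny; an explicit Deny overrides any matching Allow."""
    effects = {s.get("Effect", "Allow") for s in policy if _matches(s, action, resource, ctx)}
    return "Allow" in effects and "Deny" not in effects

if __name__ == "__main__":  # the HEAD that boto's get_bucket() issues, as user alice
    print([is_allowed(p, "s3:ListBucket", BUCKET, {"aws:username": "alice"}) for p in (POLICY_1, POLICY_2)])
```

Under this model the first policy's bucket-level ListBucket statement only matches a listing that actually sends delimiter "/", so the HEAD is denied while a PutObject into home/alice/ is allowed; the second policy allows the HEAD through its ListBucket grant on arn:aws:s3:::*, and also allows GetObject in the user's folder.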