Share buckets in Amazon S3 so that multiple users see them in their management console

amazon s3amazon-web-services

Using account A, I can add user B to the permissions of a bucket, but that bucket does not then show up in user B's management console.

What does it mean to give a user permissions in this way?
Is it possible for 2 users to truly have the same access to a bucket, so that it shows up in both consoles?

Best Answer

Buckets are fully private by default so basically you allow their AWS account the [selected] permissions to your bucket.
Nope. But I think this feature is coming soon. If you notice the bucket properties it has a line for who the owner is :)

Other tools have what's called an "External Bucket" feature to add other user's buckets they have permission for.

If the S3 console is important enough, see if the newly released "AWS Identity and Access Management" feature can get the job done:

http://aws.amazon.com/iam/

Related Solutions

Causing Access Denied when using the aws cli to download from Amazon S3

I was struggling with this, too, but I found an answer over here https://stackoverflow.com/a/17162973/1750869 that helped resolve this issue for me. Reposting answer below.

You don't have to open permissions to everyone. Use the below Bucket policies on source and destination for copying from a bucket in one account to another using an IAM user

Bucket to Copy from – SourceBucket

Bucket to Copy to – DestinationBucket

Source AWS Account ID - XXXX–XXXX-XXXX

Source IAM User - src–iam-user

The below policy means – the IAM user - XXXX–XXXX-XXXX:src–iam-user has s3:ListBucket and s3:GetObject privileges on SourceBucket/* and s3:ListBucket and s3:PutObject privileges on DestinationBucket/*

On the SourceBucket the policy should be like:

{
"Id": "Policy1357935677554",
"Statement": [
    {
        "Sid": "Stmt1357935647218",
        "Action": [
            "s3:ListBucket"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::SourceBucket",
        "Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"}
    },
    {
        "Sid": "Stmt1357935676138",
        "Action": ["s3:GetObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3::: SourceBucket/*",
        "Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"}
   }
]
}

On the DestinationBucket the policy should be:

{
"Id": "Policy1357935677554",
"Statement": [
    {
        "Sid": "Stmt1357935647218",
        "Action": [
            "s3:ListBucket"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:s3::: DestinationBucket",
        "Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"}
    },
    {
        "Sid": "Stmt1357935676138",
        "Action": ["s3:PutObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3::: DestinationBucket/*",
        "Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"}
   }
]
}

command to be run is s3cmd cp s3://SourceBucket/File1 s3://DestinationBucket/File1

AWS Deny NotPrincipal Bucket Policy – Configuration Guide

It sounds like you might need to specify both the bucket and its contents in the Resource tag - some permissions apply directly to the bucket only and other permissions apply to objects only, e.g.

"Resource": [
            "arn:aws:s3:::test33333",
            "arn:aws:s3:::test33333/*"
        ]

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html#specifying-notprincipal

Best Answer

Related Solutions

Causing Access Denied when using the aws cli to download from Amazon S3

AWS Deny NotPrincipal Bucket Policy – Configuration Guide

Related Topic