Example 1: Bucket owner granting its users bucket permissions - Amazon Simple Storage Service

Example 1: Bucket owner granting its users bucket permissions

Important

Granting permissions to IAM roles is a better practice than granting permissions to individual users. To learn how to do this, see Background: Cross-account permissions and using IAM roles.

In this exercise, an AWS account owns a bucket, and it has an IAM user in the account. By default, the user has no permissions. For the user to perform any tasks, the parent account must grant them permissions. The bucket owner and parent account are the same. Therefore, to grant the user permissions on the bucket, the AWS account can use a bucket policy, a user policy, or both. The account owner will grant some permissions using a bucket policy and other permissions using a user policy.

The following steps summarize the walkthrough:

  1. Account administrator creates a bucket policy granting a set of permissions to the user.

  2. Account administrator attaches a user policy to the user granting additional permissions.

  3. User then tries permissions granted via both the bucket policy and the user policy.

For this example, you will need an AWS account. Instead of using the root user credentials of the account, you will create an administrator user (see About using an administrator user to create resources and grant permissions). We refer to the AWS account and the administrator user as follows:

Account ID Account referred to as Administrator user in the account

1111-1111-1111

Account A

AccountAadmin

Note

The administrator user in this example is AccountAadmin, which refers to Account A, and not AccountAdmin.

All the tasks of creating users and granting permissions are done in the AWS Management Console. To verify permissions, the walkthrough uses the command line tools, AWS Command Line Interface (CLI) and AWS Tools for Windows PowerShell, to verify the permissions, so you don't need to write any code.

Step 0: Preparing for the walkthrough

  1. Make sure you have an AWS account and that it has a user with administrator privileges.

    1. Sign up for an account, if needed. We refer to this account as Account A.

      1. Go to https://aws.amazon.com/s3 and click Sign Up.

      2. Follow the on-screen instructions.

        AWS will notify you by email when your account is active and available for you to use.

    2. In Account A, create an administrator user AccountAadmin. Using Account A credentials, sign in to the IAM console and do the following:

      1. Create user AccountAadmin and note down the user security credentials.

        For instructions, see Creating an IAM user in Your AWS account in the IAM User Guide.

      2. Grant AccountAadmin administrator privileges by attaching a user policy giving full access.

        For instructions, see Working with Policies in the IAM User Guide.

      3. Note down the IAM user Sign-In URL for AccountAadmin. You will need to use this URL when signing in to the AWS Management Console. For more information about where to find it, see How Users Sign in to Your Account in IAM User Guide. Note down the URL for each of the accounts.

  2. Set up either the AWS Command Line Interface (CLI) or the AWS Tools for Windows PowerShell. Make sure you save administrator user credentials as follows:

    • If using the AWS CLI, create a profile, AccountAadmin, in the config file.

    • If using the AWS Tools for Windows PowerShell, make sure you store credentials for the session as AccountAadmin.

    For instructions, see Setting up the tools for the example walkthroughs.

Step 1: Create resources (a bucket and an IAM user) in account A and grant permissions

Using the credentials of user AccountAadmin in Account A, and the special IAM user sign-in URL, sign in to the AWS Management Console and do the following:

  1. Create Resources (a bucket and an IAM user)

    1. In the Amazon S3 console create a bucket. Note down the AWS Region in which you created it. For instructions, see Creating a bucket.

    2. In the IAM Console, do the following:

      1. Create a user, Dave.

        For step-by-step instructions, see Creating IAM users (AWS Management Console) in the IAM User Guide.

      2. Note down the UserDave credentials.

      3. Note down the Amazon Resource Name (ARN) for user Dave. In the IAM Console, select the user, and the Summary tab provides the user ARN.

  2. Grant Permissions.

    Because the bucket owner and the parent account to which the user belongs are the same, the AWS account can grant user permissions using a bucket policy, a user policy, or both. In this example, you do both. If the object is also owned by the same account, the bucket owner can grant object permissions in the bucket policy (or an IAM policy).

    1. In the Amazon S3 console, attach the following bucket policy to awsexamplebucket1.

      The policy has two statements.

      • The first statement grants Dave the bucket operation permissions s3:GetBucketLocation and s3:ListBucket.

      • The second statement grants the s3:GetObject permission. Because Account A also owns the object, the account administrator is able to grant the s3:GetObject permission.

      In the Principal statement, Dave is identified by his user ARN. For more information about policy elements, see Bucket policies and user policies.

      { "Version": "2012-10-17", "Statement": [ { "Sid": "statement1", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::AccountA-ID:user/Dave" }, "Action": [ "s3:GetBucketLocation", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::awsexamplebucket1" ] }, { "Sid": "statement2", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::AccountA-ID:user/Dave" }, "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::awsexamplebucket1/*" ] } ] }
    2. Create an inline policy for the user Dave by using the following policy. The policy grants Dave the s3:PutObject permission. You need to update the policy by providing your bucket name.

      { "Version": "2012-10-17", "Statement": [ { "Sid": "PermissionForObjectOperations", "Effect": "Allow", "Action": [ "s3:PutObject" ], "Resource": [ "arn:aws:s3:::awsexamplebucket1/*" ] } ] }

      For instructions, see Working with Inline Policies in the IAM User Guide. Note you need to sign in to the console using Account A credentials.

Step 2: Test permissions

Using Dave's credentials, verify that the permissions work. You can use either of the following two procedures.

Test using the AWS CLI
  1. Update the AWS CLI config file by adding the following UserDaveAccountA profile. For more information, see Setting up the tools for the example walkthroughs.

    [profile UserDaveAccountA] aws_access_key_id = access-key aws_secret_access_key = secret-access-key region = us-east-1
  2. Verify that Dave can perform the operations as granted in the user policy. Upload a sample object using the following AWS CLI put-object command.

    The --body parameter in the command identifies the source file to upload. For example, if the file is in the root of the C: drive on a Windows machine, you specify c:\HappyFace.jpg. The --key parameter provides the key name for the object.

    aws s3api put-object --bucket awsexamplebucket1 --key HappyFace.jpg --body HappyFace.jpg --profile UserDaveAccountA

    Run the following AWS CLI command to get the object.

    aws s3api get-object --bucket awsexamplebucket1 --key HappyFace.jpg OutputFile.jpg --profile UserDaveAccountA
Test using the AWS Tools for Windows PowerShell
  1. Store Dave's credentials as AccountADave. You then use these credentials to PUT and GET an object.

    set-awscredentials -AccessKey AccessKeyID -SecretKey SecretAccessKey -storeas AccountADave
  2. Upload a sample object using the AWS Tools for Windows PowerShell Write-S3Object command using user Dave's stored credentials.

    Write-S3Object -bucketname awsexamplebucket1 -key HappyFace.jpg -file HappyFace.jpg -StoredCredentials AccountADave

    Download the previously uploaded object.

    Read-S3Object -bucketname awsexamplebucket1 -key HappyFace.jpg -file Output.jpg -StoredCredentials AccountADave