How to give access to an AWS S3 bucket with IAM

Amazon’s AWS IAM (Identity and Access Management) can be very useful for a number of things. You can create a user and grant access to an S3 bucket in order to be able to use the API to manage the bucket instead of the AWS console web interface.

First go to the IAM section of the AWS console. Create a new group of users and give it a name. If you’re using the group to control access to a specific bucket, you can use the bucket name.

Use the wizard to get you started with the permissions policy. This lets you choose the AWS service, the actions and the ARN (Amazon Resource Name).

The following policy grants all actions on a specific S3 bucket:

{
  "Statement": [
    {
      "Sid": "your_sid",
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::your_bucket",
        "arn:aws:s3:::your_bucket/*"
      ]
    }
  ]
}

Be careful if the policy has just the bucket name in the resource section:

"Resource": [
  "arn:aws:s3:::your_bucket"
]

This allows read access on the bucket, but attempts to write to the bucket result in errors. Instead, you need both these lines:

"Resource": [
  "arn:aws:s3:::your_bucket",
  "arn:aws:s3:::your_bucket/*"
]

I found helpful information about this on Andrew Hitchcock’s blog.

Note, Amazon has made updates to the developer Console since Andrew’s post. You can now you the AWS Console page to control or commandline tools to work with IAM.

Once your group is created, you can create and/or add users to this group. The users can use their access key and secret access key to work with the bucket through the AWS API.

Tags: