I’ve just been playing around delegating access to some Amazon S3 resources using IAM and Cloudberry Explorer, and found a small but useful tip for anyone doing the same thing – don’t forget to give the user account access to s3:ListAllMyBuckets, or your testing isn’t going to go very far.
I’m using Cloudberry Explorer Pro, and couldn’t see an easy way to do this using the Policy Designer (not saying it isn’t there – just that I got bored looking), so I simply edited the policy script, added the ListAllMyBuckets action and set the resource to be arn:aws:s3:::* – the final policy looks something like the screenshot below, where YOURBUCKETHERE is obviously the bucket you’re looking to grant the user access to manage.
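
As an added example (not the author's original policy or screenshot), a policy of the shape described above could look like this: one statement granting s3:ListAllMyBuckets on arn:aws:s3:::*, and the remaining statements scoped to the single bucket. The Sid names and the specific bucket and object actions chosen for "manage" are assumptions; YOURBUCKETHERE is the placeholder from the post.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListAllBucketsForExplorerView",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "ListTheOneBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::YOURBUCKETHERE"
    },
    {
      "Sid": "ManageObjectsInTheOneBucket",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::YOURBUCKETHERE/*"
    }
  ]
}
```

s3:ListAllMyBuckets only returns the names and creation dates of the account's buckets; access to their contents stays limited to the bucket named in the other two statements.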

It seems slightly less than ideal to have to grant someone access to see all your buckets in order to let them manage one, but that seems to be how it’s meant to be done.
I’m sure the above is mentioned in the AWS documentation somewhere, but if you’re using a tool like Cloudberry then 99% of it is pretty self-explanatory, so maybe this post can prevent you from needing to consult the documentation (always a good thing).