Delegating access to a single Amazon S3 bucket

I’ve just been playing around delegating access to some Amazon S3 resources using IAM and Cloudberry Explorer, and found a small but useful tip for anyone doing the same thing – don’t forget to give the user account access to s3:ListAllMyBuckets, or your testing isn’t going to go very far.

I’m using Cloudberry Explorer Pro, and couldn’t see an easy way to do this using the Policy Designer (not saying it isn’t there – just that I got bored looking), so I simply edited the policy script, added the ListAllMyBuckets action and set the resource to be arn:aws:s3:::* – the final policy looks something like the screenshot below, where YOURBUCKETHERE is obviously the bucket you’re looking to grant the user access to manage.

[Screenshot: s3iampolicy]

It seems slightly less than ideal to have to grant someone access to see all your buckets in order to let them manage one, but that seems to be how it’s meant to be done.
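As an added example (not the policy from the original screenshot), the sketch below builds a policy of the shape described and checks that the only action granted outside the one bucket is s3:ListAllMyBuckets. The function names, the Sid values and the use of s3:* for "manage" are assumptions made for illustration.

```python
import json

LIST_ALL = "s3:listallmybuckets"  # IAM action names are case-insensitive

def single_bucket_policy(bucket):
    """IAM policy document: list bucket names account-wide, manage one bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListBucketNames", "Effect": "Allow",
             "Action": "s3:ListAllMyBuckets",
             "Resource": "arn:aws:s3:::*"},
            {"Sid": "ManageOneBucket", "Effect": "Allow",
             "Action": "s3:*",  # assumption: "manage" means every S3 action
             "Resource": [f"arn:aws:s3:::{bucket}",       # the bucket itself
                          f"arn:aws:s3:::{bucket}/*"]},   # the objects in it
        ],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def overbroad_grants(policy, bucket):
    """Return (sid, action, resource) for each Allow that reaches beyond
    the bucket, other than s3:ListAllMyBuckets.

    Literal comparison only: NotAction, NotResource, conditions and
    wildcard expansion are not evaluated.
    """
    in_scope = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for resource in _as_list(stmt["Resource"]):
            if resource in in_scope:
                continue
            for action in _as_list(stmt["Action"]):
                if action.lower() != LIST_ALL:
                    findings.append((stmt.get("Sid"), action, resource))
    return findings

if __name__ == "__main__":
    policy = single_bucket_policy("YOURBUCKETHERE")
    print(json.dumps(policy, indent=2))
    print("grants beyond the bucket:", overbroad_grants(policy, "YOURBUCKETHERE"))
```

The account-wide statement exposes bucket names only; listing or reading the contents of any other bucket would need an action that the check reports.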

I’m sure the above is mentioned in the AWS documentation somewhere, but if you’re using a tool like Cloudberry then 99% of it is pretty self-explanatory, so maybe this post can prevent you from needing to consult the documentation (always a good thing).


Posted on Monday, September 12, 2011 2:00 PM | Web Development Miscellaneous
