In S3 assign a folder to two user by IAM policy with different access level
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}
I am using Amazon S3 to store client data. There are multiple clients and each client has there own folder in '/Users/' folder with their names. Clients have read and write permission.
To assign permissions to each client dynamically I create a standard policy that I assign at the time of user creation (the policy is below, which working fine).
Now clients have their users also who access that data. But they should have just read-only permission on the folder that belongs to their client Not other folders.
I created a policy which has read and write access permission:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": [
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-name"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
"",
"Users/",
"Users/${aws:username}"
],
"s3:delimiter": [
"/"
]
}
}
},
{
"Sid": "AllowListingOfUserFolder",
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-name"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"",
"Users/",
"Users/${aws:username}/*"
]
}
}
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Effect": "Allow",
"Action": [
"s3:GetObject"
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/Users/${aws:username}/*"
]
}
]
}
Suppose ${aws:username} is the same folder which belongs to the client.
If I create a second policy with the same as the above just having read-only permission then read-only user's username must be going to different(because username can't be same) so if the second user has the different name then he can't able to access that folder.
Questions:
- How to create a user and assign a read-only permission to the folder which belongs to its client? (A user with the folder name is already exist with read and write permission)
- Like
${aws:username}, is there anything we can assign at time of creating a user and use in the policy like a variable?
amazon-web-services amazon-s3 amazon-iam
asked Nov 24 '18 at 9:33
aviavi
146
add a comment |
I am using Amazon S3 to store client data. There are multiple clients and each client has there own folder in '/Users/' folder with their names. Clients have read and write permission.
To assign permissions to each client dynamically I create a standard policy that I assign at the time of user creation (the policy is below, which working fine).
Now clients have their users also who access that data. But they should have just read-only permission on the folder that belongs to their client Not other folders.
I created a policy which has read and write access permission:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": [
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-name"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
"",
"Users/",
"Users/${aws:username}"
],
"s3:delimiter": [
"/"
]
}
}
},
{
"Sid": "AllowListingOfUserFolder",
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-name"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"",
"Users/",
"Users/${aws:username}/*"
]
}
}
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Effect": "Allow",
"Action": [
"s3:GetObject"
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/Users/${aws:username}/*"
]
}
]
}
Suppose ${aws:username} is the same folder which belongs to the client.
If I create a second policy with the same as the above just having read-only permission then read-only user's username must be going to different(because username can't be same) so if the second user has the different name then he can't able to access that folder.
Questions:
- How to create a user and assign a read-only permission to the folder which belongs to its client? (A user with the folder name is already exist with read and write permission)
- Like
${aws:username}, is there anything we can assign at time of creating a user and use in the policy like a variable?
amazon-web-services amazon-s3 amazon-iam
asked Nov 24 '18 at 9:33
aviavi
146
add a comment |
I am using Amazon S3 to store client data. There are multiple clients and each client has there own folder in '/Users/' folder with their names. Clients have read and write permission.
To assign permissions to each client dynamically I create a standard policy that I assign at the time of user creation (the policy is below, which working fine).
Now clients have their users also who access that data. But they should have just read-only permission on the folder that belongs to their client Not other folders.
I created a policy which has read and write access permission:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": [
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-name"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
"",
"Users/",
"Users/${aws:username}"
],
"s3:delimiter": [
"/"
]
}
}
},
{
"Sid": "AllowListingOfUserFolder",
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-name"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"",
"Users/",
"Users/${aws:username}/*"
]
}
}
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Effect": "Allow",
"Action": [
"s3:GetObject"
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/Users/${aws:username}/*"
]
}
]
}
Suppose ${aws:username} is the same folder which belongs to the client.
If I create a second policy with the same as the above just having read-only permission then read-only user's username must be going to different(because username can't be same) so if the second user has the different name then he can't able to access that folder.
Questions:
- How to create a user and assign a read-only permission to the folder which belongs to its client? (A user with the folder name is already exist with read and write permission)
- Like
${aws:username}, is there anything we can assign at time of creating a user and use in the policy like a variable?
amazon-web-services amazon-s3 amazon-iam
asked Nov 24 '18 at 9:33
aviavi
146
I am using Amazon S3 to store client data. There are multiple clients and each client has there own folder in '/Users/' folder with their names. Clients have read and write permission.
To assign permissions to each client dynamically I create a standard policy that I assign at the time of user creation (the policy is below, which working fine).
Now clients have their users also who access that data. But they should have just read-only permission on the folder that belongs to their client Not other folders.
I created a policy which has read and write access permission:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": [
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-name"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
"",
"Users/",
"Users/${aws:username}"
],
"s3:delimiter": [
"/"
]
}
}
},
{
"Sid": "AllowListingOfUserFolder",
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-name"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"",
"Users/",
"Users/${aws:username}/*"
]
}
}
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Effect": "Allow",
"Action": [
"s3:GetObject"
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/Users/${aws:username}/*"
]
}
]
}
Suppose ${aws:username} is the same folder which belongs to the client.
If I create a second policy with the same as the above just having read-only permission then read-only user's username must be going to different(because username can't be same) so if the second user has the different name then he can't able to access that folder.
Questions:
- How to create a user and assign a read-only permission to the folder which belongs to its client? (A user with the folder name is already exist with read and write permission)
- Like
${aws:username}, is there anything we can assign at time of creating a user and use in the policy like a variable?
amazon-web-services amazon-s3 amazon-iam
amazon-web-services amazon-s3 amazon-iam
asked Nov 24 '18 at 9:33
aviavi
146
asked Nov 24 '18 at 9:33
aviavi
146
edited Nov 27 '18 at 7:57
avi
asked Nov 24 '18 at 9:33
aviavi
146
asked Nov 24 '18 at 9:33
aviavi
146
asked Nov 24 '18 at 9:33
aviavi
146
146
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
First of all I would suggest to avoid using s3:* as much as possible because it can lead to some security issues. For example - in the policy rule below - a combination of s3:* together with the condition s3:prefix equals "" seems to me like effectively allowing to manage the whole bucket. And even with a correct limitation to the user folder they may still change the content to public by changing ACL. Which may be fine, but I would rather define it explicitly so you know that this is wanted.
You can also use path "arn:aws:s3:::bucket-name/Users/{username}" in the bucket ARN and possibly avoid the conditions altogether.
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-name"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
"",
"Users/",
"Users/${aws:username}"
],
"s3:delimiter": [
"/"
]
}
}
},
For your question, can you create username and username_ro with their inline policy which you generate with a CloudFormation template where the username will be a parameter. Than you can have an parametrized prescription and also a way how to update the policy for all users consistently. Does it help or am I not getting correctly your issue?
answered Nov 24 '18 at 12:28
petrchpetrch
32627
@peter, Thanks, I will definitely update the policy. As per my knowledge, we can able to create 1500 policies only, and Client and their users are much more. Let me explain again - suppose you create a folder "/Users/petrch" and your user name will be "petrch", policy assign - "bucket-name/Users/{username}/*" with rw access, then you can able to access you folder. To be cont.
– avi
Nov 25 '18 at 14:41
@peter, now your user want to read the data(User will be just 1) so next user's username will be suppose "petrch_ro" and assign poicy - "bucket-name/Users/{username}/*" with ro access then it can able to access the "/Users/petrch_ro" but we want to read the "/User/petrch/". So how can I create user with ro access to "peter" folder??
– avi
Nov 25 '18 at 14:42
It may be possible with read only users using sts:assumerole from another account, but I it is not very elegant. Otherwise I am afraid that I dont' know.
– petrch
Nov 25 '18 at 21:26
assume role is not working, Is it possible to assign a user inline policy?? From user interface(aws website), I don't get any inline policy, It always require first to create a new policy for the user. I don't want to create policy for different user but if there is way through we can assign inline policy at the time of user creation then It can help me a lot.
– avi
Nov 27 '18 at 7:19
1
Solution - This can be achieved easily by the this approach - Create Read only user with Username - 'petrch_ro' so the policy will have,${aws:username} with read only access, Now full permission user have 'petrch' username and in the policy look like this "${aws:username}_ro". So our both condition satisfies. Thanks :) :)
– avi
Nov 29 '18 at 6:39
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53456876%2fin-s3-assign-a-folder-to-two-user-by-iam-policy-with-different-access-level%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
First of all I would suggest to avoid using s3:* as much as possible because it can lead to some security issues. For example - in the policy rule below - a combination of s3:* together with the condition s3:prefix equals "" seems to me like effectively allowing to manage the whole bucket. And even with a correct limitation to the user folder they may still change the content to public by changing ACL. Which may be fine, but I would rather define it explicitly so you know that this is wanted.
You can also use path "arn:aws:s3:::bucket-name/Users/{username}" in the bucket ARN and possibly avoid the conditions altogether.
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-name"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
"",
"Users/",
"Users/${aws:username}"
],
"s3:delimiter": [
"/"
]
}
}
},
For your question, can you create username and username_ro with their inline policy which you generate with a CloudFormation template where the username will be a parameter. Than you can have an parametrized prescription and also a way how to update the policy for all users consistently. Does it help or am I not getting correctly your issue?
answered Nov 24 '18 at 12:28
petrchpetrch
32627
@peter, Thanks, I will definitely update the policy. As per my knowledge, we can able to create 1500 policies only, and Client and their users are much more. Let me explain again - suppose you create a folder "/Users/petrch" and your user name will be "petrch", policy assign - "bucket-name/Users/{username}/*" with rw access, then you can able to access you folder. To be cont.
– avi
Nov 25 '18 at 14:41
@peter, now your user want to read the data(User will be just 1) so next user's username will be suppose "petrch_ro" and assign poicy - "bucket-name/Users/{username}/*" with ro access then it can able to access the "/Users/petrch_ro" but we want to read the "/User/petrch/". So how can I create user with ro access to "peter" folder??
– avi
Nov 25 '18 at 14:42
It may be possible with read only users using sts:assumerole from another account, but I it is not very elegant. Otherwise I am afraid that I dont' know.
– petrch
Nov 25 '18 at 21:26
assume role is not working, Is it possible to assign a user inline policy?? From user interface(aws website), I don't get any inline policy, It always require first to create a new policy for the user. I don't want to create policy for different user but if there is way through we can assign inline policy at the time of user creation then It can help me a lot.
– avi
Nov 27 '18 at 7:19
1
Solution - This can be achieved easily by the this approach - Create Read only user with Username - 'petrch_ro' so the policy will have,${aws:username} with read only access, Now full permission user have 'petrch' username and in the policy look like this "${aws:username}_ro". So our both condition satisfies. Thanks :) :)
– avi
Nov 29 '18 at 6:39
add a comment |
First of all I would suggest to avoid using s3:* as much as possible because it can lead to some security issues. For example - in the policy rule below - a combination of s3:* together with the condition s3:prefix equals "" seems to me like effectively allowing to manage the whole bucket. And even with a correct limitation to the user folder they may still change the content to public by changing ACL. Which may be fine, but I would rather define it explicitly so you know that this is wanted.
You can also use path "arn:aws:s3:::bucket-name/Users/{username}" in the bucket ARN and possibly avoid the conditions altogether.
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-name"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
"",
"Users/",
"Users/${aws:username}"
],
"s3:delimiter": [
"/"
]
}
}
},
For your question, can you create username and username_ro with their inline policy which you generate with a CloudFormation template where the username will be a parameter. Than you can have an parametrized prescription and also a way how to update the policy for all users consistently. Does it help or am I not getting correctly your issue?
answered Nov 24 '18 at 12:28
petrchpetrch
32627
@peter, Thanks, I will definitely update the policy. As per my knowledge, we can able to create 1500 policies only, and Client and their users are much more. Let me explain again - suppose you create a folder "/Users/petrch" and your user name will be "petrch", policy assign - "bucket-name/Users/{username}/*" with rw access, then you can able to access you folder. To be cont.
– avi
Nov 25 '18 at 14:41
@peter, now your user want to read the data(User will be just 1) so next user's username will be suppose "petrch_ro" and assign poicy - "bucket-name/Users/{username}/*" with ro access then it can able to access the "/Users/petrch_ro" but we want to read the "/User/petrch/". So how can I create user with ro access to "peter" folder??
– avi
Nov 25 '18 at 14:42
It may be possible with read only users using sts:assumerole from another account, but I it is not very elegant. Otherwise I am afraid that I dont' know.
– petrch
Nov 25 '18 at 21:26
assume role is not working, Is it possible to assign a user inline policy?? From user interface(aws website), I don't get any inline policy, It always require first to create a new policy for the user. I don't want to create policy for different user but if there is way through we can assign inline policy at the time of user creation then It can help me a lot.
– avi
Nov 27 '18 at 7:19
1
Solution - This can be achieved easily by the this approach - Create Read only user with Username - 'petrch_ro' so the policy will have,${aws:username} with read only access, Now full permission user have 'petrch' username and in the policy look like this "${aws:username}_ro". So our both condition satisfies. Thanks :) :)
– avi
Nov 29 '18 at 6:39
add a comment |
First of all I would suggest to avoid using s3:* as much as possible because it can lead to some security issues. For example - in the policy rule below - a combination of s3:* together with the condition s3:prefix equals "" seems to me like effectively allowing to manage the whole bucket. And even with a correct limitation to the user folder they may still change the content to public by changing ACL. Which may be fine, but I would rather define it explicitly so you know that this is wanted.
You can also use path "arn:aws:s3:::bucket-name/Users/{username}" in the bucket ARN and possibly avoid the conditions altogether.
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-name"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
"",
"Users/",
"Users/${aws:username}"
],
"s3:delimiter": [
"/"
]
}
}
},
For your question, can you create username and username_ro with their inline policy which you generate with a CloudFormation template where the username will be a parameter. Than you can have an parametrized prescription and also a way how to update the policy for all users consistently. Does it help or am I not getting correctly your issue?
answered Nov 24 '18 at 12:28
petrchpetrch
32627
First of all I would suggest to avoid using s3:* as much as possible because it can lead to some security issues. For example - in the policy rule below - a combination of s3:* together with the condition s3:prefix equals "" seems to me like effectively allowing to manage the whole bucket. And even with a correct limitation to the user folder they may still change the content to public by changing ACL. Which may be fine, but I would rather define it explicitly so you know that this is wanted.
You can also use path "arn:aws:s3:::bucket-name/Users/{username}" in the bucket ARN and possibly avoid the conditions altogether.
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-name"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
"",
"Users/",
"Users/${aws:username}"
],
"s3:delimiter": [
"/"
]
}
}
},
For your question, can you create username and username_ro with their inline policy which you generate with a CloudFormation template where the username will be a parameter. Than you can have an parametrized prescription and also a way how to update the policy for all users consistently. Does it help or am I not getting correctly your issue?
answered Nov 24 '18 at 12:28
petrchpetrch
32627
answered Nov 24 '18 at 12:28
petrchpetrch
32627
answered Nov 24 '18 at 12:28
petrchpetrch
32627
answered Nov 24 '18 at 12:28
petrchpetrch
32627
32627
@peter, Thanks, I will definitely update the policy. As per my knowledge, we can able to create 1500 policies only, and Client and their users are much more. Let me explain again - suppose you create a folder "/Users/petrch" and your user name will be "petrch", policy assign - "bucket-name/Users/{username}/*" with rw access, then you can able to access you folder. To be cont.
– avi
Nov 25 '18 at 14:41
@peter, now your user want to read the data(User will be just 1) so next user's username will be suppose "petrch_ro" and assign poicy - "bucket-name/Users/{username}/*" with ro access then it can able to access the "/Users/petrch_ro" but we want to read the "/User/petrch/". So how can I create user with ro access to "peter" folder??
– avi
Nov 25 '18 at 14:42
It may be possible with read only users using sts:assumerole from another account, but I it is not very elegant. Otherwise I am afraid that I dont' know.
– petrch
Nov 25 '18 at 21:26
assume role is not working, Is it possible to assign a user inline policy?? From user interface(aws website), I don't get any inline policy, It always require first to create a new policy for the user. I don't want to create policy for different user but if there is way through we can assign inline policy at the time of user creation then It can help me a lot.
– avi
Nov 27 '18 at 7:19
1
Solution - This can be achieved easily by the this approach - Create Read only user with Username - 'petrch_ro' so the policy will have,${aws:username} with read only access, Now full permission user have 'petrch' username and in the policy look like this "${aws:username}_ro". So our both condition satisfies. Thanks :) :)
– avi
Nov 29 '18 at 6:39
add a comment |
@peter, Thanks, I will definitely update the policy. As per my knowledge, we can able to create 1500 policies only, and Client and their users are much more. Let me explain again - suppose you create a folder "/Users/petrch" and your user name will be "petrch", policy assign - "bucket-name/Users/{username}/*" with rw access, then you can able to access you folder. To be cont.
– avi
Nov 25 '18 at 14:41
@peter, now your user want to read the data(User will be just 1) so next user's username will be suppose "petrch_ro" and assign poicy - "bucket-name/Users/{username}/*" with ro access then it can able to access the "/Users/petrch_ro" but we want to read the "/User/petrch/". So how can I create user with ro access to "peter" folder??
– avi
Nov 25 '18 at 14:42
It may be possible with read only users using sts:assumerole from another account, but I it is not very elegant. Otherwise I am afraid that I dont' know.
– petrch
Nov 25 '18 at 21:26
assume role is not working, Is it possible to assign a user inline policy?? From user interface(aws website), I don't get any inline policy, It always require first to create a new policy for the user. I don't want to create policy for different user but if there is way through we can assign inline policy at the time of user creation then It can help me a lot.
– avi
Nov 27 '18 at 7:19
1
Solution - This can be achieved easily by the this approach - Create Read only user with Username - 'petrch_ro' so the policy will have,${aws:username} with read only access, Now full permission user have 'petrch' username and in the policy look like this "${aws:username}_ro". So our both condition satisfies. Thanks :) :)
– avi
Nov 29 '18 at 6:39
@peter, Thanks, I will definitely update the policy. As per my knowledge, we can able to create 1500 policies only, and Client and their users are much more. Let me explain again - suppose you create a folder "/Users/petrch" and your user name will be "petrch", policy assign - "bucket-name/Users/{username}/*" with rw access, then you can able to access you folder. To be cont.
– avi
Nov 25 '18 at 14:41
@peter, Thanks, I will definitely update the policy. As per my knowledge, we can able to create 1500 policies only, and Client and their users are much more. Let me explain again - suppose you create a folder "/Users/petrch" and your user name will be "petrch", policy assign - "bucket-name/Users/{username}/*" with rw access, then you can able to access you folder. To be cont.
– avi
Nov 25 '18 at 14:41
@peter, now your user want to read the data(User will be just 1) so next user's username will be suppose "petrch_ro" and assign poicy - "bucket-name/Users/{username}/*" with ro access then it can able to access the "/Users/petrch_ro" but we want to read the "/User/petrch/". So how can I create user with ro access to "peter" folder??
– avi
Nov 25 '18 at 14:42
@peter, now your user want to read the data(User will be just 1) so next user's username will be suppose "petrch_ro" and assign poicy - "bucket-name/Users/{username}/*" with ro access then it can able to access the "/Users/petrch_ro" but we want to read the "/User/petrch/". So how can I create user with ro access to "peter" folder??
– avi
Nov 25 '18 at 14:42
It may be possible with read only users using sts:assumerole from another account, but I it is not very elegant. Otherwise I am afraid that I dont' know.
– petrch
Nov 25 '18 at 21:26
It may be possible with read only users using sts:assumerole from another account, but I it is not very elegant. Otherwise I am afraid that I dont' know.
– petrch
Nov 25 '18 at 21:26
assume role is not working, Is it possible to assign a user inline policy?? From user interface(aws website), I don't get any inline policy, It always require first to create a new policy for the user. I don't want to create policy for different user but if there is way through we can assign inline policy at the time of user creation then It can help me a lot.
– avi
Nov 27 '18 at 7:19
assume role is not working, Is it possible to assign a user inline policy?? From user interface(aws website), I don't get any inline policy, It always require first to create a new policy for the user. I don't want to create policy for different user but if there is way through we can assign inline policy at the time of user creation then It can help me a lot.
– avi
Nov 27 '18 at 7:19
1
1
Solution - This can be achieved easily by the this approach - Create Read only user with Username - 'petrch_ro' so the policy will have,${aws:username} with read only access, Now full permission user have 'petrch' username and in the policy look like this "${aws:username}_ro". So our both condition satisfies. Thanks :) :)
– avi
Nov 29 '18 at 6:39
Solution - This can be achieved easily by the this approach - Create Read only user with Username - 'petrch_ro' so the policy will have,${aws:username} with read only access, Now full permission user have 'petrch' username and in the policy look like this "${aws:username}_ro". So our both condition satisfies. Thanks :) :)
– avi
Nov 29 '18 at 6:39
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53456876%2fin-s3-assign-a-folder-to-two-user-by-iam-policy-with-different-access-level%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
