In S3 assign a folder to two users by IAM policy with different access level

I am using Amazon S3 to store client data. There are multiple clients and each client has their own folder, named after them, in the '/Users/' folder. Clients have read and write permission.

To assign permissions to each client dynamically I create a standard policy that I assign at the time of user creation (the policy is below, which is working fine).

Now clients also have their own users who access that data. But they should have just read-only permission on the folder that belongs to their client, not other folders.

I created a policy which has read and write access permission:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowUserToSeeBucketListInTheConsole",
          "Action": [
            "s3:ListAllMyBuckets"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::*"
          ]
        },
        {
          "Sid": "AllowRootAndHomeListingOfCompanyBucket",
          "Action": [
            "s3:*"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::bucket-name"
          ],
          "Condition": {
            "StringEquals": {
              "s3:prefix": [
                "",
                "Users/",
                "Users/${aws:username}"
              ],
              "s3:delimiter": [
                "/"
              ]
            }
          }
        },
        {
          "Sid": "AllowListingOfUserFolder",
          "Action": [
            "s3:*"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::bucket-name"
          ],
          "Condition": {
            "StringLike": {
              "s3:prefix": [
                "",
                "Users/",
                "Users/${aws:username}/*"
              ]
            }
          }
        },
        {
          "Sid": "AllowAllS3ActionsInUserFolder",
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:PutObject"
          ],
          "Resource": [
            "arn:aws:s3:::bucket-name/Users/${aws:username}/*"
          ]
        }
      ]
    }


Suppose ${aws:username} is the same folder which belongs to the client.

If I create a second policy the same as the above, just with read-only permission, then the read-only user's username must be different (because usernames can't be the same), so if the second user has a different name then he can't access that folder.

Questions:

  1. How to create a user and assign read-only permission to the folder which belongs to its client? (A user with the folder name already exists with read and write permission.)

  2. Like ${aws:username}, is there anything we can assign at the time of creating a user and use in the policy like a variable?










amazon-web-services amazon-s3 amazon-iam

edited Nov 27 '18 at 7:57 by avi
asked Nov 24 '18 at 9:33 by avi

1 Answer

First of all, I would suggest avoiding s3:* as much as possible because it can lead to security issues. For example, in the policy rule below, the combination of s3:* together with the condition s3:prefix equals "" seems to me to effectively allow managing the whole bucket. And even with a correct limitation to the user folder, they may still change the content to public by changing the ACL. Which may be fine, but I would rather define it explicitly so you know that this is wanted.

You can also use the path "arn:aws:s3:::bucket-name/Users/{username}" in the bucket ARN and possibly avoid the conditions altogether.

    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucket-name"
      ],
      "Condition": {
        "StringEquals": {
          "s3:prefix": [
            "",
            "Users/",
            "Users/${aws:username}"
          ],
          "s3:delimiter": [
            "/"
          ]
        }
      }
    },

For your question, could you create username and username_ro with their inline policy, which you generate with a CloudFormation template where the username is a parameter? Then you can have a parametrized prescription and also a way to update the policy for all users consistently. Does it help, or am I not getting your issue correctly?






• @peter, Thanks, I will definitely update the policy. As far as I know, we can create only 1500 policies, and clients and their users are many more. Let me explain again: suppose you create a folder "/Users/petrch" and your user name is "petrch"; the policy assigned is "bucket-name/Users/{username}/*" with rw access, then you can access your folder. To be cont.

  – avi
  Nov 25 '18 at 14:41

• @peter, now your user wants to read the data (there will be just 1 user), so the next user's username will be, suppose, "petrch_ro", and the assigned policy is "bucket-name/Users/{username}/*" with ro access; then it can access "/Users/petrch_ro" but we want to read "/Users/petrch/". So how can I create a user with ro access to the "petrch" folder??

  – avi
  Nov 25 '18 at 14:42

• It may be possible with read-only users using sts:assumerole from another account, but it is not very elegant. Otherwise I am afraid that I don't know.

  – petrch
  Nov 25 '18 at 21:26

• assume role is not working. Is it possible to assign a user an inline policy?? From the user interface (AWS website), I don't get any inline policy; it always requires first creating a new policy for the user. I don't want to create a policy for each different user, but if there is a way we can assign an inline policy at the time of user creation then it can help me a lot.

  – avi
  Nov 27 '18 at 7:19

• Solution - This can be achieved easily by this approach: create the read-only user with username 'petrch_ro', so its policy will have ${aws:username} with read-only access. Now the full-permission user has username 'petrch' and in the policy it looks like "${aws:username}_ro". So both our conditions are satisfied. Thanks :) :)

  – avi
  Nov 29 '18 at 6:39

answered Nov 24 '18 at 12:28 by petrch
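As an added example (my code, not from the question, the answer or AWS), the following Python models the small subset of IAM evaluation these policies rely on and runs the three set-ups discussed on this page through it: the question's ${aws:username}-only policy, where a differently named read-only user lands in a different folder; the `_ro` suffix convention from avi's last comment; and, one step beyond the page, the same policy written with the principal-tag variable ${aws:PrincipalTag/client}, a real IAM policy variable that answers question 2 without encoding the folder in the username. Following petrch's advice, the generated policies grant explicit actions rather than s3:*. The evaluator, the folder_policy helper, the sample principals and the object keys are my constructions and the evaluator is a simplified model, not the IAM engine; bucket-name and the petrch / petrch_ro names come from the page.

```python
import re

# Added example (not AWS code): a small model of IAM evaluation covering only what these policies use.

def _wild(pattern, ignore_case=False):
    """Translate an IAM wildcard ('*' any run, '?' one char) into an anchored regex."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(body + r"\Z", re.IGNORECASE if ignore_case else 0)

def substitute(text, principal):
    """Expand ${aws:username} and ${aws:PrincipalTag/<key>}; None if a variable cannot be resolved."""
    missing = []
    def repl(m):
        var, tag = m.group(1), m.group(1).split("/", 1)[-1]
        if var == "aws:username":
            return principal["username"]
        if var.startswith("aws:PrincipalTag/") and tag in principal.get("tags", {}):
            return principal["tags"][tag]
        missing.append(var)  # IAM treats an element with an unresolvable variable as not matching
        return ""
    out = re.sub(r"\$\{([^}]+)\}", repl, text)
    return None if missing else out

def _matches(stmt, principal, action, resource, context):
    """Does one statement (lists for Action/Resource) apply to this request?"""
    if not any(_wild(a, True).match(action) for a in stmt["Action"]):  # actions are case-insensitive
        return False
    resources = [r for r in (substitute(x, principal) for x in stmt["Resource"]) if r is not None]
    if not any(_wild(r).match(resource) for r in resources):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        for key, wanted in keys.items():
            if key not in context:  # request lacks the key, so the condition does not match
                return False
            values = [v for v in (substitute(w, principal) for w in wanted) if v is not None]
            if operator == "StringEquals":
                ok = context[key] in values
            elif operator == "StringLike":
                ok = any(_wild(v).match(context[key]) for v in values)
            else:
                raise ValueError(f"condition operator {operator} is not modelled")
            if not ok:
                return False
    return True

def is_allowed(policy, principal, action, resource, context=None):
    """Default deny; an explicit Deny always wins; otherwise any matching Allow grants access."""
    hits = [s["Effect"] for s in policy["Statement"] if _matches(s, principal, action, resource, context or {})]
    return "Allow" in hits and "Deny" not in hits

def folder_policy(folder, actions, bucket="bucket-name"):
    """One user's inline policy for one folder: explicit actions only, no s3:*.
    `folder` may contain policy variables, e.g. "Users/${aws:username}"."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListOwnFolder", "Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{bucket}"],
         "Condition": {"StringLike": {"s3:prefix": ["", "Users/", folder, f"{folder}/*"]}}},
        {"Sid": "ObjectsInOwnFolder", "Effect": "Allow", "Action": actions,
         "Resource": [f"arn:aws:s3:::{bucket}/{folder}/*"]}]}

BUCKET_ARN = "arn:aws:s3:::bucket-name"                      # bucket name as in the question
RW, RO = ["s3:GetObject", "s3:PutObject"], ["s3:GetObject"]

def obj(folder):
    return f"{BUCKET_ARN}/{folder}/report.csv"               # constructed object key

def username_only():
    """The question's setup: each user's folder is derived from ${aws:username} alone."""
    rw, ro = folder_policy("Users/${aws:username}", RW), folder_policy("Users/${aws:username}", RO)
    return {
        "petrch writes Users/petrch": is_allowed(rw, {"username": "petrch"}, "s3:PutObject", obj("Users/petrch")),
        "petrch_ro reads Users/petrch": is_allowed(ro, {"username": "petrch_ro"}, "s3:GetObject", obj("Users/petrch")),
        "petrch_ro reads Users/petrch_ro": is_allowed(ro, {"username": "petrch_ro"}, "s3:GetObject", obj("Users/petrch_ro")),
    }

def suffix_convention():
    """The final comment's workaround: the folder is Users/<ro user>; the RW user's policy appends _ro."""
    rw, ro = folder_policy("Users/${aws:username}_ro", RW), folder_policy("Users/${aws:username}", RO)
    shared, reader = obj("Users/petrch_ro"), {"username": "petrch_ro"}
    return {
        "petrch writes": is_allowed(rw, {"username": "petrch"}, "s3:PutObject", shared),
        "petrch_ro reads": is_allowed(ro, reader, "s3:GetObject", shared),
        "petrch_ro writes": is_allowed(ro, reader, "s3:PutObject", shared),
        "petrch_ro lists own": is_allowed(ro, reader, "s3:ListBucket", BUCKET_ARN, {"s3:prefix": "Users/petrch_ro/"}),
        "petrch_ro lists other": is_allowed(ro, reader, "s3:ListBucket", BUCKET_ARN, {"s3:prefix": "Users/other/"}),
    }

def principal_tag():
    """Tag-based variant (my addition, not on the page): a 'client' tag set at user creation picks the folder."""
    rw, ro = folder_policy("Users/${aws:PrincipalTag/client}", RW), folder_policy("Users/${aws:PrincipalTag/client}", RO)
    writer = {"username": "petrch", "tags": {"client": "petrch"}}
    reader = {"username": "alice", "tags": {"client": "petrch"}}  # the username no longer has to encode the folder
    return {
        "writer writes": is_allowed(rw, writer, "s3:PutObject", obj("Users/petrch")),
        "reader reads": is_allowed(ro, reader, "s3:GetObject", obj("Users/petrch")),
        "reader writes": is_allowed(ro, reader, "s3:PutObject", obj("Users/petrch")),
        "reader reads other client": is_allowed(ro, reader, "s3:GetObject", obj("Users/other")),
        "untagged user reads": is_allowed(ro, {"username": "bob"}, "s3:GetObject", obj("Users/petrch")),
    }
```

Calling the three functions returns a verdict table each. The point to notice in suffix_convention is that both policies resolve to the same prefix only because the folder is literally named Users/petrch_ro, so the naming convention becomes part of the access-control design and has to be enforced whenever users are created. The principal_tag variant assumes the users carry an IAM tag named client (which can be set when the user is created) and a policy that uses the aws:PrincipalTag key; neither is shown on the page.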

          32627




          32627













          • @peter, Thanks, I will definitely update the policy. As per my knowledge, we can able to create 1500 policies only, and Client and their users are much more. Let me explain again - suppose you create a folder "/Users/petrch" and your user name will be "petrch", policy assign - "bucket-name/Users/{username}/*" with rw access, then you can able to access you folder. To be cont.

            – avi
            Nov 25 '18 at 14:41











          • @peter, now your user want to read the data(User will be just 1) so next user's username will be suppose "petrch_ro" and assign poicy - "bucket-name/Users/{username}/*" with ro access then it can able to access the "/Users/petrch_ro" but we want to read the "/User/petrch/". So how can I create user with ro access to "peter" folder??

            – avi
            Nov 25 '18 at 14:42











          • It may be possible with read only users using sts:assumerole from another account, but I it is not very elegant. Otherwise I am afraid that I dont' know.

            – petrch
            Nov 25 '18 at 21:26











          • assume role is not working, Is it possible to assign a user inline policy?? From user interface(aws website), I don't get any inline policy, It always require first to create a new policy for the user. I don't want to create policy for different user but if there is way through we can assign inline policy at the time of user creation then It can help me a lot.

            – avi
            Nov 27 '18 at 7:19






          • 1





            Solution - This can be achieved easily by the this approach - Create Read only user with Username - 'petrch_ro' so the policy will have,${aws:username} with read only access, Now full permission user have 'petrch' username and in the policy look like this "${aws:username}_ro". So our both condition satisfies. Thanks :) :)

            – avi
            Nov 29 '18 at 6:39





















          • @peter, Thanks, I will definitely update the policy. As per my knowledge, we can able to create 1500 policies only, and Client and their users are much more. Let me explain again - suppose you create a folder "/Users/petrch" and your user name will be "petrch", policy assign - "bucket-name/Users/{username}/*" with rw access, then you can able to access you folder. To be cont.

            – avi
            Nov 25 '18 at 14:41











          • @peter, now your user want to read the data(User will be just 1) so next user's username will be suppose "petrch_ro" and assign poicy - "bucket-name/Users/{username}/*" with ro access then it can able to access the "/Users/petrch_ro" but we want to read the "/User/petrch/". So how can I create user with ro access to "peter" folder??

            – avi
            Nov 25 '18 at 14:42











          • It may be possible with read only users using sts:assumerole from another account, but I it is not very elegant. Otherwise I am afraid that I dont' know.

            – petrch
            Nov 25 '18 at 21:26











          • assume role is not working, Is it possible to assign a user inline policy?? From user interface(aws website), I don't get any inline policy, It always require first to create a new policy for the user. I don't want to create policy for different user but if there is way through we can assign inline policy at the time of user creation then It can help me a lot.

            – avi
            Nov 27 '18 at 7:19






          • 1





            Solution - This can be achieved easily by the this approach - Create Read only user with Username - 'petrch_ro' so the policy will have,${aws:username} with read only access, Now full permission user have 'petrch' username and in the policy look like this "${aws:username}_ro". So our both condition satisfies. Thanks :) :)

            – avi
            Nov 29 '18 at 6:39