Ruan Bekker's Blog

From a Curious mind to Posts on Github

AWS: IAM S3 Policy for Cyberduck to Allow Listing Buckets and Access to One Bucket

When using Cyberduck to access S3 with an account that has restrictive policies, you may see the error "Listing Directory: / failed".

If you have restrictive IAM policies in your account, this is usually because s3:ListAllMyBuckets is not allowed.

In this post we want to allow a user to list all buckets, so that Cyberduck can do its initial listing after configuration / launch, and we want to give the user access to their designated bucket only.

Creating the IAM Policy:

We will create this IAM policy and attach it to the user's account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1480515305000",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "Stmt1480515305002",
            "Effect": "Allow",
            "Action": [
                "s3:List*",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::allowed-bucket",
                "arn:aws:s3:::allowed-bucket/*"
            ]
        }
    ]
}

With this policy attached we should be able to list the buckets:

$ aws --profile cyberduck s3 ls /
2017-06-08 08:27:01 allowed-bucket
2017-05-21 13:39:21 private-bucket
2016-12-21 08:23:45 confidential-bucket
2017-08-10 14:18:19 test-bucket
2016-08-03 12:38:29 datalake-bucket

We are able to list inside the allowed bucket, as well as Get, Put etc.:

$ aws --profile cyberduck s3 ls allowed-bucket/
                           PRE data/

We are unable to list the contents of other buckets, which is expected, as they are not mentioned in the policy:

$ aws --profile cyberduck s3 ls confidential-bucket/

An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied
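To show why the three CLI checks above come out the way they do, here is a small offline evaluator for the policy from this post. It is an added example, not code from the post or from Cyberduck; it models only the parts of IAM evaluation the policy relies on (explicit Deny wins, then any matching Allow, otherwise implicit deny; action names match case-insensitively with * and ? wildcards, resource ARNs match case-sensitively) and ignores conditions, NotAction/NotResource and bucket policies. The request resources, the `deny_action` helper and the `cyberduck_checks` function are assumptions made for the example.

```python
import copy
import fnmatch
import json

# The policy from the post, embedded inline so the example runs offline.
POLICY_JSON = """
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1480515305000",
            "Effect": "Allow",
            "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
            "Resource": ["arn:aws:s3:::*"]
        },
        {
            "Sid": "Stmt1480515305002",
            "Effect": "Allow",
            "Action": ["s3:List*", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": ["arn:aws:s3:::allowed-bucket", "arn:aws:s3:::allowed-bucket/*"]
        }
    ]
}
"""
POLICY = json.loads(POLICY_JSON)


def _as_list(value):
    # IAM accepts a bare string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _match_action(pattern, action):
    # Action names are matched case-insensitively; * and ? are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _match_resource(pattern, resource):
    # Resource ARNs are matched case-sensitively; * also spans '/' in keys.
    return fnmatch.fnmatchcase(resource, pattern)


def is_allowed(policy, action, resource):
    """Simplified evaluation of one identity policy: an explicit Deny that
    matches wins immediately, any matching Allow grants, else implicit deny."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not any(_match_action(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_match_resource(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def deny_action(policy, action, resources):
    """Return a copy of the policy with an explicit Deny appended (assumed helper,
    used to show that Deny overrides an earlier Allow on the same resource)."""
    hardened = copy.deepcopy(policy)
    hardened["Statement"].append({"Effect": "Deny", "Action": action, "Resource": resources})
    return hardened


def cyberduck_checks(policy):
    """Replay the calls behind the post's CLI checks against the evaluator.
    ListAllMyBuckets is an account-level call; here it is evaluated against the
    wildcard S3 ARN the policy grants it on (a simplification of this model)."""
    return {
        "list_all_buckets": is_allowed(policy, "s3:ListAllMyBuckets", "arn:aws:s3:::*"),
        "list_allowed_bucket": is_allowed(policy, "s3:ListBucket", "arn:aws:s3:::allowed-bucket"),
        "get_object_allowed_bucket": is_allowed(
            policy, "s3:GetObject", "arn:aws:s3:::allowed-bucket/data/report.csv"),
        "list_confidential_bucket": is_allowed(policy, "s3:ListBucket", "arn:aws:s3:::confidential-bucket"),
        "get_object_confidential_bucket": is_allowed(
            policy, "s3:GetObject", "arn:aws:s3:::confidential-bucket/secret.txt"),
        # Granted on every bucket by the first statement: only the bucket's region is exposed.
        "bucket_location_confidential": is_allowed(
            policy, "s3:GetBucketLocation", "arn:aws:s3:::confidential-bucket"),
    }


if __name__ == "__main__":
    for name, result in cyberduck_checks(POLICY).items():
        print(f"{name:32s} {'Allow' if result else 'Deny'}")
```

The last entry is the one worth noticing when reviewing this policy: the first statement grants s3:GetBucketLocation on every bucket, not only on allowed-bucket, which Cyberduck needs to find each bucket's region but which also confirms that a bucket name exists. If that is more than the user should learn, scope that statement's Resource down to the designated bucket and keep only s3:ListAllMyBuckets on arn:aws:s3:::*.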

Resources: