everyone. I have a situation in which I want a web application to add / update files to an S3 bucket, and then have only specified IPs be able to read these files. My web application uses the AWS SDK to access the S3 bucket and upload files. So, in other words, I want the SDK and the specified IPs to have access to the bucket, and otherwise deny access.
I tried doing this through the S3 bucket policy but was unable to make it work. My latest attempt at the policy is as follows:
{
"Version": "2012-10-17",
"Id": "MyPolicy",
"Statement": [
{
"Sid": "MyPolicy",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
],
"Condition": {
"StringNotLike": {
"aws:SourceIp": [
"11.11.11.111/32",
"22.22.22.222/32",
"333.333.33.333/32",
"444.444.44.444/32"
],
"aws:SourceAccount": [
"123456789012"
]
}
}
}
]
}
This did not work, however, as it blocked even the bucket owner / root account from accessing files. Any help is appreciated, thanks in advance!
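As an added illustration (not code from the original post), the block below models the two IAM evaluation rules that decide this policy's fate: the operator/key pairs inside one Condition block are AND-ed, values listed for one key are OR-ed, and a negated operator such as StringNotLike or NotIpAddress evaluates to true whenever the key is absent from the request. aws:SourceAccount is only populated for service-to-service calls, so a direct request from the root user or from the SDK never carries it, and the posted Deny matches anyone outside the IP list. The second statement shows the shape that expresses the stated goal: deny unless the request comes from an allowed IP or the caller is the application's role. The account ID, the role name "app-uploader" and the request contexts are assumptions; the two "333…" / "444…" placeholders from the question are not valid IPv4 addresses, so only the first two are used.

```python
"""Toy model of IAM Condition evaluation (added example, not the page's code).
Account ID, IPs, the app role and the request contexts are constructed placeholders."""
import fnmatch
import ipaddress

ACCOUNT = "123456789012"
ALLOWED_IPS = ["11.11.11.111/32", "22.22.22.222/32"]
APP_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/app-uploader"  # hypothetical SDK role


def _pair_matches(operator, key, values, ctx):
    """One operator/key pair: OR across values; negated operators are true when key is absent."""
    present = key in ctx
    if operator in ("StringLike", "StringNotLike"):
        hit = present and any(fnmatch.fnmatchcase(ctx[key], v) for v in values)
    elif operator in ("IpAddress", "NotIpAddress"):
        hit = present and any(
            ipaddress.ip_address(ctx[key]) in ipaddress.ip_network(v) for v in values
        )
    else:
        raise ValueError(f"operator not modelled: {operator}")
    negated = operator in ("StringNotLike", "NotIpAddress")
    return (not hit) if negated else hit


def condition_matches(condition, ctx):
    """A Condition block matches only if every operator/key pair matches (AND)."""
    return all(
        _pair_matches(op, key, vals if isinstance(vals, list) else [vals], ctx)
        for op, pairs in condition.items()
        for key, vals in pairs.items()
    )


def is_denied(statement, ctx):
    return statement["Effect"] == "Deny" and condition_matches(statement["Condition"], ctx)


# The statement from the question, reduced to the parts that matter here.
POSTED = {
    "Effect": "Deny",
    "Condition": {"StringNotLike": {"aws:SourceIp": ALLOWED_IPS,
                                    "aws:SourceAccount": [ACCOUNT]}},
}

# Deny unless (from an allowed IP) OR (caller is the app role): both negated pairs must hold.
# aws:SourceIp is an IP-type key, so it is matched with NotIpAddress (CIDR-aware).
FIXED = {
    "Effect": "Deny",
    "Condition": {
        "NotIpAddress": {"aws:SourceIp": ALLOWED_IPS},
        "StringNotLike": {"aws:PrincipalArn": [APP_ROLE_ARN]},
    },
}

# Constructed request contexts. aws:SourceAccount is deliberately absent: it only exists
# when an AWS service calls another service on the caller's behalf.
ROOT_FROM_OFFICE = {"aws:SourceIp": "11.11.11.111",
                    "aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT}:root"}
ROOT_FROM_ELSEWHERE = {"aws:SourceIp": "203.0.113.9",
                       "aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT}:root"}
APP_FROM_ELSEWHERE = {"aws:SourceIp": "203.0.113.9",
                      "aws:PrincipalArn": APP_ROLE_ARN}

if __name__ == "__main__":
    for name, ctx in [("root/elsewhere", ROOT_FROM_ELSEWHERE),
                      ("app/elsewhere", APP_FROM_ELSEWHERE),
                      ("root/office", ROOT_FROM_OFFICE)]:
        print(f"{name:15} posted denied={is_denied(POSTED, ctx)} "
              f"fixed denied={is_denied(FIXED, ctx)}")
```

Two caveats a practitioner would want: a bucket-policy Deny with Principal "*" also denies the account root, so any break-glass principal must appear in the same exception list as the application role; and aws:SourceIp is not available for requests that arrive through a VPC endpoint, where the negated operator again evaluates to true and the Deny fires.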
I am trying to follow this tutorial here to create an execution role - https://docs.aws.amazon.com/lambda/latest/dg/python-package-create.html
However, when I try and run the following command from the instructions
aws iam create-role --role-name lambda-ex --assume-role-policy-document "{"Version": "2012-10-17","Statement": [{ "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}"
I get the error "An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: This policy contains invalid Json".
I'm new to AWS so I'm not sure what's going on - can anyone help please?
Use single quotes. Note: this only works on a Linux-like OS.
aws iam create-role --role-name lambda-ex --assume-role-policy-document '{"Version": "2012-10-17","Statement": [{ "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}'
To fix this, following jellycsc's advice to escape every " in the string, I used:
aws iam create-role --role-name lambda-ex --assume-role-policy-document "{\"Version\": \"2012-10-17\",\"Statement\": [{ \"Effect\": \"Allow\", \"Principal\": {\"Service\": \"lambda.amazonaws.com\"}, \"Action\": \"sts:AssumeRole\"}]}"
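To make the quoting problem visible without running the AWS CLI, the following added example (my code, not from the thread) uses Python's shlex, which splits a command line the way a POSIX shell does, to show exactly which argument `aws` receives for each of the three quoting styles above. The policy document is the one from the question; the command lines are reconstructed from the posts.

```python
"""What the CLI sees after the shell has parsed each quoting style (added example)."""
import json
import shlex

# The trust policy from the question (no single quotes inside, so it can be single-quoted).
DOC = ('{"Version": "2012-10-17","Statement": [{ "Effect": "Allow", '
       '"Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}')
PREFIX = "aws iam create-role --role-name lambda-ex --assume-role-policy-document "

DOUBLE_QUOTED = PREFIX + '"' + DOC + '"'                      # the failing command
SINGLE_QUOTED = PREFIX + "'" + DOC + "'"                      # first answer
ESCAPED = PREFIX + '"' + DOC.replace('"', '\\"') + '"'        # second answer


def policy_arg(command_line):
    """Split like a POSIX shell and return the value passed to --assume-role-policy-document."""
    argv = shlex.split(command_line)
    return argv[argv.index("--assume-role-policy-document") + 1]


def is_valid_json(text):
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


if __name__ == "__main__":
    for label, cmd in [("double", DOUBLE_QUOTED), ("single", SINGLE_QUOTED), ("escaped", ESCAPED)]:
        arg = policy_arg(cmd)
        print(f"{label:8} valid={is_valid_json(arg)!s:5} {arg[:40]}...")
```

With the outer double quotes, every inner quote toggles the shell's quoting state instead of being passed through, so the CLI receives the document with all quotes stripped (`{Version: 2012-10-17,Statement: ...`), which is the "invalid Json" the service reports. Writing the document to a file and passing `file://trust-policy.json` avoids the problem on every platform.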
I did not find the solution here so I need to ask you for some help.
I am trying to create a new simple aws policy (cli) with powershell and I have the error:
An error occurred (MalformedPolicyDocument) when calling the CreatePolicy operation: Syntax errors in policy.
This is the command I use:
aws iam create-policy --policy-name TEST-POLICY --policy-document file://policy.json
And this is the policy.json file:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:GetUser",
"iam:GetGroup"
],
"Resource": [
"arn:aws:iam::(arn id):user/(arn id)",
"arn:aws:iam::(arn id):group/(arn id)"
]
}
]
}
It is strange because when I use the AWS website JSON editor it works fine. But when I try it on my Windows PC it does not.
Can someone see the wrong syntax?
Solved. It was because of the encoding: UTF-8-BOM. It must be UTF-8.
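The byte order mark is invisible in most editors, so a pre-flight check on the file is worth more than staring at the JSON. The added example below (not from the thread) detects a UTF-8 or UTF-16 BOM in a policy file, shows that a strict UTF-8 parse rejects the BOM-prefixed bytes, and rewrites the bytes as plain UTF-8 for `--policy-document file://`. The policy content is a constructed sample; the file path is an assumption.

```python
"""Detect and strip a BOM from a policy document before handing it to the CLI (added example)."""
import codecs
import json

POLICY = '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "iam:GetUser", "Resource": "*"}]}'
CLEAN = POLICY.encode("utf-8")                 # what the service accepts
WITH_BOM = codecs.BOM_UTF8 + CLEAN             # what a "UTF-8 with BOM" editor writes

_BOMS = (
    (codecs.BOM_UTF8, "utf-8-sig"),            # EF BB BF
    (codecs.BOM_UTF16_LE, "utf-16"),           # FF FE  (Windows PowerShell 5 Out-File default)
    (codecs.BOM_UTF16_BE, "utf-16"),           # FE FF
)


def detect_bom(data: bytes):
    """Return the codec that consumes the leading BOM, or None when there is none."""
    for bom, codec in _BOMS:
        if data.startswith(bom):
            return codec
    return None


def normalize_to_utf8(data: bytes) -> bytes:
    """Decode with the BOM-aware codec (if any) and re-encode as plain UTF-8 without a BOM."""
    return data.decode(detect_bom(data) or "utf-8").encode("utf-8")


def parse_error(data: bytes):
    """Strict parse, as the service does it: plain UTF-8, then JSON. Returns the error text or None."""
    try:
        json.loads(data.decode("utf-8"))
        return None
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        return str(exc)


def fix_policy_file(path: str) -> bool:
    """Rewrite the file without a BOM; returns True when a BOM was removed. Path is hypothetical."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if detect_bom(raw) is None:
        return False
    with open(path, "wb") as fh:
        fh.write(normalize_to_utf8(raw))
    return True


if __name__ == "__main__":
    print("bom:", detect_bom(WITH_BOM), "| strict parse:", parse_error(WITH_BOM))
    print("after normalize:", parse_error(normalize_to_utf8(WITH_BOM)))
```

On Windows PowerShell 5.1, `Out-File` and `-Encoding UTF8` both emit a BOM, so a policy written from a script is a likely victim; PowerShell 7 defaults to UTF-8 without BOM. Run the check on any policy.json that the console accepts but the CLI rejects.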
I've an AWS Api-Gateway resource that I tried configuring to add a message to AWS-SQS, however when I try sending a request to the api I get a response:
{
"Error": {
"Code": "MissingParameter",
"Message": "Version is missing.",
"Type": "Sender"
},
"RequestId": "the-multicharacter-request-id-blah-blah"
}
I have linked the two services in the integration tab and the permissions policy is the below:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sqs:*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
I've tried adding in api-gateway permissions to the policy, adding a Version parameter in the header, starting the setup from scratch again.
Is there something I'm missing?
'Version' here specifies which version of 'SQS' service to use and should be specified as a query parameter and not the header e.g.:
?Version='2019-05-09'
'Version' specified in the policy refers to the version of the policy language.
This was a case of RTFM.
I ran into this due to a different root cause: make sure the "Action Type" is set to "Use path override" if you don't intend to use "action override".
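The distinction the answers draw (the Query API's Version parameter versus the policy language's "Version") is easiest to see on the wire. The added example below (my code, not from the thread) builds the SendMessage request an API Gateway AWS integration has to forward to SQS, with Action, Version and MessageBody as form parameters rather than headers, and reproduces the error document from the question when Version is only sent as a header. The queue URL and message are constructed placeholders; the SQS Query API version 2012-11-05 is the real one.

```python
"""Shape of an SQS Query API request and the Version check that produced the error (added example)."""
from urllib.parse import parse_qs, urlencode, urlsplit

SQS_API_VERSION = "2012-11-05"  # SQS Query API version; unrelated to "Version" in IAM policies


def build_send_message_request(queue_url: str, message_body: str) -> dict:
    """POST to the queue URL with the Query API parameters form-encoded in the body."""
    params = {"Action": "SendMessage", "Version": SQS_API_VERSION, "MessageBody": message_body}
    return {
        "method": "POST",
        "url": queue_url,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(params),
    }


def query_api_params(request: dict) -> dict:
    """Parameters as the Query API reads them: query string plus form body; headers are ignored."""
    merged = parse_qs(urlsplit(request["url"]).query)
    if request["headers"].get("Content-Type") == "application/x-www-form-urlencoded":
        merged.update(parse_qs(request.get("body", "")))
    return {k: v[0] for k, v in merged.items()}


def check_request(request: dict):
    """Return the MissingParameter error document when Version is absent, otherwise None."""
    if "Version" not in query_api_params(request):
        return {"Error": {"Code": "MissingParameter", "Message": "Version is missing.", "Type": "Sender"}}
    return None


# Constructed placeholders for a usage run.
QUEUE_URL = "https://sqs.us-east-1.amazonaws.com/123456789012/my-queue"
GOOD = build_send_message_request(QUEUE_URL, "hello")
HEADER_ONLY = {  # Version in a header, as the question tried, does not count
    "method": "POST",
    "url": QUEUE_URL,
    "headers": {"Content-Type": "application/x-www-form-urlencoded", "Version": SQS_API_VERSION},
    "body": urlencode({"Action": "SendMessage", "MessageBody": "hello"}),
}

if __name__ == "__main__":
    print("good:", check_request(GOOD))
    print("header only:", check_request(HEADER_ONLY))
```

In the API Gateway integration this corresponds to a POST with path override `<account-id>/<queue-name>`, a Content-Type of application/x-www-form-urlencoded, and a mapping template that emits `Action=SendMessage&Version=2012-11-05&MessageBody=...`.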
I am trying to move an S3 bucket from one account (A) to another (B).
I have succeeded with that operation and remove the bucket from account A.
I am trying to move the new bucket from account B to another bucket on account B, but am learning that besides the bucket itself I have no access to the files.
After much fighting with the s3 cli and its permissions I checked the s3api commands and found out that the files (surprise surprise) still hold the old ownership.
I am trying now to change it, but came to a standstill with put-bucket-acl: the JSON file isn't working for the s3api command.
I tried running the command in debug, but didn't make too much out of it.
Anybody knows what to do ?
Maybe a better way to solve this issue ?
what I did so far:
the command:
aws s3api put-bucket-acl --bucket my-bucket --cli-input-json file://1.json
(Same with put-object-acl)
1.json file:
"Grantee": {
"DisplayName": "account_B",
"EmailAddress": "user#mail.com",
"ID": "111111hughalphnumericnumber22222",
"Type": "CanonicalUser",
"Permission": "FULL_CONTROL"
}
The errors I get :
Unknown parameter in input: "Grantee", must be one of: ACL, AccessControlPolicy, Bucket, ContentMD5, GrantFullControl, GrantRead, GrantReadACP, GrantWrite, GrantWriteACP
Unknown parameter in input: "Permission", must be one of: ACL, AccessControlPolicy, Bucket, ContentMD5, GrantFullControl, GrantRead, GrantReadACP, GrantWrite, GrantWriteACP
UPDATE:
AssumeRole between the 2 accounts doesn't work in my case.
CLI (s3cmd, s3api), GUI (MCSTools, BucketExplorer), and ACL using headers/body (Postman) did not help either.
I'm connecting AWS support and hoping for the best.
I'll update when I have a solution.
So, AWS support came to the rescue... I'm leaving this for others to see, so they won't have to waste 2 days like I did trying to figure what the hell went wrong...
aws s3api get-object-acl --bucket <bucket_on_B> --key <Key_on_B_Owned_by_A> --profile IAM_User_A > A_to_B.json
apply the outcome of:
aws s3api get-bucket-acl --bucket <Bucket_on_B> --profile IAM_User_B
onto the json file that was created, and then run
aws s3api put-object-acl --bucket <Bucket_on_B> --key <Key_on_B_Owned_by_A> --access-control-policy file://A_to_B.json --profile IAM_User_A
Your JSON is wrong. According to the documentation for the put-bucket-acl option you can generate valid JSON template ('skeleton') using --generate-cli-skeleton. For example:
aws s3api put-bucket-acl --bucket BUCKETNAME --generate-cli-skeleton
And here is the output:
{
"ACL": "",
"AccessControlPolicy": {
"Grants": [
{
"Grantee": {
"DisplayName": "",
"EmailAddress": "",
"ID": "",
"Type": "",
"URI": ""
},
"Permission": ""
}
],
"Owner": {
"DisplayName": "",
"ID": ""
}
},
"Bucket": "",
"ContentMD5": "",
"GrantFullControl": "",
"GrantRead": "",
"GrantReadACP": "",
"GrantWrite": "",
"GrantWriteACP": ""
}
For anyone who's still looking to do this - OP probably looked at the right AWS doc but overlooked the right command. I'm just glad I got to the right command because of this Stack Overflow page :)
https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-acl.html
^^ The JSON syntax with an example is present there; instead of --cli-input-json, use --access-control-policy
{
"Grants": [
{
"Grantee": {
"DisplayName": "string",
"EmailAddress": "string",
"ID": "string",
"Type": "CanonicalUser"|"AmazonCustomerByEmail"|"Group",
"URI": "string"
},
"Permission": "FULL_CONTROL"|"WRITE"|"WRITE_ACP"|"READ"|"READ_ACP"
}
...
],
"Owner": {
"DisplayName": "string",
"ID": "string"
}
}
I had the policy as a json file and used this command it worked just fine.
aws s3api put-bucket-acl --bucket bucketname --access-control-policy file://yourJson.json
Also one more thing to note is that I wasn't able to add permissions along with existing ones, old acl was being overwritten. So any permission you want to add needs to be in json policy file along with existing policy. It will be easier when you use some command to describe all the ACLs first.
The syntax is the following (with example):
aws s3api put-bucket-acl --bucket bucket_name --access-control-policy file://grant.json
grant.json file:
{
"Grants": [
{
"Grantee": {
"ID": "CANONICAL_ID_TO_GRANT",
"Type": "CanonicalUser"
},
"Permission": "WRITE"
},
{
"Grantee": {
"ID": "CANONICAL_ID_TO_GRANT",
"Type": "CanonicalUser"
},
"Permission": "READ"
}
],
"Owner": {
"DisplayName": "example_owner",
"ID": "CANONICAL_ID_OWNER"
}
}
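The support recipe above (fetch the object ACL as account A, fold in the bucket owner from B's bucket ACL, put the result back as A) and the warning that put-object-acl replaces the whole ACL both come down to building one AccessControlPolicy document correctly. The added example below (my code, not AWS's and not from the thread) does that: it keeps every existing grant, adds FULL_CONTROL for the bucket owner's canonical ID, keeps the Owner block exactly as get-object-acl returned it, and emits only the Grants and Owner keys that --access-control-policy accepts. The two ACL documents are constructed samples of the CLI output; canonical IDs and display names are placeholders, and the bucket is assumed to still use ACLs (Object Ownership not set to "bucket owner enforced").

```python
"""Build the --access-control-policy document from get-object-acl and get-bucket-acl output
(added example). Canonical IDs, names and the file name are constructed placeholders."""
import copy
import json

# Constructed sample of `aws s3api get-object-acl` run as IAM_User_A: A uploaded the object,
# so A is still its owner and the only grantee.
OBJECT_ACL_A = {
    "Owner": {"DisplayName": "account_A", "ID": "a" * 64},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "DisplayName": "account_A", "ID": "a" * 64},
         "Permission": "FULL_CONTROL"}
    ],
}

# Constructed sample of `aws s3api get-bucket-acl` run as IAM_User_B for the bucket in B.
BUCKET_ACL_B = {
    "Owner": {"DisplayName": "account_B", "ID": "b" * 64},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "DisplayName": "account_B", "ID": "b" * 64},
         "Permission": "FULL_CONTROL"}
    ],
}


def _same_grant(g1: dict, g2: dict) -> bool:
    """Two grants are the same if permission and grantee (by ID or group URI) agree."""
    return (g1["Permission"] == g2["Permission"]
            and g1["Grantee"].get("ID") == g2["Grantee"].get("ID")
            and g1["Grantee"].get("URI") == g2["Grantee"].get("URI"))


def grant_bucket_owner_full_control(object_acl: dict, bucket_acl: dict) -> dict:
    """Return an AccessControlPolicy with the existing grants plus FULL_CONTROL for the bucket owner.

    put-object-acl replaces the ACL, so existing grants are copied, not merged on the service side.
    Only Owner and Grants are emitted: extra top-level keys the CLI prints are dropped.
    """
    owner = bucket_acl["Owner"]
    acp = {
        "Owner": copy.deepcopy(object_acl["Owner"]),   # the uploading account stays the owner
        "Grants": copy.deepcopy(object_acl["Grants"]),
    }
    new_grant = {"Grantee": {"Type": "CanonicalUser", "ID": owner["ID"]},
                 "Permission": "FULL_CONTROL"}
    if "DisplayName" in owner:
        new_grant["Grantee"]["DisplayName"] = owner["DisplayName"]
    if not any(_same_grant(g, new_grant) for g in acp["Grants"]):  # idempotent on re-runs
        acp["Grants"].append(new_grant)
    return acp


def write_acp(acp: dict, path: str) -> None:
    """Write the document for `--access-control-policy file://<path>`."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(acp, fh, indent=2)


if __name__ == "__main__":
    doc = grant_bucket_owner_full_control(OBJECT_ACL_A, BUCKET_ACL_B)
    write_acp(doc, "A_to_B.json")  # hypothetical file name, matching the recipe above
    print(json.dumps(doc, indent=2))
```

Run the put-object-acl command from the recipe with A's profile against the written file, once per key. Granting FULL_CONTROL does not transfer ownership: the object owner stays the account that uploaded it until the bucket owner copies the object onto itself. Setting Object Ownership to "bucket owner enforced" disables ACLs and makes the bucket owner own every new object, which removes the need for this dance going forward.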