
I have a permission set created in AWS, and I am creating an INLINE policy where I want to give access to a specific bucket.

When I try the policy below it works fine, which is not what I want. However, when I restrict the resource to a bucket ARN such as arn:aws:s3:::bucket_name or arn:aws:s3:::*data*,
it shows me an insufficient-privilege error and I am not able to access the bucket.

    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

The policy I am using, which is not working:

    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::data*",
                "arn:aws:s3:::data*/*"
            ]
        }
    ]
}
}

2

Answers


  1. The policy should be:

        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::BUCKET-NAME",
                    "arn:aws:s3:::BUCKET-NAME/*"
                ]
            }
        ]
    }
    }
    
  2. Here is what I do, in summary:

    Create the permission set, create the inline policy, then attach the policy to the permission set.

    resource "aws_ssoadmin_permission_set" "permset" {
      # The IAM Identity Center permission set that the inline policy below is attached to.
      instance_arn     = tolist(data.aws_ssoadmin_instances.instance.arns)[0]
      name             = "name"
      description      = ""
      # Maximum session length as an ISO 8601 duration (10 hours here).
      session_duration = "PT10H"
    }
    
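    data "aws_iam_policy_document" "policyname" {
      # Renders the JSON policy that is attached to the permission set below.
      statement {
        sid    = "s3actions"
        effect = "Allow"
        # Both `actions` and `resources` are lists in aws_iam_policy_document.
        # The original used a bare string for `actions` and a JSON-style
        # "Resource": key, neither of which HCL accepts.
        actions = ["s3:*"]
        resources = [
          "arn:aws:s3:::data*",   # buckets whose name starts with "data"
          "arn:aws:s3:::data*/*", # objects inside those buckets
        ]
        # NOTE(review): s3:* on these ARNs also allows bucket-policy and ACL
        # changes; consider narrowing to the actions actually needed.
        # Listing all buckets (s3:ListAllMyBuckets) is evaluated against
        # resource "*", so a console user may still need that in a separate,
        # narrowly scoped statement.
      }
    }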
    
    resource "aws_ssoadmin_permission_set_inline_policy" "policyattach" {
      # Attaches the rendered policy document to the permission set defined above.
      inline_policy      = data.aws_iam_policy_document.policyname.json
      permission_set_arn = aws_ssoadmin_permission_set.permset.arn
      instance_arn       = tolist(data.aws_ssoadmin_instances.instance.arns)[0]
    }
    

    I hope this works for you.
