Partial IAM account settings for S3, do not get accepted

triplejaimy

Hi,

I wanted to setup the plugin to allow only access to a specific bucket (and even a specific subset of that bucket).
This does not seem to be possible with the plugin as it complains about the permissions being invalid.
The documentation nontheless states that access to specific resources can be set within the IAM role, but this simply does not work.

Only setting resource to "*" and actions to: "s3:*" gets the IAM credentials accepted.
Any suggestions on how to resolve this?

Regards,
Jaimy

saguaros

Hi Jaimy,

Could you share the credentials of your site and the bucket so I can replicate the same error?

triplejaimy

saguaros
Hi Saguaros, you could replicate it by setting the resource to the bucketARN and bucketARN/* for the "s3:*" permissions.
I cannot share my site credentials as it is firewalled, also I cannot share any Bucket Creds because of an NDA.
Wait, I will post my complete IAM to bucket permission on which it fails.

triplejaimy

Hi Saguaros,

The Permission I set is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FullAccess",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucketname/*",
                "arn:aws:s3:::bucketname"
            ]
        }
    ]
}

Which is even more then I started with, which was with: only s3:Get* and s3:Put* and s3:DeleteObject to avoid deleting the bucket, etc.

The error I get is: Error The Amazon Webservice Account that you provided is incorrect. Please check it again!
Hope this helps, please let me know.

saguaros

triplejaimy Let me check with our developer if it's possible to access that specific bucket.