AWS S3 Bucket Policy - Principle Syntax
Right now I have my policy defined on my S3 bucket, but it seems like the principals I have defined are root, and someone under an account who isn't root isn't falling into the allow part of the policy:

    "Principal": {
        "AWS": [
            "arn:aws:iam::123:root",
            "arn:aws:iam::456:root",
            "arn:aws:iam::789:root",
            "arn:aws:iam::101:root"
        ]
    },

I tried to specify it as

    "arn:aws:iam::123:*"

but that doesn't work.

I also tried arn:aws:iam::123:user/sample@yahoo.com, but that too doesn't seem to be correct, as it fails with "Invalid principal in policy".
  • To whom do you wish to grant access -- do you want to grant it to all users in several different AWS accounts?

    – John Rotenstein
    Mar 28 at 23:49
amazon-web-services amazon-s3
asked Mar 28 at 15:59
Tony
1 Answer
When granting cross-account permissions, you need both of:

  1. A bucket policy on Bucket-A in Account-A (as above)
  2. Permissions on the users in their own account to access Bucket-A (which can include wide permissions such as s3:*, but that's rarely a good idea)

Not only does the bucket need to permit access, but the users in the originating account must be granted permission to use S3 for the desired actions (e.g. s3:GetObject) on Bucket-A (or all buckets).

See: Bucket Owner Granting Cross-Account Bucket Permissions - Amazon Simple Storage Service
        answered Mar 28 at 23:51
John Rotenstein
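As an added illustration of the two-part requirement in the answer above (example code written for this page, not taken from the question, the answer or AWS documentation): a small Python model of cross-account S3 authorization. The account IDs, bucket name and user name are constructed placeholders, and the evaluator is deliberately simplified (Allow statements only; no Deny, no Condition keys, no ACLs, no Block Public Access settings), so it demonstrates the rule rather than reproducing AWS's full policy evaluation logic. It also shows why the question's `arn:aws:iam::123:root` form is the right one: a root principal in the bucket policy trusts the whole account, and the identity policy inside that account then decides which of its users actually get access.

```python
"""Added example (not from the Stack Overflow post): a minimal model of the
two-sided check behind cross-account S3 access. All IDs and names below are
constructed placeholders."""
import fnmatch

BUCKET_ACCOUNT = "111111111111"  # placeholder: Account-A, which owns Bucket-A
USER_ACCOUNT = "222222222222"    # placeholder: Account-B, whose users need access
BUCKET = "bucket-a"              # placeholder bucket name

# Bucket policy on Bucket-A (Account-A). Naming Account-B's root principal
# delegates trust to that account as a whole; which identities in Account-B may
# use that trust is decided by IAM policies in Account-B, not here.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAccountB",
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam::{USER_ACCOUNT}:root"]},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}

# Identity policy attached to the user or role in Account-B. Scoped to Bucket-A
# and two actions rather than s3:* on every bucket, as the answer recommends.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}


def account_of(principal_arn):
    # arn:aws:iam::<account-id>:<name>  ->  account id is the fifth field
    return principal_arn.split(":")[4]


def _matches(patterns, value):
    # IAM-style wildcard match ('*' and '?') against one or more patterns
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def bucket_policy_allows(policy, principal_arn, action, resource):
    """Simplified resource-policy check. A ':root' principal matches every
    identity in that account; any other ARN must match exactly."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt["Principal"].get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        principal_ok = any(
            p == principal_arn
            or (p.endswith(":root") and account_of(p) == account_of(principal_arn))
            for p in principals
        )
        if principal_ok and _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            return True
    return False


def identity_policy_allows(policy, action, resource):
    """Simplified identity-policy check for the caller's own account."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and _matches(stmt["Action"], action) \
                and _matches(stmt["Resource"], resource):
            return True
    return False


def cross_account_allowed(principal_arn, action, resource,
                          bucket_policy=BUCKET_POLICY, identity_policy=IDENTITY_POLICY):
    """Across accounts, BOTH the bucket owner's policy and the caller's identity
    policy must allow the request; either one alone is not enough."""
    return (bucket_policy_allows(bucket_policy, principal_arn, action, resource)
            and identity_policy_allows(identity_policy, action, resource))


if __name__ == "__main__":
    alice = f"arn:aws:iam::{USER_ACCOUNT}:user/alice"  # placeholder user in Account-B
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"
    print("GetObject with both policies:", cross_account_allowed(alice, "s3:GetObject", obj))
    print("GetObject with bucket policy only:",
          cross_account_allowed(alice, "s3:GetObject", obj,
                                identity_policy={"Version": "2012-10-17", "Statement": []}))
```

`cross_account_allowed` returns True only when both sides allow; emptying the identity policy flips the result even though the bucket policy is unchanged, which is the situation the question describes (root principals in the bucket policy, users in the other account still denied). A principal from an account that is not listed in the bucket policy is refused regardless of its own identity policy.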