amazon web services - AWS s3:ListBucket action results in access denied using conditional StringLike statement on s3:prefix -

-

i have items in "folder" in s3 bucket. "path" file contains identity id of user uploaded file , appears in s3 managment console "all buckets/[my_bucket]/us-east-1:080ffd35-c00e-4e33-877f-3ec57be4b128" have iam policy attached cognito authenticated users includes following conditional statement:

"condition": {             "stringlike": {                 "s3:prefix": [                     "us-east-1:080ffd35-c00e-4e33-877f-3ec57be4b128/*"                 ]             }         }

i've hard-coded in identity id troubleshooting step since wasn't sure if "${cognito-identity.amazonaws.com:sub}" contained correct string. specific identity id encoded, still not work , receive access denied error when trying list contents of bucket. correct in thinking stringlike looks given string inside prefix? there else i'm missing?

i've included full iam policy below:

{ "version": "2012-10-17", "statement": [     {         "effect": "allow",         "action": [             "s3:listbucket"         ],         "resource": [             "arn:aws:s3:::[my_bucket]"         ],         "condition": {             "stringlike": {                 "s3:prefix": [                     "us-east-1:080ffd35-c00e-4e33-877f-3ec57be4b128/*"                 ]             }         }     },     {         "effect": "allow",         "action": [             "s3:getobject",             "s3:putobject",             "s3:putobjectacl",             "s3:getobjectacl"         ],         "resource": [             "arn:aws:s3:::[my_bucket]/${cognito-identity.amazonaws.com:sub}*",             "arn:aws:s3:::[my_bucket]/${cognito-identity.amazonaws.com:sub}/*"         ]     } ]

}

does s3 bucket require specific permissions settings on s3 management console make work , prevent access denied error when trying list contents of bucket?

additional edit:

  1. a couple of questions wasn't able figure out document. there requirement bucket have policy? don't see in documentation's examples specify bucket needs policy itself.
  2. does bucket's permissions matter? once again, didn't see specified in iam policy documentation.

list bucket can't narrowed specific prefix that. list- bucket operation done on bucket condition , resource must valid bucket. i.e. prefix condition doesn't match valid on objects in bucket not bucket itself.

in same way can't limit list buckets list buckets because action done on service.

this poorly described in docs: http://docs.aws.amazon.com/amazons3/latest/dev/using-with-s3-actions.html#using-with-s3-actions-related-to-buckets


Comments

Post a Comment

Popular posts from this blog

php - How to display all orders for a single product showing the most recent first? Woocommerce -

-
i have password protected page on frontend. on page, want display full list of purchases associated single woocommerce product id. option 1: i've looked through woocommerce docs , , found: wc_cli_order , list_( $args, $assoc_args ) function lists orders. presumably, orders can filtered product id [--=] filter orders based on order property. line item fields (numeric array, started index zero): line_items.0.product_id option 2: i found article , based on customer id. i've modified code based on guesses meta_key , meta_value. $customer_orders = get_posts( array( 'numberposts' => -1, 'meta_key' => '_product', 'meta_value' => get_product_id(), 'post_type' => wc_get_order_types(), 'post_status' => array_keys( wc_get_order_statuses() ), ) ); how display orders single product showing recent order first? here solution put based on these articles: http://www.w...
Read more

asp.net - How to correctly use QUERY_STRING in ISAPI rewrite? -

-
i'm having difficult time , hope guys can help. using helicon isapi rewrite version 3.1.0.104 on our iis server. edit http.conf file , have tried , still fail. this trying do: redirect url: https://www.domain.com/switch-by-version?version=2.8.5.2594 to: https://test.domain.com/load/load.aspx?tver=2.8.5.2594 the version number @ end source url change, , need target url have same version number @ end of url example above shows. i tried following not work: rewritecond %{query_string} ^version=(\d\d?)\.(\d\d?)\.(\d\d?)\.(.*)$ [nc] rewriterule ^/switch-by-version(.*)$ https://test.domain.com/load/load.aspx?tver=%1 [r=307,nc,l] any appreciated! thanks. if it's running in equivalent context of .htaccess , rule shouldn't start / . here's simpler version: rewritecond %{query_string} ^version=(\d+\.\d+\.\d+(?:\..+)?)$ [nc] rewriterule ^switch-by-version/?$ https://test.domain.com/load/load.aspx?tver=%1 [r=307,nc,l]
Read more

angularjs - How restrict admin panel using in backend laravel and admin panel on angular? -

-
https://scotch.io/tutorials/token-based-authentication-for-angularjs-and-laravel-apps following tutorials, try write authentication restrict admin panel, didn't understood how can that. this admin panel, admin panel don't want show , request database unauthenticated users. my laravel-routes route::get('/admin',function(){ return view('index'); }); route::get('/api/v1/employees/{id?}', 'employees@index'); route::get('/api/v1/users/{id?}', 'employees@users'); route::post('/api/v1/employees', 'employees@store'); route::post('/api/v1/employees/{id}', 'employees@update'); route::delete('/api/v1/employees/{id}', 'employees@destroy'); route::group(['prefix' => 'api'], function() { route::resource('authenticate', 'authenticatecontroller', ['only' => ['index']]); route::post('authenticate', 'authentic...
Read more