Mick
#1 Posted : Sunday, October 31, 2010 8:57:00 PM(UTC)

As found in AWS guide:
http://docs.amazonwebservices.c...erGuide/UsingWithS3.html

my attempt to follow Example 2:
Code:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my_corporate_bucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": "home/bob/*"
        }
      }
    }
  ]
}

was unsuccessful.

The "s3:prefix" key is not available in the Edit Condition key list in IAM Manager. Can it be made available?

I tried entering a string like in Example 2 with "s3:prefix" in the Policy Script tab in the Edit Policy window (similar to the aws:Referer key), and it seemed to take (i.e. it saved and was maintained after refreshing and reopening IAM Manager). However, I get an Access Denied error when trying to view the folder in the bucket. (Everything works fine when I remove the condition, I'm just trying to hide a folder inside a bucket.)

Is the "s3:prefix" policy condition key something I can use via Cloudberry S3 Pro IAM Manager?

Thanks,
M
Juli
#2 Posted : Monday, November 01, 2010 9:22:20 AM(UTC)

Hi Mick,

In the Policy Designer we support the AWS-wide policy keys only. The "s3:prefix" is an action-specific policy key. In the future we will think of the best way to support action-specific keys in the Policy Designer.

Talking about the Example 2, please confirm if you followed the same steps:

In the Access Manager:
1. select your S3 account, create a new user to which you want to grant certain permissions
2. create a new policy for this user (use Policy Script tab):
Note: replace "bucket_name" and "folder_inside_bucket" with your settings.

Code:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucket_name",
      "Condition": {
        "StringLike": {
          "s3:prefix": "folder_inside_bucket/*"
        }
      }
    }
  ]
}

3. right-click on the user, choose Manage Access Keys
4. click Create, copy Access and Secret Keys to the Notepad, close the Security Credentials dialog

Go to CloudBerry Explorer main window:
1. choose File | Amazon S3 Accounts
2. add a new account with Access and Secret Keys associated with the created IAM user (from the Notepad)
3. select this account as a Source in any left or right pane
4. enter "bucket_name/folder_inside_bucket" manually instead of the "Root"

It should list the objects inside the folder.

Please let me know if it works for you.

Thanks,
Juli, CloudBerryLab Team

Mick
#3 Posted : Wednesday, November 03, 2010 10:31:19 PM(UTC)

Thanks for the reply.

My setup matches your instructions below, and behaves as you say.

I think what I was trying to do was to allow the user to see their home folder when they first run Cloudberry Explorer and it opens at the root, then they could just double-click to open the folder without having to enter the path. But I couldn't get that to work while also preventing them from seeing (and even opening) other users' home folders. But it does work when they enter the path to their home folder--just a little less intuitive for first-time users--nothing a little instruction from me won't fix. I can certainly live with that.

Thanks,
M
Juli
#4 Posted : Monday, November 08, 2010 11:25:31 AM(UTC)

Hi Mick,

There is no way to detect what folders are accessible for a certain user. So as you already said there are only two ways:

1. Give users a permission to list the bucket content so that users can see all folders but access only the folders they are allowed.
or
2. Enter the folder path manually.

Best regards,
Juli, CloudBerryLab Team
Abhi_aws
#5 Posted : Tuesday, May 15, 2012 10:06:52 AM(UTC)

Hi Juli,
I have just started working with CloudBerry pro and had the same problem where I could not list "Conditions" with "S3:Prefix". Anyhow, I followed your advice and created a policy for an IAM user where I would like him to only access one folder. The problem I am having is that once the user is inside the bucket he can access all the folders. I have managed to restrict his access to only one Bucket but I am unable to do that at the folder level. My policy looks like:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::a-test",
      "Condition": {
        "StringLike": {
          "s3:prefix": "Test/*"
        }
      }
    }
  ]
}
Juli
#6 Posted : Wednesday, May 16, 2012 1:48:56 AM(UTC)

Hi Abhi,

It seems you need one more statement for the policy, please check How to give User access to an S3 folder with CloudBerry Explorer:

{
  "Effect": "Allow",
  "Action": "s3:*",
  "Resource": "arn:aws:s3:::a-test/Test/",
  "Condition": {}
}

Let me know if it helped.

Thanks,
Juli, CloudBerryLab Team
Abhi_aws
#7 Posted : Wednesday, May 16, 2012 9:21:51 PM(UTC)

Hi Juli,
I had already added that statement in my policy but I am still able to access other folders inside my bucket. Let me explain the structure of my bucket. I have a bucket named "a-test". I have two folders inside it, "test" and "Live". Inside these folders I have HTML files and related images. I also have an IAM policy attached to an IAM user called "Test User". Here is the complete policy:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:GetFederationToken*",
      "Resource": "*",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Resource": "arn:aws:s3:::finpa-test",
      "Condition": {
        "StringLike": {
          "s3:prefix": "test/*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::finpa-test/test/*",
      "Condition": {}
    }
  ]
}
Now, when I log in to CloudBerry Explorer Pro and I change the user to "TestUser", I get all the buckets under my account. Although I can only access "a-test" which is fine because that's what I want. Once I click on it I see two folders "test" and "live". When I click on "test", I see my HTML files and images, I can click on them and they open up in browser. That is again what I want. But if I click on "live" I see the HTML files and images inside it and if I click on them they open up too. I don't want that. Also, if I try to access it from my code in C# I can do that.

// Build a pre-signed GET URL for one object key.
GetPreSignedUrlRequest request =
    new GetPreSignedUrlRequest().WithBucketName(bucketName)
                                .WithKey("live/notebook.htm");
                                // .WithKey("test/content.htm");
// The URL expires 50 seconds from now.
request.WithExpires(DateTime.Now.Add(new TimeSpan(0, 0, 0, 50)));
string url = S3.GetPreSignedURL(request);
// Load the pre-signed URL into the page's iframe.
this.Iframe2.Attributes.Add("src", url);

So if the user knows the key of the object he can access any files inside the folder. Is there a way to stop this?

Kind Regards
Abhi
Abhi_aws
#8 Posted : Thursday, May 17, 2012 12:40:21 AM(UTC)

I finally got it working. Although I think there is a bug in AWS management console or at least it seems like one. The problem is my policy was right all along the way but it behaved differently when I accessed it through AWS management console than software like CloudBerry. One thing I had to modify was ACL settings for objects and buckets. That too would have been done earlier had the AWS console worked properly. Anyways here is my policy:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Resource": "arn:aws:s3:::pa-test",
      "Condition": {
        "StringLike": {
          "s3:prefix": "test/*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::pa-test/test/*",
      "Condition": {}
    }
  ]
}

1) The problem is when I access management console for this IAM user through AWS console I get access denied when I click on my bucket although when I log in through CloudBerry I can see my folders.
2) I had to modify the ACL settings for my bucket and objects (folders) for my bucket:
Owner : Full Control
Authenticated Users : Readonly

For my folders:
Owner : Full Control

Now the issue is that you cannot set ACL settings for folders (object) in AWS console. You can set them for files (object). For example if you right click on a folder (object) inside a bucket and then click properties it won't show you a permissions tab. But if you right click on a bucket or a file (say test.html) and click properties it will show you a permissions tab. I am not sure if someone else has noticed this issue. Anyways that is my script and it's working now.
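
Added example (not part of the original thread, and not AWS or CloudBerry code): a simplified Python model of how the policy from post #8 is evaluated, showing why a listing of the bucket root is refused while a listing under test/ succeeds, and that object access is decided by the Resource ARN rather than by s3:prefix. The helper names (like, is_allowed, list_prefix, get_object) and the sample requests are constructed for illustration; only Allow statements and StringLike conditions are modelled.

```python
import re

# Policy from post #8 (bucket and prefix names as posted there).
POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets",
     "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:ListBucketVersions"],
     "Resource": "arn:aws:s3:::pa-test",
     "Condition": {"StringLike": {"s3:prefix": "test/*"}}},
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": "arn:aws:s3:::pa-test/test/*"},
]}

def like(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    return re.fullmatch(rx, value, flags) is not None

def as_list(x):
    return x if isinstance(x, list) else [x]

def is_allowed(policy, action, resource, context=None):
    """Simplified model: Allow statements and StringLike conditions only.
    No explicit Deny, ACLs or bucket policies; anything unmatched is denied."""
    context = context or {}
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if not any(like(a, action, ignore_case=True) for a in as_list(st["Action"])):
            continue
        if not any(like(r, resource) for r in as_list(st["Resource"])):
            continue
        conds = st.get("Condition", {}).get("StringLike", {})
        # A condition key that is missing from the request does not match.
        if all(k in context and any(like(p, context[k]) for p in as_list(v))
               for k, v in conds.items()):
            return True
    return False

BUCKET = "arn:aws:s3:::pa-test"

def list_prefix(prefix):
    """ListBucket on the bucket with this prefix parameter (constructed request)."""
    return is_allowed(POLICY, "s3:ListBucket", BUCKET, {"s3:prefix": prefix})

def get_object(key):
    """GetObject on a single key (constructed request)."""
    return is_allowed(POLICY, "s3:GetObject", BUCKET + "/" + key)
```

In this model list_prefix("") is refused, which corresponds to the client opening the bucket at its root, and get_object("live/notebook.htm") is refused because no statement's Resource covers that key.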