As found in AWS guide:
http://docs.amazonwebservices.c...erGuide/UsingWithS3.html

my attempt to follow Example 2:

was unsuccesful.

The "s3:prefix" key is not available in the Edit Condition key list in IAM Manager. Can it be made available?

I tried entering a string like in Example 2 with "s3:prefix" in the Policy Script tab in the Edit Policy window (similar to the aws:Referer key) , and it seemed to take (i.e. it saved and was maintained after refreshing and reopening IAM Manager). However, I get an Access Denied error when trying to view the folder in the bucket. (Everything works fine when I remove the condition, I'm just trying to hide folder inside a bucket.)

Is the "s3:prefix" policy condition key something I can use via Cloudberry S3 Pro IAM Manager?

Thanks,
M

Thanks for the reply.

My setup matches your instructions below, and behaves as you say.

I think what I was trying to do was to allow the user to see their home folder when they first run Cloudberry Explorer and it opens at the root, then they could just double-click to open the folder without having to enter the path. But I couldn't get that to work while also preventing them from seeing (and even opening) other users' home folders. But it does work when they enter the path to their home folder--just a little less intuitive for first-time users--nothing a little instruction from me won't fix. I can certainly live with that.

Thanks,
M

Hi Juli,
I have just started working with CloudBerry pro and had the same problem where I could not list "Conditions" with "S3:Prefix". Anyhow, I followed your advice and created a policy for an IAM user where I would like him to only access one folder. The problem I am having is that once the user is inside the bucket he can access all the folders. I have managed to restrict his access to only one Bucket but I am unable to do that at the folder level. My policy looks like:
{
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*",
"Condition": {}
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::a-test",
"Condition": {
"StringLike": {
"s3:prefix": "Test/*"
}
}
}
]
}

Hi Juli,
I already had added that statement in my policy but I am still able to access other folders inside my bucket. Let me explain you the structure of my bucket. I have a bucket named "a-test". I have two folders inside it "test" and "Live". Inside these folders I have HTML files and related images. I also have a IAM policy attached to an IAM user called "Test User". Here is the complete policy:
{
"Statement": [
{
"Effect": "Allow",
"Action": "sts:GetFederationToken*",
"Resource": "*",
"Condition": {}
},
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*",
"Condition": {}
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Resource": "arn:aws:s3:::finpa-test",
"Condition": {
"StringLike": {
"s3:prefix": "test/*"
}
}
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::finpa-test/test/*",
"Condition": {}
}
]
}
Now, when I log in to CloudBerry Explorer pro And I change the user to "TestUser". I get all the buckets under my account. Although I can only access "a-test" which is fine because thats what I want. Once I click on it I see two folders "test" and "live". When I click on "test", I see my HTMl files and Images, I can
click on them and they open up in browser. That is again what I want. But if I click on "live" I see the HTML files and Images inside it and if I click on them they open up too. I don't want that. Also, if I try to access it from my code in c# I can do that.

GetPreSignedUrlRequest request =
new GetPreSignedUrlRequest().WithBucketName(bucketName)
.WithKey("live/notebook.htm");
// .WithKey("test/content.htm");
request.WithExpires(DateTime.Now.Add(new TimeSpan(0, 0, 0, 50)));
string url = S3.GetPreSignedURL(request);
this.Iframe2.Attributes.Add("src", url);

So if the user knows the key of the object he can access any files inside the folder. Is there a way to stop this.?

Kind Regards
Abhi