Creating An Amazon IAM User Who Can Access A Single S3 Bucket
2011-03-26 16:53:47 by Andrew Hitchcock

This article will show how to create an AWS IAM user, grant them access to a single bucket, and allow them to access that bucket using the AWS Management Console.

I have a friend who is trying to start a small website using Amazon S3's new static website feature. Since their site is likely to be a rounding error on my AWS bill, I offered to host it and spare them the hassle of setting up an AWS account and learning how to use everything. I wanted to give them access to a single bucket under my AWS account and nothing else. AWS IAM fits this use case perfectly, but it can be a little tricky to set up. Since it took me a few hours to get everything working, I thought I'd document this for myself and others to benefit from in the future.

Tooling

Since IAM doesn't have a Console page, you'll need to use their command line tools. After downloading the tools there are a few steps you need to perform to set them up. First, copy aws-credential.template to aws-credential and fill it out with your account keys. The tools also require some environment variables. Since I'm on a Mac, I added the following lines to my .bash_profile:

export AWS_IAM_HOME=/Users/Andrew/Downloads/IAMCli-1.2.0
export PATH=$PATH:$AWS_IAM_HOME/bin
export AWS_CREDENTIAL_FILE=$AWS_IAM_HOME/aws-credential

Source your bash profile and you should have access to all the IAM tools.

$ source ~/.bash_profile

Create User

Now that our tooling is ready we can start setting everything up. First I created an S3 bucket for my friend using the AWS Management Console. Then I created a user with the IAM tools.

$ iam-usercreate -u username

Since they will only be accessing S3 using the Console they didn't require a keypair. If they want to use other tools such as S3 Firefox Organizer or s3cmd you can add a -k to that command and a keypair will be created.

Create and Grant Policy

Next we have to create an IAM policy and grant its permissions to the user. I used the AWS Policy Generator to get a sample policy that was similar to what I wanted and then edited it until it fit my needs. You can go this route if you want custom settings, but if you only need to grant a user permission to a single bucket you can just copy mine.

{
  "Statement": [
    {
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]
    }
  ]
}

The only thing you need to change here is the name of the bucket. Replace all occurrences of my-bucket with the actual name of the bucket you created. The policy states that the user can list all buckets (necessary to use the AWS Console) and they have full permission to their own bucket.
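Before uploading the policy it is worth checking that it grants exactly what the paragraph above says and nothing more. The following is an added example, not code from the original post or from AWS: a small allow-only policy evaluator that models just the parts of IAM evaluation this policy relies on (implicit deny, Allow statements, and * wildcards in Action and Resource; explicit Deny, Conditions and NotAction are not modelled). The function names, the bucket name check and the sample bucket names are my own.

```python
"""Added example: check what the single-bucket policy grants before uploading it.

Simplified allow-only evaluator written for this post. It is not an AWS
library; it models implicit deny, Allow statements and '*' / '?' wildcards
in Action and Resource, which is all the policy above uses.
"""
import fnmatch
import json
import re

# Conservative DNS-style bucket name check (assumption: lowercase, digits, dots,
# hyphens). Its real job is to reject '*' and '?', because a wildcard in the
# bucket name would silently widen the grant to every bucket sharing the prefix.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def bucket_name_is_safe(bucket: str) -> bool:
    return _BUCKET_RE.match(bucket) is not None


def single_bucket_policy(bucket: str) -> dict:
    """The policy from the post with my-bucket replaced by `bucket`."""
    if not bucket_name_is_safe(bucket):
        raise ValueError(f"refusing to build a policy for bucket name {bucket!r}")
    return {
        "Statement": [
            {   # lets the Console draw the bucket list
                "Action": ["s3:ListAllMyBuckets"],
                "Effect": "Allow",
                "Resource": "arn:aws:s3:::*",
            },
            {   # full access, but only to this bucket and the keys inside it
                "Action": "s3:*",
                "Effect": "Allow",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            },
        ]
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True only if some Allow statement matches both the action and the resource.

    Actions are matched case-insensitively and resource ARNs case-sensitively,
    as IAM does; anything left unmatched is denied by default.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                        for p in _as_list(stmt["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(resource, p)
                          for p in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


def least_privilege_report(policy: dict, bucket: str, other_bucket: str) -> dict:
    """Probe the policy with the requests the post cares about."""
    return {
        "can_list_buckets": is_allowed(policy, "s3:ListAllMyBuckets", f"arn:aws:s3:::{other_bucket}"),
        "can_read_own_object": is_allowed(policy, "s3:GetObject", f"arn:aws:s3:::{bucket}/index.html"),
        "can_list_own_bucket": is_allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}"),
        "can_read_other_object": is_allowed(policy, "s3:GetObject", f"arn:aws:s3:::{other_bucket}/index.html"),
        "can_touch_iam": is_allowed(policy, "iam:ListUsers", "*"),
    }


if __name__ == "__main__":
    policy = single_bucket_policy("my-bucket")          # constructed sample name
    with open("policy.json", "w") as fh:                # the file iam-useruploadpolicy -f expects
        json.dump(policy, fh, indent=2)
    for key, value in least_privilege_report(policy, "my-bucket", "my-bucket-2").items():
        print(f"{key:24} {value}")
```

Running it writes policy.json and prints a report showing the user can list bucket names and work inside my-bucket, but cannot read objects in my-bucket-2 or call any IAM action. The second bucket is deliberately named with the first as a prefix: the ARNs in the policy end in the bucket name or in "/*", so the prefix does not leak, whereas a resource like "arn:aws:s3:::my-bucket*" would match my-bucket-2 as well, which is why the bucket name check rejects wildcards.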

Save your JSON policy to a file and then issue this command to grant permissions:

$ iam-useruploadpolicy -u username -f policy.json -p usernames3

There are three arguments here. First is the username, obviously. The second is the path of the file where you saved your policy. Finally you have to give the policy a name. I named the policy after the user and appended "s3".

Accessing the AWS Console

In order to let the user access the console you'll need to create a password for them. Run this command, substituting in the appropriate username and password.

$ iam-useraddloginprofile -u username -p password

If you need to change the password at a later time you can use the command iam-usermodloginprofile. If you delete and then re-add the profile you'll have to wait a while for the changes to propagate, so prefer the modify command instead.

Now that you've created the user, they can log in using a special URL. In order to access the S3 console, you can use the following URL:

https://012345678901.signin.aws.amazon.com/console/s3

You'll need to replace the number with your account number. The account number is found at the top right of your account credentials page. Remove all hyphens for it to work. Another gotcha: you can't have a trailing slash at the end of the URL or it won't work.

Now give your new user the special URL and they should be able to log in to the AWS Management Console. They'll be able to see a list of all buckets for your account, but they'll only be able to access or modify the one you gave them permission to.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License.