IT in Education

Allowing multiple users access to a bucket

You might wish to have a bucket where multiple users can each store objects in a directory named after their username. This article describes a method for achieving this using a bucket called myschool, with a directory called home, that will contain one directory per username.


Buckets, Groups and Users

To complete this task you will need to do the following:

  1. Create an S3 bucket called myschool.
  2. Create a user group called staff.
  3. Create some users, and make them members of the staff group.

After you've created the policy below, you'll need to attach it to the group called staff.

myschool-HomeDirectories

Now we can create a policy called myschool-HomeDirectories that will allow the required granular access. Note that you will need to replace the bucket name (myschool) in each Resource entry below with the name of your own bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToSeeBucketListInTheConsole",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "AllowRootAndHomeListingOfSchoolBucket",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::myschool"
      ],
      "Condition": {
        "StringEquals": {
          "s3:prefix": [
            "",
            "home/"
          ],
          "s3:delimiter": [
            "/"
          ]
        }
      }
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::myschool"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "home/${aws:username}/*"
          ]
        }
      }
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::myschool/home/${aws:username}/*"
      ]
    }
  ]
}

Group policy

This policy can then be attached to the group called staff, so that every user in the group will be able to access only the folder matching their own username. Two things to keep in mind: ${aws:username} is the IAM user name, so the user folder statements only match requests signed with an IAM user's own credentials (for a role or federated session the variable is not set and those statements grant nothing), and s3:* inside the user folder covers every object action, including deletion, so narrow the action list if your users should not be able to delete their own files.
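To see which requests the policy above actually permits before attaching it, here is an added offline evaluator (example code written for this article, not part of the original post or of any AWS tool). It embeds a constructed copy of the myschool-HomeDirectories policy, models IAM's StringEquals/StringLike matching and ${aws:username} substitution, and reports whether a given user, action, resource and request context would be allowed; it treats an unresolvable ${aws:username} (no IAM user) as matching nothing, and a missing context key as failing the condition.

```python
import re
# Constructed copy of the page's myschool-HomeDirectories policy (Resource normalised to lists).
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowUserToSeeBucketListInTheConsole", "Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"], "Resource": ["*"]},
    {"Sid": "AllowRootAndHomeListingOfSchoolBucket", "Effect": "Allow",
     "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::myschool"],
     "Condition": {"StringEquals": {"s3:prefix": ["", "home/"], "s3:delimiter": ["/"]}}},
    {"Sid": "AllowListingOfUserFolder", "Effect": "Allow",
     "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::myschool"],
     "Condition": {"StringLike": {"s3:prefix": ["home/${aws:username}/*"]}}},
    {"Sid": "AllowAllS3ActionsInUserFolder", "Effect": "Allow", "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::myschool/home/${aws:username}/*"]},
]}

def _expand(text, username):
    # ${aws:username} only resolves for an IAM user; unresolved, the element matches nothing.
    if "${aws:username}" in text and not username:
        return None
    return text.replace("${aws:username}", username)

def _like(pattern, value):
    # IAM wildcard match: '*' is any run of characters, '?' a single character.
    if pattern is None:
        return False
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _condition_holds(condition, ctx, username):
    # Every operator/key pair must hold; a request context key that is absent fails the test.
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            value = ctx.get(key)
            if value is None:
                return False
            patterns = [_expand(p, username) for p in patterns]
            if operator == "StringEquals" and value not in patterns:
                return False
            if operator == "StringLike" and not any(_like(p, value) for p in patterns):
                return False
    return True

def is_allowed(username, action, resource, ctx=None):
    # Allow if any statement matches action, resource and conditions (the policy has no Deny).
    ctx = ctx or {}
    for stmt in POLICY["Statement"]:
        actions_ok = any(_like(a.lower(), action.lower()) for a in stmt["Action"])
        resources_ok = any(_like(_expand(r, username), resource) for r in stmt["Resource"])
        if actions_ok and resources_ok and _condition_holds(stmt.get("Condition", {}), ctx, username):
            return True
    return False
```

For example, is_allowed("alice", "s3:ListBucket", "arn:aws:s3:::myschool", {"s3:prefix": "home/bob/"}) returns False, while the same call with prefix "home/alice/" returns True; listing "home/" without a delimiter is also refused, which is what the StringEquals block on s3:delimiter enforces.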


Thanks for visiting,
Steven