{"id":108,"date":"2016-05-07T18:45:00","date_gmt":"2016-05-07T14:45:00","guid":{"rendered":"http:\/\/yohoho.msp360.com\/?p=108"},"modified":"2021-06-09T14:19:52","modified_gmt":"2021-06-09T10:19:52","slug":"how-to-give-user-access-to-an-s3-folder","status":"publish","type":"post","link":"https:\/\/www.msp360.com\/resources\/blog\/how-to-give-user-access-to-an-s3-folder\/","title":{"rendered":"How to Give Access to an Amazon S3 Folder to a User with CloudBerry Explorer"},"content":{"rendered":"<p>In this blog post, we will demonstrate how to grant users access to a specific folder in a bucket.<br \/>\n<!--more--><\/p>\n<p>First, you need to create an IAM user and assign a policy that will allow the user to access a specific bucket and folder:<\/p>\n<p><span class=\"further-reading \">Further reading<\/span>\u00a0<a href=\"https:\/\/www.msp360.com\/resources\/blog\/how-to-create-subaccounts-and-share-buckets-using-iam\/\">How to Create IAM Users and Assign Policies<\/a><\/p>\n<p>As an example, we will grant one specific user access to the bucket named <strong>cloudberry.public<\/strong> and the \u201c<strong>images<\/strong>\u201d folder inside it.<\/p>\n<h2>Allow Required Amazon S3 Permissions<\/h2>\n<p>First of all, you need to grant the permissions that a client needs to browse Amazon S3 at all: <strong>ListAllMyBuckets<\/strong> and <strong>GetBucketLocation<\/strong>. 
If these two permissions are not granted, the user will get an \u201cAccess Denied\u201d error as soon as the console or CloudBerry Explorer tries to list the buckets, and so will never reach any object within the bucket.<\/p>\n<p>Policy required:<\/p>\n<p>{<br \/>\n\"Sid\": \"AllowUserToSeeBucketListInTheConsole\",<br \/>\n\"Action\": [\"s3:<strong>GetBucketLocation<\/strong>\", \"s3:<strong>ListAllMyBuckets<\/strong>\"],<br \/>\n\"Effect\": \"Allow\",<br \/>\n\"Resource\": [\"arn:aws:s3:::*\"]<br \/>\n}<\/p>\n<p><strong>ListAllMyBuckets<\/strong> grants the user permission to list all the buckets in the AWS account. It is required for navigating buckets via the Amazon S3 console and CloudBerry Explorer.<\/p>\n<p><strong>GetBucketLocation<\/strong> grants the user permission to look up the region a bucket is in; the Amazon S3 console and MSP360 S3 Explorer need it to route requests to the bucket.<\/p>\n<h2>Allow Listing Objects in the Root Folder<\/h2>\n<p>Our user should have access to only one folder, named \u201cimages\u201d, but the names of all the other folders in the bucket should still be visible to them. To let the user navigate the objects in the bucket, we need to grant additional permissions. These permissions allow the user to view the contents of the root of the bucket:<\/p>\n<p>{<br \/>\n\"Sid\": \"AllowRootAndHomeListingOfCompanyBucket\",<br \/>\n\"Action\": [\"s3:<strong>GetBucketLocation<\/strong>\", \"s3:<strong>ListBucket<\/strong>\"],<br \/>\n\"Effect\": \"Allow\",<br \/>\n\"Resource\": [\"arn:aws:s3:::<strong>cloudberry.public<\/strong>\"],<br \/>\n\"Condition\":{\"StringEquals\":{\"s3:prefix\":[\"\"],\"s3:delimiter\":[\"\/\"]}}<br \/>\n}<\/p>\n<p><strong>ListBucket<\/strong> allows listing the keys in the bucket; together with the condition, it determines which files and folders are visible to the user. Without the <strong>ListBucket<\/strong> permission, the user will get an access denied error each time they try to view the contents of the root of the bucket.<\/p>\n<p><strong>Note<\/strong>: the user will see the names of the root-level files and folders, but will not be able to view the contents of any folder except their own.<\/p>\n<p>The <strong>s3:prefix<\/strong> condition limits the listing to the given prefix; the empty string here means the root of the bucket.<\/p>\n<p>The <strong>s3:delimiter<\/strong> condition requires the listing request to use a slash as the folder delimiter, so the root listing returns folder names rather than every key in the bucket. It is not strictly necessary to specify a delimiter, but it is worth doing, as it keeps folders and subfolders created within the bucket in the future navigable as folders.<\/p>\n<h2>Allow Listing Objects in Images Folder<\/h2>\n<p>Now our users can view files and folders at the root of the bucket. 
We shall grant them access to all the objects in the folder and in any subfolders that might be created in the future. To do so, we specify the following policy:<\/p>\n<p>{<br \/>\n\"Sid\": \"AllowListingOfUserFolder\",<br \/>\n\"Action\": [\"s3:GetBucketLocation\", \"s3:ListBucket\"],<br \/>\n\"Effect\": \"Allow\",<br \/>\n\"Resource\": [\"arn:aws:s3:::<strong>cloudberry.public<\/strong>\"],<br \/>\n\"Condition\":{\"StringLike\":{\"s3:prefix\":[\"<strong>images\/*<\/strong>\"]}}<br \/>\n}<\/p>\n<h2>Allow All Amazon S3 Actions in Images Folder<\/h2>\n<p>Finally, we have to specify the actions that the user shall be able to take on objects within the folder. We shall allow all the actions (read, write, delete and so on) and limit them to just one folder, \u201cimages\u201d.<\/p>\n<p>{<br \/>\n\"Sid\": \"AllowAllS3ActionsInUserFolder\",<br \/>\n\"Effect\": \"Allow\",<br \/>\n\"Action\": [\"s3:*\"],<br \/>\n\"Resource\": [\"arn:aws:s3:::<strong>cloudberry.public\/images\/*<\/strong>\"]<br \/>\n}<\/p>\n<p>The \u201c<strong>Action<\/strong>\u201d element with \u201cs3:*\u201d specified allows the user to take all the Amazon S3 actions on the matching objects; note that this includes permission-changing actions such as s3:PutObjectAcl, so narrow the list if the user should only read and write data.<br \/>\nThe \u201c<strong>Resource<\/strong>\u201d element limits the allowed actions to objects under the one specified folder.<\/p>\n<p><strong>The whole policy<\/strong> for the user shall look like this:<\/p>\n<p>{<br \/>\n\"Version\": \"2012-10-17\",<br \/>\n\"Statement\": [<br \/>\n{<br \/>\n\"Sid\": \"AllowUserToSeeBucketListInTheConsole\",<br \/>\n\"Effect\": \"Allow\",<br \/>\n\"Action\": [<br \/>\n\"s3:GetBucketLocation\",<br \/>\n\"s3:ListAllMyBuckets\"<br \/>\n],<br \/>\n\"Resource\": \"arn:aws:s3:::*\"<br \/>\n},<br \/>\n{<br \/>\n\"Sid\": \"AllowRootAndHomeListingOfCompanyBucket\",<br \/>\n\"Effect\": \"Allow\",<br \/>\n\"Action\": [\"s3:ListBucket\", \"s3:GetBucketLocation\"],<br \/>\n\"Resource\": \"arn:aws:s3:::<strong>cloudberry.public<\/strong>\",<br \/>\n\"Condition\": {<br \/>\n\"StringEquals\": {<br \/>\n\"s3:prefix\": \"\",<br \/>\n\"s3:delimiter\": \"\/\"<br \/>\n}<br \/>\n}<br \/>\n},<br \/>\n{<br \/>\n\"Sid\": \"AllowListingOfUserFolder\",<br \/>\n\"Effect\": \"Allow\",<br \/>\n\"Action\": [\"s3:ListBucket\", \"s3:GetBucketLocation\"],<br \/>\n\"Resource\": \"arn:aws:s3:::<strong>cloudberry.public<\/strong>\",<br \/>\n\"Condition\": {<br \/>\n\"StringLike\": {<br \/>\n\"s3:prefix\": \"images\/*\"<br \/>\n}<br \/>\n}<br \/>\n},<br \/>\n{<br \/>\n\"Sid\": \"AllowAllS3ActionsInUserFolder\",<br \/>\n\"Effect\": \"Allow\",<br \/>\n\"Action\": \"s3:*\",<br \/>\n\"Resource\": \"arn:aws:s3:::<strong>cloudberry.public\/images\/*<\/strong>\"<br \/>\n}<br \/>\n]<br \/>\n}<\/p>\n<h2>Create an External Bucket with CloudBerry Explorer<\/h2>\n<p>Now, the user should <strong>create an External Bucket<\/strong>. Note that the user can use the CloudBerry Explorer freeware edition for this.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" style=\"border: 0px;\" title=\"image001\" src=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2011\/05\/image0015.png\" alt=\"S3 Policy Actions: Creating an External Bucket\" width=\"174\" height=\"83\" border=\"0\" \/><\/p>\n<p>Specifying the bucket and the path:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" style=\"border: 0px;\" title=\"image003\" src=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2011\/05\/image0033.png\" alt=\"S3 Policy Actions: Specifying Bucket and the Path\" width=\"455\" height=\"280\" border=\"0\" \/><\/p>\n<p>After that, they will be able to browse the contents of the folder and perform the file operations allowed by the policy.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" style=\"border: 0px;\" src=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2011\/05\/image0053.png\" alt=\"S3 Policy Actions: External Bucket Added\" width=\"572\" height=\"307\" border=\"0\" \/><\/p>\n<blockquote><p><strong>Note<\/strong>: this post applies to 
CloudBerry Explorer 2.7.5 and later.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>In this blog post, we will demonstrate how to grant users access to a specific folder in a bucket.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[877,898,882],"tags":[],"class_list":["post-108","post","type-post","status-publish","format-standard","hentry","category-blog-articles","category-msp360-explorer","category-msp360-news"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/108","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/comments?post=108"}],"version-history":[{"count":1,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/108\/revisions"}],"predecessor-version":[{"id":51266,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/108\/revisions\/51266"}],"wp:attachment":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media?parent=108"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/categories?post=108"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/tags?post=108"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}