{"id":138,"date":"2016-10-01T15:45:00","date_gmt":"2016-10-01T11:45:00","guid":{"rendered":"http:\/\/yohoho.msp360.com\/?p=138"},"modified":"2021-06-09T14:26:07","modified_gmt":"2021-06-09T10:26:07","slug":"how-to-create-subaccounts-and-share-buckets-using-iam","status":"publish","type":"post","link":"https:\/\/www.msp360.com\/resources\/blog\/how-to-create-subaccounts-and-share-buckets-using-iam\/","title":{"rendered":"How to Create Subaccounts and Share Buckets Using IAM and MSP360 Explorer for Amazon S3"},"content":{"rendered":"<p>Identity and Access Management (IAM) is a service that lets you create user accounts inside the master account and grant those accounts a set of permissions. MSP360 Explorer PRO comes with full support for the IAM service, and you can learn more about that in\u00a0<a href=\"https:\/\/www.msp360.com\/resources\/blog\/how-to-manage-amazon-identity-and-access-management-service-iam-with-explorer\/\">our previous blog post<\/a>.<\/p>\n<p>In this blog post, we will look into the very common scenario of creating a subaccount within the master account and granting it permissions to create a bucket. This might be useful if you, for instance, work with freelancers and want them to be able to work with the content in their own bucket.<br \/>\n<!--more--><\/p>\n<h2>Creating a Policy<\/h2>\n<p>Click Access Manager in the main menu to run the IAM management tool from within MSP360 Explorer: <img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" title=\"image001\" src=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2010\/10\/image001_thumbB1.png\" alt=\"How to create S3 Bucket Share-1\" width=\"371\" height=\"46\" border=\"0\" \/><\/p>\n<p>In the Access Manager, click New User to open up a dialog. Name the user and click Ok. 
<img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" title=\"image003\" src=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2010\/10\/image003_thumbB1.png\" alt=\"How to create S3 Bucket Share-2\" width=\"408\" height=\"216\" border=\"0\" \/><\/p>\n<p>The new user should show up on the list. Right-click it and click Add Policy\u2026<img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" title=\"image005\" src=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2010\/10\/image005_thumbB1.png\" alt=\"Specifying IAM Share Bucket-3\" width=\"286\" height=\"302\" border=\"0\" \/><\/p>\n<p>Click New Statement and then\u00a0<select><\/select>\u00a0to choose the list of actions that your new users will be allowed to perform. The most common ones are shown below.<\/p>\n<p>Click in: to specify the bucket name and the path. Make sure to add \u201c\/*\u201d to the path to propagate the policy to the bucket content.<\/p>\n<p>Click New Statement once again, this time for the bucket itself.<\/p>\n<p>Choose s3:ListBucket as the action and make sure that you don\u2019t add \u201c\/*\u201d at the end. 
This is because you are applying the statement to a bucket, not to its contents.<\/p>\n<p>You can optionally set a condition.\u00a0For example, you can set a date until which the policy is valid, after which the user will no longer have access to the resource.<\/p>\n<p>Click Ok to create the policy.<img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" title=\"Designer\" src=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2010\/10\/IAM-Policy.png\" alt=\"Specifying IAM Share Bucket-4\" width=\"597\" height=\"328\" border=\"0\" \/><\/p>\n<p>Here is the policy text for you to copy:<br \/>\n{<br \/>\n\"Statement\": [<br \/>\n{<br \/>\n\"Effect\": \"Allow\",<br \/>\n\"Action\": [<br \/>\n\"s3:GetObject\",<br \/>\n\"s3:PutObject\",<br \/>\n\"s3:GetObjectAcl\",<br \/>\n\"s3:PutObjectAcl\",<br \/>\n\"s3:DeleteObject\"<br \/>\n],<br \/>\n\"Resource\": \"arn:aws:s3:::cloudberry.public\/*\",<br \/>\n\"Condition\": {}<br \/>\n},<br \/>\n{<br \/>\n\"Effect\": \"Allow\",<br \/>\n\"Action\": [<br \/>\n\"s3:ListBucket\",<br \/>\n\"s3:GetBucketLocation\",<br \/>\n\"s3:GetBucketAcl\"<br \/>\n],<br \/>\n\"Resource\": \"arn:aws:s3:::cloudberry.public\",<br \/>\n\"Condition\": {}<br \/>\n}<br \/>\n]<br \/>\n}<\/p>\n<p>Last but not least, you have to generate an access\/secret key pair for your new user.\u00a0 Click Generate Access Keys\u2026 in the user context menu. Copy the keys so that you can hand them over to the user later.<img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" title=\"image009\" src=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2010\/10\/image009_thumbB1.png\" alt=\"Specifying IAM Share Bucket-5\" width=\"452\" height=\"252\" border=\"0\" \/><\/p>\n<h2>Working as a User<\/h2>\n<p>Register an account for the newly created user in the MSP360 Explorer console.\u00a0 Use the access\/secret key created earlier. 
<img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" title=\"image011\" src=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2010\/10\/image011_thumbB1.png\" alt=\"Specifying IAM Share Bucket-6\" width=\"359\" height=\"357\" border=\"0\" \/> Note: you can use MSP360 Explorer freeware to register one bucket for IAM users. If you need to register more than one bucket, you will have to turn to our PRO version.<\/p>\n<p>Now, select the newly created account in the drop-down list. If you look at the list of buckets, it will be empty. This is because we have not granted the user the right to list all buckets. You have to add a bucket as an external bucket manually. Click a green button on the toolbar and type the bucket name manually.<img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" title=\"image013\" src=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2010\/10\/image013_thumbB1.png\" alt=\"How to create S3 Bucket Share-7\" width=\"504\" height=\"241\" border=\"0\" \/><\/p>\n<p>Now you can see the bucket in the console. You can copy, move, delete files, create folders, etc. <img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" title=\"image015\" src=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2010\/10\/image015_thumbB1.png\" alt=\"How to create S3 Bucket Share-8\" width=\"405\" height=\"151\" border=\"0\" \/><\/p>\n<p>As always, we would be happy to hear your feedback, and you are welcome to post a comment.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Identity and Access Management (IAM) is a service that lets you create user accounts inside the master account and grant those accounts a set of permissions. MSP360 Explorer PRO comes with full support for the IAM service, and you can learn more about that in\u00a0our previous blog post. 
In this blog post, we will look into the [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[877,898,882],"tags":[],"class_list":["post-138","post","type-post","status-publish","format-standard","hentry","category-blog-articles","category-msp360-explorer","category-msp360-news"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/138","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/comments?post=138"}],"version-history":[{"count":2,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/138\/revisions"}],"predecessor-version":[{"id":51268,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/138\/revisions\/51268"}],"wp:attachment":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media?parent=138"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/categories?post=138"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/tags?post=138"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}