I have a number of buckets that start with the same namespace as in assets-<something>
, so I was wondering what would be the best option to give rights to IAM group with minimal need to maintain it.
Is it possible to use any sort of regex in ARN? Or maybe I could use tags? EC2 has condition for ResourceTag
, but it appears that it does not exist for S3.
Or should I with each bucket add new ARN to the policy?
Again, I am searching for the minimal solution so attaching new policy to each bucket itself seems to be a bit much.
An IAM policy can grant access to Amazon S3 buckets based on a wildcard.
For example, this policy grants permissions to list the contents of a bucket and retrieve an object from a bucket, but only if the bucket starts with
assets-
:Note that the
Resource
section refers to both the bucket (forListBucket
) and the content of the bucket (forGetObject
).Wildcard also work elsewhere in the bucket name, eg:
arn:aws:s3:::*-record
It is not possible to grant access to Amazon S3 buckets based on Tags.
ARN format
As an aside, if you're wondering why there are so many colons in the ARN (Amazon Resource Name) for an Amazon S3 bucket, it's because the normal format for an ARN is:
In the case of an Amazon S3 bucket, the region and account can be discerned from the bucket name (which is globally unique), so those parameters are left blank.