I have a third party system that I can ask to upload files to an S3 bucket of my choice. The code the system uses is
import boto3

s3 = boto3.resource('s3')
bucket = s3.Bucket(bucket_name)  # bucket_name is the bucket I supply to the system
bucket.put_object(Body=data_log, Key='log.txt')
The AWS credentials the system uses belong to an AWS account that I cannot administrate. Also, I am (for now) not allowed to change the used AWS credentials nor the used code.
So I tried to create an s3 bucket like this:
aws s3api create-bucket --bucket <MYBUCKET> --region eu-central-1 --create-bucket-configuration LocationConstraint="eu-central-1"
aws s3api delete-public-access-block --bucket <MYBUCKET>
aws s3api put-bucket-ownership-controls --bucket <MYBUCKET> --ownership-controls 'Rules=[{ObjectOwnership="BucketOwnerPreferred"}]'
aws s3api put-bucket-acl --bucket <MYBUCKET> --acl public-read-write
But when I run the code, I get the error message
An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
So the big question is, how can I configure my s3 bucket to allow access from a user in a different account WITHOUT changing that user's policy in his account.
I can get the code to upload to my s3 bucket by changing it to
import boto3
from botocore import UNSIGNED
from botocore.config import Config

# Unsigned request: sent anonymously, so no AWS credentials are involved at all
s3 = boto3.resource('s3', config=Config(signature_version=UNSIGNED))
bucket = s3.Bucket(bucket_name)
bucket.put_object(Body=data_log, Key='log.txt')
But that, unfortunately, does not solve my problem as I cannot do that on the productive system.
Also, I found that I can attach the policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PolicyForAllowUploadWithACL",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<MYBUCKET>/*"
        }
    ]
}
to the s3 bucket and the policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PolicyForAllowUploadWithACL",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::<MYBUCKET>/*"
            ]
        }
    ]
}
to a user in a second AWS account of mine.
If I run the upload code with that second account it works, too. But again, that does not solve my problem as I cannot do that on the productive system (I cannot change the used AWS credentials, and I cannot administrate the policies of the used user).
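An added example, not code from the question or from any answer: a small audit check that flags a bucket policy like the first one above, where `"Principal": {"AWS": "*"}` with `s3:PutObject` and no `Condition` lets anyone on the internet write into the bucket, and stays silent once the grant is scoped to one named principal. The experiments in the question match how S3 evaluates cross-account requests: a signed request from another account is allowed only when both the bucket policy and the caller's own IAM policy permit the action, so widening the bucket policy to `*` does not remove the need for the identity-side grant. The bucket name, account id and role name in the samples are placeholders.

```python
import json
from fnmatch import fnmatchcase

# Write actions that make a wildcard grant dangerous (lower-cased; IAM matches case-insensitively).
WRITE_ACTIONS = ("s3:putobject", "s3:putobjectacl", "s3:deleteobject")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def _grants_write(actions):
    # Action strings may carry "*" wildcards such as "s3:Put*" or "s3:*".
    patterns = [a.lower() for a in _as_list(actions)]
    return any(fnmatchcase(w, p) for w in WRITE_ACTIONS for p in patterns)

def find_public_write_statements(policy_json):
    """Return Sids of Allow statements that grant a write action to any principal with
    no Condition block, i.e. statements that make the bucket world-writable."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if _principal_is_wildcard(stmt.get("Principal")) and _grants_write(stmt.get("Action", [])):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

# Constructed sample: the wildcard-principal bucket policy from the question (bucket name is a placeholder).
PUBLIC_WRITE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PolicyForAllowUploadWithACL", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:PutObject", "Resource": "arn:aws:s3:::MYBUCKET/*"}]})

# Constructed sample: the same grant scoped to one hypothetical role in the uploading account
# (account id and role name are placeholders, not values from the question).
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowUploadFromPartnerRole", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/partner-uploader"},
    "Action": "s3:PutObject", "Resource": "arn:aws:s3:::MYBUCKET/*"}]})

if __name__ == "__main__":
    print(find_public_write_statements(PUBLIC_WRITE_POLICY))  # ['PolicyForAllowUploadWithACL']
    print(find_public_write_statements(SCOPED_POLICY))         # []
```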