Hi! Is there a way to grant list permissions to all S3 buckets w/o seeing the content of them?
List object names is ListBucket getting the content of objects is GetObject
So if I grant only ListBucket should work, right?
That’s right, and remember the Resource is the bucket, without the key prefix
I’ll testing right now. Thanks!
Np, that one is a little weird because it’s one of the rare places the IAM permission name (ListBuckets) doesn’t align with the API method name (ListObjectsV2)
It sounds like you are actually looking for ListAllMyBuckets https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html
ListBucket is the contents of a bucket
Oh, yes I could have been confused by the wording. You are looking to see a list of all S3 buckets in the account? Or to see the names of the objects inside the buckets?
List to see all buckets but not the content of them if possible
Ah, sorry, then you want what conzy said
Can you please help me why is this happening?
You are almost there……
The link I posted above shows what resources are valid for a given action
If you are using ListAllMyBuckets the resource must be *
And if you include ListBucket like you have then principals will be able to list bucket contents
Which is what you didnt want
Thank you! I reviewed and remove ListBucket permission and used ListAllMyBuckets
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetBucketPolicy",
"s3:GetBucketPolicyStatus",
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::*"
}
]
}```I used aws cli and I was able to list the buckets and their policies but couldn’t get the content of the buckets
