Example 3: Bucket owner granting permissions to objects it does not own - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Example 3: Bucket owner granting permissions to objects it does not own

The scenario for this example is that a bucket owner wants to grant permission to access objects, but not all objects in the bucket are owned by the bucket owner. For this example, the bucket owner is trying to grant permission to users in its own account.

A bucket owner can enable other Amazon Web Services accounts to upload objects. By default, the bucket owner doesn't own objects written to a bucket by another Amazon Web Services account. Objects are owned by the accounts that write them to an S3 bucket. If the bucket owner doesn't own objects in the bucket, the object owner must first grant permission to the bucket owner using an object ACL. Only then can the bucket owner grant permissions on an object that they do not own. For more information, see Amazon S3 bucket and object ownership.

If the bucket owner applies the bucket owner enforced setting for S3 Object Ownership for the bucket, the bucket owner will own all objects in the bucket, including objects written by another Amazon Web Services account. This will resolve the issue that objects are not owned by the bucket owner. Then, you can delegate permission to users in your own account or to other Amazon Web Services accounts.

Note

By default, when another Amazon Web Services account uploads an object to your S3 bucket, that account (the object writer) owns the object, has access to it, and can grant other users access to it through ACLs. You can use Object Ownership to change this default behavior so that ACLs are disabled and you, as the bucket owner, automatically own every object in your bucket. As a result, access control for your data is based on policies, such as IAM policies, S3 bucket policies, virtual private cloud (VPC) endpoint policies, and Amazon Organizations service control policies (SCPs).

A majority of modern use cases in Amazon S3 no longer require the use of ACLs, and we recommend that you disable ACLs except in unusual circumstances where you need to control access for each object individually. With Object Ownership, you can disable ACLs and rely on policies for access control. When you disable ACLs, you can easily maintain a bucket with objects uploaded by different Amazon Web Services accounts. You, as the bucket owner, own all the objects in the bucket and can manage access to them using policies. For more information, see Controlling ownership of objects and disabling ACLs for your bucket.

In this example, we assume the bucket owner has not applied the bucket owner enforced setting for Object Ownership. The bucket owner delegates permission to users in its own account. The following is a summary of the walkthrough steps:

  1. Account A administrator user attaches a bucket policy with two statements.

    • Allow cross-account permission to Account B to upload objects.

    • Allow a user in its own account to access objects in the bucket.

  2. Account B administrator user uploads objects to the bucket owned by Account A.

  3. Account B administrator updates the object ACL, adding a grant that gives the bucket owner full-control permission on the object.

  4. User in Account A verifies by accessing objects in the bucket, regardless of who owns them.

For this example, you need two accounts. The following table shows how we refer to these accounts and the administrator users in these accounts. In this walkthrough, you don't use the account root credentials, according to the recommended IAM guidelines. For more information, see About using an administrator user to create resources and grant permissions. Instead, you create an administrator in each account and use those credentials in creating resources and granting them permissions.

    Amazon Web Services account ID   Account referred to as   Administrator in the account
    1111-1111-1111                   Account A                AccountAadmin
    2222-2222-2222                   Account B                AccountBadmin

All the tasks of creating users and granting permissions are done in the Amazon Web Services Management Console. To verify permissions, the walkthrough uses the command line tools, Amazon Command Line Interface (Amazon CLI) and Amazon Tools for Windows PowerShell, so you don't need to write any code.

Step 0: Preparing for the walkthrough

  1. Make sure that you have two Amazon Web Services accounts and each account has one administrator as shown in the table in the preceding section.

    1. Sign up for an Amazon Web Services account, if needed.

      1. Open the Amazon S3 page and choose Create an Amazon Account.

      2. Follow the on-screen instructions. Amazon will notify you by email when your account is active and available for you to use.

    2. Using Account A credentials, sign in to the IAM console and do the following to create an administrator user:

      • Create user AccountAadmin and note down security credentials. For more information about adding users, see Creating an IAM user in your Amazon Web Services account in the IAM User Guide.

      • Grant AccountAadmin administrator permissions by attaching a user policy giving full access. For instructions, see Managing IAM policies in the IAM User Guide.

      • In the IAM console Dashboard, note down the IAM User Sign-In URL. Users in this account must use this URL when signing in to the Amazon Web Services Management Console. For more information, see How users sign in to your account in IAM User Guide.

    3. Repeat the preceding step using Account B credentials and create administrator user AccountBadmin.

  2. Set up either the Amazon CLI or the Tools for Windows PowerShell. Make sure that you save the administrator credentials as follows:

    • If using the Amazon CLI, create two profiles, AccountAadmin and AccountBadmin, in the config file.

    • If using the Tools for Windows PowerShell, make sure that you store credentials for the session as AccountAadmin and AccountBadmin.

    For instructions, see Setting up the tools for the example walkthroughs.

Step 1: Do the Account A tasks

Perform the following steps for Account A:

Step 1.1: Sign in to the console

Using the IAM user sign-in URL for Account A, sign in to the Amazon Web Services Management Console as AccountAadmin user. This user will create a bucket and attach a policy to it.

Step 1.2: Create a bucket and user, and add a bucket policy to grant user permissions

  1. In the Amazon S3 console, create a bucket. This exercise assumes that the bucket is created in the US East (N. Virginia) Region, and the name is DOC-EXAMPLE-BUCKET1.

    For instructions, see Creating a bucket.

  2. In the IAM console, create a user Dave.

    For instructions, see Creating IAM users (console) in the IAM User Guide.

  3. Note down the Dave credentials.

  4. In the Amazon S3 console, attach the following bucket policy to DOC-EXAMPLE-BUCKET1 bucket. For instructions, see Adding a bucket policy using the Amazon S3 console. Follow the steps to add a bucket policy. For information about how to find account IDs, see Finding your Amazon Web Services account ID.

    The policy grants Account B the s3:PutObject and s3:ListBucket permissions. The policy also grants user Dave the s3:GetObject permission.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Statement1",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws-cn:iam::AccountB-ID:root"
                },
                "Action": [
                    "s3:PutObject",
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws-cn:s3:::DOC-EXAMPLE-BUCKET1/*",
                    "arn:aws-cn:s3:::DOC-EXAMPLE-BUCKET1"
                ]
            },
            {
                "Sid": "Statement3",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws-cn:iam::AccountA-ID:user/Dave"
                },
                "Action": [
                    "s3:GetObject"
                ],
                "Resource": [
                    "arn:aws-cn:s3:::DOC-EXAMPLE-BUCKET1/*"
                ]
            }
        ]
    }

Step 2: Do the Account B tasks

Now that Account B has permissions to perform operations on Account A's bucket, the Account B administrator will do the following:

  • Upload an object to Account A's bucket.

  • Add a grant in the object ACL to allow Account A, the bucket owner, full control.

Using the Amazon CLI

  1. Using the put-object CLI command, upload an object. The --body parameter in the command identifies the source file to upload. For example, if the file is on the C: drive of a Windows machine, you would specify c:\HappyFace.jpg. The --key parameter provides the key name for the object.

    aws s3api put-object --bucket DOC-EXAMPLE-BUCKET1 --key HappyFace.jpg --body HappyFace.jpg --profile AccountBadmin
  2. Add a grant to the object ACL to allow the bucket owner full control of the object. For information about how to find a canonical user ID, see Finding the canonical user ID for your Amazon Web Services account.

    aws s3api put-object-acl --bucket DOC-EXAMPLE-BUCKET1 --key HappyFace.jpg --grant-full-control id="AccountA-CanonicalUserID" --profile AccountBadmin
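The put-object-acl step above is the one that is easy to skip, and nothing in the bucket policy tells the bucket owner whether it was skipped. The following script is an added example, not code from the Amazon S3 documentation, that audits a bucket for objects the bucket owner cannot manage: it applies the rule this walkthrough depends on (an object written by another account is owned by that account, and the bucket owner can act on it only once the object ACL grants the bucket owner FULL_CONTROL, unless Object Ownership is set to bucket owner enforced). The dictionary shapes mirror the boto3 get_object_acl and get_bucket_ownership_controls responses; the canonical user IDs and the three object ACLs are constructed sample data, and the live_audit function is assumed to run with the bucket owner's credentials.

```python
"""Audit which objects in an S3 bucket the bucket owner can actually manage.

Added example (not AWS documentation code). Offline sample data below
models DOC-EXAMPLE-BUCKET1 after Step 2 of the walkthrough.
"""
from dataclasses import dataclass

# Constructed canonical user IDs (placeholders, not real accounts).
ACCOUNT_A_CANONICAL_ID = "a" * 64   # bucket owner (Account A)
ACCOUNT_B_CANONICAL_ID = "b" * 64   # object writer (Account B)


@dataclass
class ObjectAudit:
    key: str
    owner_id: str
    bucket_owner_has_full_control: bool
    manageable_by_bucket_owner: bool


def bucket_owner_has_full_control(acl, bucket_owner_id):
    """True if the object ACL grants FULL_CONTROL to the bucket owner's canonical ID."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "CanonicalUser"
                and grantee.get("ID") == bucket_owner_id
                and grant.get("Permission") == "FULL_CONTROL"):
            return True
    return False


def audit_object(key, acl, bucket_owner_id, ownership_setting):
    """Decide whether the bucket owner can manage one object.

    ownership_setting is the ObjectOwnership value: "BucketOwnerEnforced",
    "BucketOwnerPreferred" or "ObjectWriter".
    """
    if ownership_setting == "BucketOwnerEnforced":
        # ACLs are disabled and the bucket owner owns every object.
        return ObjectAudit(key, bucket_owner_id, True, True)
    owner_id = acl["Owner"]["ID"]
    has_fc = bucket_owner_has_full_control(acl, bucket_owner_id)
    return ObjectAudit(key, owner_id, has_fc, owner_id == bucket_owner_id or has_fc)


def find_unmanageable(object_acls, bucket_owner_id, ownership_setting):
    """Return the keys the bucket owner cannot manage (the objects where Step 2.2 was skipped)."""
    audits = (audit_object(k, acl, bucket_owner_id, ownership_setting)
              for k, acl in object_acls.items())
    return [a.key for a in audits if not a.manageable_by_bucket_owner]


# Constructed get_object_acl-style responses for three objects.
SAMPLE_OBJECT_ACLS = {
    # Written by Account A itself, so owned by the bucket owner.
    "report.csv": {
        "Owner": {"ID": ACCOUNT_A_CANONICAL_ID},
        "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": ACCOUNT_A_CANONICAL_ID},
                    "Permission": "FULL_CONTROL"}],
    },
    # Written by Account B, ACL updated as in Step 2 (bucket-owner-full-control).
    "HappyFace.jpg": {
        "Owner": {"ID": ACCOUNT_B_CANONICAL_ID},
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": ACCOUNT_B_CANONICAL_ID},
             "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "CanonicalUser", "ID": ACCOUNT_A_CANONICAL_ID},
             "Permission": "FULL_CONTROL"},
        ],
    },
    # Written by Account B, ACL never updated: only the writer can manage it.
    "SadFace.jpg": {
        "Owner": {"ID": ACCOUNT_B_CANONICAL_ID},
        "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": ACCOUNT_B_CANONICAL_ID},
                    "Permission": "FULL_CONTROL"}],
    },
}


def live_audit(bucket, profile=None):
    """Run the same check against a real bucket with boto3 (needs bucket-owner credentials)."""
    import boto3  # imported here so the offline sample above needs no AWS SDK
    from botocore.exceptions import ClientError
    s3 = boto3.Session(profile_name=profile).client("s3")
    bucket_owner_id = s3.get_bucket_acl(Bucket=bucket)["Owner"]["ID"]
    try:
        rules = s3.get_bucket_ownership_controls(Bucket=bucket)["OwnershipControls"]["Rules"]
        ownership = rules[0]["ObjectOwnership"]
    except ClientError:
        ownership = "ObjectWriter"  # no ownership controls configured
    acls, unreadable = {}, []
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket):
        for obj in page.get("Contents", []):
            try:
                acls[obj["Key"]] = s3.get_object_acl(Bucket=bucket, Key=obj["Key"])
            except ClientError:
                unreadable.append(obj["Key"])  # cannot even read the ACL: not manageable
    return unreadable + find_unmanageable(acls, bucket_owner_id, ownership)


if __name__ == "__main__":
    print("Offline sample, ObjectWriter:", find_unmanageable(
        SAMPLE_OBJECT_ACLS, ACCOUNT_A_CANONICAL_ID, "ObjectWriter"))
```

Run against the sample data, only SadFace.jpg is reported; with Object Ownership set to BucketOwnerEnforced the list is empty, which is the reason the note at the top of this page recommends that setting over per-object ACL grants. For a real bucket, call live_audit("DOC-EXAMPLE-BUCKET1", profile="AccountAadmin") and treat any returned key as an object whose access the bucket owner does not control.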

Using the Tools for Windows PowerShell

  1. Using the Write-S3Object Tools for Windows PowerShell command, upload an object.

    Write-S3Object -BucketName DOC-EXAMPLE-BUCKET1 -key HappyFace.jpg -file HappyFace.jpg -StoredCredentials AccountBadmin
  2. Add a grant to the object ACL to allow the bucket owner full control of the object.

    Set-S3ACL -BucketName DOC-EXAMPLE-BUCKET1 -Key HappyFace.jpg -CannedACLName "bucket-owner-full-control" -StoredCredentials AccountBadmin

Step 3: Test permissions

Now verify that user Dave in Account A can access the object owned by Account B.

Using the Amazon CLI

  1. Add user Dave credentials to the Amazon CLI config file and create a new profile, UserDaveAccountA. For more information, see Setting up the tools for the example walkthroughs.

    [profile UserDaveAccountA]
    aws_access_key_id = access-key
    aws_secret_access_key = secret-access-key
    region = us-east-1

  2. Run the get-object CLI command to download HappyFace.jpg and save it locally. You provide user Dave credentials by adding the --profile parameter.

    aws s3api get-object --bucket DOC-EXAMPLE-BUCKET1 --key HappyFace.jpg Outputfile.jpg --profile UserDaveAccountA

Using the Tools for Windows PowerShell

  1. Store user Dave's Amazon credentials in the persistent store as UserDaveAccountA.

    Set-AWSCredentials -AccessKey UserDave-AccessKey -SecretKey UserDave-SecretAccessKey -storeas UserDaveAccountA
  2. Run the Read-S3Object command to download the HappyFace.jpg object and save it locally. You provide user Dave credentials by adding the -StoredCredentials parameter.

    Read-S3Object -BucketName DOC-EXAMPLE-BUCKET1 -Key HappyFace.jpg -file HappyFace.jpg -StoredCredentials UserDaveAccountA

Step 4: Clean up

  1. After you are done testing, you can do the following to clean up.

    1. Sign in to the Amazon Web Services Management Console using Account A credentials, and do the following:

      • In the Amazon S3 console, remove the bucket policy attached to DOC-EXAMPLE-BUCKET1. In the bucket Properties, delete the policy in the Permissions section.

      • If the bucket is created for this exercise, in the Amazon S3 console, delete the objects and then delete the bucket.

      • In the IAM console, remove the AccountAadmin user.

  2. Sign in to the Amazon Web Services Management Console using Account B credentials. In the IAM console, delete user AccountBadmin.