I recently needed to share an S3 bucket and all the sub-folders (objects) within it, but it wasn't immediately obvious how to do it. After some experimentation I discovered the following solution.
If you want to give someone full read access to all objects within a bucket, you must do two things:
- Set up the ACL on the bucket itself to give them list and view permissions (this is what lets them enumerate the objects; granting `s3:ListBucket` on the bucket ARN in the bucket policy works too).
- Set up a bucket policy on the bucket itself that applies to all objects within that bucket:
{
  "Version": "2012-10-17",
  "Id": "PolicyToAllowFredReadAccess",
  "Statement": [
    {
      "Sid": "GiveFredReadAccessToAllObjectsInThisBucket",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
The two parts you need to change are 1) 123456789012, the user's AWS account ID (shown on their account page with hyphens as 1234-5678-9012; drop the hyphens in the ARN, it must be exactly 12 digits), and 2) example-bucket, the bucket name. The `/*` after the bucket name is what makes the statement cover every object; the bare bucket ARN without `/*` would only cover bucket-level actions such as listing. Two caveats: if you use the wildcard `s3:GetObject*` instead of `s3:GetObject`, it also matches `s3:GetObjectAcl`, `s3:GetObjectVersion` and `s3:GetObjectTagging`, which is more than a plain download needs. And granting to the `:root` principal delegates to the whole account, so the IAM users or roles in that account still need an identity-based policy of their own allowing the same actions before access actually works.
You can also grant by canonical user ID (the 64-character hexadecimal ID from the other party's security credentials page) instead of account ARN:
{
  "Version": "2012-10-17",
  "Id": "PolicyToAllowFredReadAccess",
  "Statement": [
    {
      "Sid": "GiveFredReadAccessToAllObjectsInThisBucket",
      "Effect": "Allow",
      "Principal": {
        "CanonicalUser": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
      },
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}