Sharing S3 Buckets and all sub folders

I recently needed to share an S3 bucket and all the sub-folders (objects) within it, but it wasn’t immediately obvious how to do it. After some experimentation I discovered the following solution.

If you want to give someone full read access to all objects within a bucket, you must:

  1. Set up the ACL on the bucket itself to give them list and view permissions.
  2. Set up a bucket policy on the bucket itself that applies to all objects within that bucket:
{
	"Version": "2008-10-17",
	"Id": "PolicyToAllowFredReadAccess",
	"Statement": [
		{
			"Sid": "Give Fred Read Access to all objects in this bucket",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::123456789012:root"
			},
			"Action": "s3:GetObject*",
			"Resource": "arn:aws:s3:::example-bucket/*"
		}
	]
}

The two values to change here are 1) 123456789012, the user's AWS account ID (shown on their account page in hyphenated form as 1234-5678-9012; drop the hyphens when writing the ARN), and 2) example-bucket, the bucket name.

You can also grant by canonical user id:

{
	"Version":"2008-10-17",
	"Id":"PolicyToAllowFredReadAccess",
	"Statement":[{
			"Sid":"Give Fred Read Access to all objects in this bucket",
			"Effect":"Allow",
			"Principal":{
				"CanonicalUser":"79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
			},
			"Action":["s3:GetObject"],
			"Resource":"arn:aws:s3:::example-bucket/*"
		}
	]
}
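Both policies above are easy to get subtly wrong by hand (an account ID with a digit missing, a hyphenated ID pasted into an ARN, a wildcard that is broader than intended), so here is an added example, not code from the original post, that generates the equivalent policy from either an account ID or a canonical user ID and then audits a policy for grants broader than the read-only sharing described. It also emits an s3:ListBucket statement on the bucket ARN, which is the bucket-policy way of granting the listing permission that step 1 grants through the ACL. The function names, the Sid values and the constructed public policy used for the audit demonstration are this example's own assumptions; the policy language version 2012-10-17 is the current one and works the same way as the 2008-10-17 version used above. One caveat worth keeping in mind when reviewing such a policy: a principal of the form arn:aws:iam::ACCOUNT:root delegates to the whole account, so any IAM user or role in that account whose own IAM policy allows s3:GetObject can read the objects.

```python
import json
import re
from typing import Dict, List, Optional

# AWS account IDs are exactly 12 digits; canonical user IDs are 64 hex characters.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
CANONICAL_ID_RE = re.compile(r"^[0-9a-f]{64}$")


def normalise_account_id(account_id: str) -> str:
    """Accept the hyphenated form shown on the AWS account page (1234-5678-9012)
    and return the plain 12-digit form that ARNs require."""
    digits = account_id.replace("-", "")
    if not ACCOUNT_ID_RE.match(digits):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return digits


def build_read_policy(bucket: str, account_id: Optional[str] = None,
                      canonical_user: Optional[str] = None,
                      sid_prefix: str = "Fred") -> Dict:
    """Build a read-only bucket policy for one grantee (account or canonical user).
    The ListBucket statement targets the bucket ARN; GetObject targets bucket/*."""
    if (account_id is None) == (canonical_user is None):
        raise ValueError("give exactly one of account_id or canonical_user")
    if account_id is not None:
        principal = {"AWS": f"arn:aws:iam::{normalise_account_id(account_id)}:root"}
    else:
        if not CANONICAL_ID_RE.match(canonical_user):
            raise ValueError("canonical user id must be 64 lowercase hex characters")
        principal = {"CanonicalUser": canonical_user}
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",  # current policy language version
        "Statement": [
            {
                "Sid": f"Allow{sid_prefix}ListBucket",
                "Effect": "Allow",
                "Principal": principal,
                "Action": "s3:ListBucket",
                "Resource": bucket_arn,
            },
            {
                "Sid": f"Allow{sid_prefix}GetObject",
                "Effect": "Allow",
                "Principal": principal,
                "Action": "s3:GetObject",
                "Resource": f"{bucket_arn}/*",
            },
        ],
    }


def _as_list(value) -> List[str]:
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy: Dict) -> List[str]:
    """Return findings for Allow statements broader than a scoped read grant."""
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        aws_principals = (_as_list(principal.get("AWS", []))
                          if isinstance(principal, dict) else [principal])
        if "*" in aws_principals:
            findings.append(f"{sid}: Principal '*' makes this grant public (anonymous access)")
        for action in _as_list(stmt.get("Action", [])):
            if action in ("*", "s3:*"):
                findings.append(f"{sid}: Action {action} grants every S3 operation, not just reads")
            elif "*" in action:
                findings.append(f"{sid}: wildcard action {action} matches every action with that "
                                "prefix (s3:GetObject* also covers GetObjectAcl, GetObjectVersion "
                                "and GetObjectTagging)")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"{sid}: Resource '*' is not scoped to this bucket")
    return findings


# Constructed example of a policy that is far broader than intended: public principal
# and every S3 action. Used only to show what the audit flags.
CONSTRUCTED_PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OopsPublic",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}


if __name__ == "__main__":
    policy = build_read_policy("example-bucket", account_id="1234-5678-9012")
    print(json.dumps(policy, indent=2))
    for finding in audit_policy(CONSTRUCTED_PUBLIC_POLICY):
        print("FINDING:", finding)
```

Running the script prints the generated policy (ready to paste into the bucket's policy editor) and then the two findings for the constructed public policy; a policy generated by build_read_policy produces no findings, while the s3:GetObject* form used above is reported as a wildcard so the reviewer can decide whether GetObjectAcl and GetObjectVersion were meant to be included.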
