1 Answer
-1
IAM Identity Center users do not have an ARN (an IAM ARN is not a substitute). One way to allow your user access to the S3 bucket would be to use the Identity Center user information (user ID and username) as a Condition in the S3 bucket policy.
Example:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UserID",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:*"],
      "Resource": "arn:aws:s3:::mybucket/*",
      "Condition": {
        "StringLike": {
          "aws:userId": "SSOUserID:SSOUserName"
        }
      }
    }
  ]
}
```
answered a year ago
Didn't work, same error.
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
I got the user ID from the IAM Identity Center, it's a long hex string with dashes in it, and I used the username listed there too.
Hello, it didn't work for me either; please can you help to fix it?
Could you provide the bucket policy?
Have you considered using AWS S3 Presigned URLs?
Here it is with sensitive info removed
I haven't looked at presigned URLs. I'd like to understand what about this approach doesn't work before going down the rabbit hole of another approach that will probably break with a different obscure error :P
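Added example (not code from the answer above, the commenters, or AWS): an offline check of what the bucket-policy condition actually compares against. `aws:userId` is matched against the `UserId` string STS attaches to the calling session, the same value `aws sts get-caller-identity` prints. When the CLI signs in through an IAM Identity Center permission set it assumes a role, so that value has the assumed-role shape `<role-id>:<session-name>`; a condition written with the GUID shown as "User ID" in the Identity Center console is a different string and does not match it, the request is denied, and `head-object` surfaces that denial as the 403 quoted in the comments. The script builds the policy from a caller-identity document instead of hand-typed values and evaluates it with a deliberately minimal matcher that implements IAM's `StringLike` wildcard rules. The caller-identity JSON, role id, account, bucket name and user name are constructed sample values, not taken from the thread.

```python
"""Offline check of an S3 bucket policy that gates access on aws:userId.

Added example, not code from the re:Post answer. The caller-identity document
below is constructed; real values come from `aws sts get-caller-identity`.
"""
import json
import re

# Constructed sample: what `aws sts get-caller-identity` returns for a CLI session
# obtained through an IAM Identity Center permission set. The session is an assumed
# role, so UserId is "<role-id>:<session-name>", not the Identity Center user GUID.
SSO_SESSION = {
    "UserId": "AROAEXAMPLEROLEID12:jane.doe",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/"
           "AWSReservedSSO_ReadOnly_0123456789abcdef/jane.doe",
}

# Constructed: the kind of value the Identity Center console lists as "User ID".
IDENTITY_CENTER_USER_GUID = "9067d3c0-1234-5678-9abc-def012345678"


def iam_string_like(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly one,
    everything else is literal. aws:userId comparisons are case-sensitive; Action
    names are matched case-insensitively, hence the flag."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def bucket_policy_for_session(bucket: str, caller_identity: dict) -> dict:
    """Build a read-only bucket policy whose aws:userId condition is copied from the
    session's reported UserId instead of being typed from the console."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowOnlyThisSession",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"StringEquals": {"aws:userId": caller_identity["UserId"]}},
            }
        ],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def policy_allows(policy: dict, user_id: str, action: str, resource: str) -> bool:
    """Minimal evaluation of an Allow-only bucket policy: True when some statement's
    Action, Resource and aws:userId condition all match. Real IAM evaluation also
    applies Deny statements, the identity policy and SCPs; this is only enough to
    show why a condition that does not match the session's UserId ends in a 403."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(iam_string_like(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
            continue
        if not any(iam_string_like(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        satisfied = True
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, wanted in pairs.items():
                if key.lower() != "aws:userid":
                    raise ValueError(f"unsupported condition key {key}")
                if operator == "StringEquals":
                    satisfied = satisfied and user_id in _as_list(wanted)
                elif operator == "StringLike":
                    satisfied = satisfied and any(iam_string_like(w, user_id) for w in _as_list(wanted))
                else:
                    raise ValueError(f"unsupported condition operator {operator}")
        if satisfied:
            return True
    return False


if __name__ == "__main__":
    policy = bucket_policy_for_session("mybucket", SSO_SESSION)
    print(json.dumps(policy, indent=2))
    obj = "arn:aws:s3:::mybucket/report.csv"
    print("session allowed:", policy_allows(policy, SSO_SESSION["UserId"], "s3:GetObject", obj))
    print("GUID-based condition matches session:",
          iam_string_like(f"{IDENTITY_CENTER_USER_GUID}:jane.doe", SSO_SESSION["UserId"]))
```

To apply this against a real account, replace `SSO_SESSION` with the output of `aws sts get-caller-identity` run from the session that gets the 403, and compare that `UserId` with the string in the deployed policy (`aws s3api get-bucket-policy --bucket <bucket>`); any difference in the role id, the session name, or case is enough for the condition to fail. `StringEquals` pins one session name; to admit every session of the same permission-set role use `StringLike` with `"<role-id>:*"`, which `iam_string_like` handles the same way IAM does. The matcher deliberately ignores `Deny` statements, identity policies and SCPs, so a `True` here means only that this bucket policy is not the thing denying the request.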