Min permissions required for IAM role to do S3 operations

[websparks-wy]

Hi,

What are the permissions required for the IAM role to use the following functions?

IAmazonS3.DoesS3BucketExistAsync
TransferUtility.UploadAsync

Usage:

               var hasBucket = await _amazonS3Client.DoesS3BucketExistAsync(bucketName);
               
                var transferUtilityRequest = new TransferUtilityUploadRequest()
                {
                    InputStream = file.OpenReadStream(),
                    Key = trustedStorageName,
                    BucketName = bucketName,
                    CannedACL = S3CannedACL.PublicRead, 
                    PartSize = 6291456
                };

                // Add metatags which can include the original file name and other decriptions
                var metaTags = requestDto.Metatags;
                if (metaTags != null && metaTags.Count() > 0)
                {
                    foreach (var tag in metaTags)
                    {
                        transferUtilityRequest.Metadata.Add(tag.Key, tag.Value);
                    }
                }

                transferUtilityRequest.Metadata.Add("originalFileName", trustedFileName);


                await _transferUtility.UploadAsync(transferUtilityRequest);

[bhoradc]

Hello @websparks-wy,

Thanks for posting the question. Please find my below response.

IAmazonS3.DoesS3BucketExistAsync() is obsolete and will give you the deprecated warning in Visual studio while trying to use this method. Instead, kindly use AmazonS3Util.DoesS3BucketExistV2Async() to determine whether an S3 bucket exists or not.

For AmazonS3Util.DoesS3BucketExistV2Async(), you should not need additional IAM permissions if you are are accessing the bucket with the same AWS account that created it.

For TransferUtility.UploadAsync(), below are least-privilege permissions you would need to assign in IAM.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::<bucket-name>/*"
        }
    ]
 }

Please let me know if you have further questions.

Regards,
Chaitanya

[websparks-wy]

Hi, I am still on .net core 3.1, and unable to update the library, is that why v2 method isn't available?

If I'm not using the same AWS account that created it, what additional IAM permissions do I require?

Thanks again.

[bhoradc]

Hello @websparks-wy,

DoesS3BucketExistV2Async() would be available on S3 package AWSSDK.S3 version 3.3.104.0 and above.

If you are on S3 version below 3.3.104.0, you may use DoesS3BucketExistAsync() which still doesn't need IAM permissions to execute for non-owned buckets.

I tested again and can confirm that you would need to give "s3:PutObject" permissions to be able to use TransferUtility.UploadAsync(), on owned or cross account buckets.

Please let me know if this helps.

Regards,
Chaitanya

@bot propose-answer

[websparks-wy]

Thanks,

BTW why aren't the request IDs captured? I have already enabled it in the configuration:

  "AWS": {
    "Region": "ap-southeast-1",
    "LogMetrics": true,
    "LogResponse": true
  }

  "Serilog": {
    "Using": [ "Serilog.Sinks.File" ],
    "MinimumLevel": "Debug",
    "WriteTo": [
      {
        "Name": "File",
        "Args": { "path": "Logs/log.txt" }
      }
    ],
    "Enrich": [ "FromLogContext", "WithMachineName", "WithThreadId" ],
    "Properties": {
      "Application": "AdminService"
    }
  }

What is the minimum level for logging? I've also set it to debug, but do not see it being logged.
I have verified it is enabled too:

[ashishdhingra]

@websparks-wy For logging issue, you might be affect by the issue #1759. This is an open issue in team's backlog. Unfortunately, we do not have timeline by which this issue would be fixed.

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.