IAM user with DeleteObject permissions cannot delete from S3 bucket

9,461

S3 allows cross-account delegation of permissions, so that principals (users, roles) in one account can access resources in anothet account.

But, to do this, both accounts must grant the necessary permissions: the account that owns the bucket must delegate the permission and the account that owns the principal must also grant the permission.

 "Principal": {
      "AWS": "arn:aws:iam::xxxxxxxxxxxx:root"
  },

In the bucket policy, this delegates the permission to the root of foreign account xxxxxxxxxxxx... but that account must further delegate the permission to its users/roles with the appropriate IAM policy.

Note

To perform a specific operation on a resource, an IAM user needs permission from both the parent AWS account to which it belongs and the AWS account that owns the resource.

https://docs.aws.amazon.com/AmazonS3/latest/dev/how-s3-evaluates-access-control.html

The document referenced above privides an extensive overview of how S3 handles privilege checks.

9,461

Neekoy

Updated on September 18, 2022

Comments

Neekoy over 1 year
Guys there's something I really don't understand. The GitLab runner at the bottom cannot delete objects in the bucket at the top. He should have permissions to do that, but instead I get the following:

delete failed: s3://bucket.domain.com/file.png An error occurred (AccessDenied) when calling the DeleteObject operation: Access Denied

S3 permissions bucket policy:
```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "Stmt1412062044000",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::321570121925:root"
               },
               "Action": [
                   "s3:GetObject",
                   "s3:PutObject",
                   "s3:PutObjectAcl",
                   "s3:DeleteObject"
               ],
               "Resource": [
                   "arn:aws:s3:::bucket.domain.com/*",
                   "arn:aws:s3:::bucket.domain.com"
               ]
           },
           {
               "Sid": "Stmt1721016931TBA",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::321570121925:root"
               },
               "Action": [
                   "s3:ListBucket",
                   "s3:GetBucketLocation"
               ],
               "Resource": "arn:aws:s3:::bucket.domain.com"
           }
       ]
   }
```
GitLab runner result for "aws sts get-called-identity":
```
   {
       "Account": "321570121925", 
       "UserId": "AROAJZ6FNUZ33NL3XQVYK:i-0394709c2c1742643", 
       "Arn": "arn:aws:sts::321570121925:assumed-role/gitlab-runner-20180419190331730700000002/i-0394709c2c1742643"
   }
```
I've been investigating for hours and this doesn't make sense to me. Help please.
- Admin over 5 years
  
  Does the account 321570121925 own this bucket? I'm guessing not, but don't want to start making incorrect assumptions. What do you believe granting permissions to the account root should accomplish, here, and why?
- Admin over 5 years
  
  @Michael Nope - the account doesn't own the bucket, and I'm trying to give it permissions so it can DeleteObject in it. It can Get and Put, but when it tries to Delete through the pipeline, it gets "permission denied".
- Admin over 5 years
  
  Okay, so the bucket policy is probably fine, as is, but all this is doing is saying that the root of the specified account is allowed to delegate access to the bucket via user or role policy... but I don't believe you're doing that. The gitlab runner role needs a policy statement allowing the same things.
- Admin over 5 years
  
  @Michael Yeah you're correct - the GitLab runner assumes an IAM role that also needs matching permissions - they need to be both in the bucket policy and role policy. It doesn't work if DeleteObject isn't present in both places, and I had it only in the bucket. You can submit this as the answer btw.