Home/ Questions/Q 7166023
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-28T14:20:46+00:00

I’m using temporary sessions in Amazon S3 with GetSessionToken/GetFederationToken, I am planing on having

  • 0

I’m using temporary sessions in Amazon S3 with GetSessionToken/GetFederationToken, I am planing on having more than 10K users each one can upload to S3 so initialy I thought of use a bucket for each user and set write (upload) permissions per bucket for each user, but since there is a limitation on the number of buckets per Amazon account I have forsaken that idea.

How can I set a permission like allow public read, and upload only if the prefix on the key of the object that the user wants to upload ?

For example if username X uploads a file the key must be like X_filename.

Or any other way which allows me to have security, this is for a mobile app and I would not like to go through our own servers when uploading a file.

Edit:

I’ve tried the operation GetFederationToken with the following policy

"{
   "Statement":[{
      "Effect":"Allow",
      "Action":["s3:PutObject","s3:GetObject","s3:GetObjectVersion",
      "s3:DeleteObject",\"s3:DeleteObjectVersion"],
      "Resource":"arn:aws:s3:::user.uploads/john/*"
   }
   ]
}"

I have the bucket user.uploads on S3 and folder john

however any upload with the session credentials to bucket user.uploads with key john/filename fails with access denied”

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Amazon’s Identity and Access Management (IAM) service is what you need. The documentation has numerous examples, some of which match your scenario.

    From the docs:

    Example 5: Allow a partner to drop files into a specific portion of
    the corporate bucket

    In this example, we create a group called WidgetCo that represents the
    partner company, then create a user for the specific person (or
    application) at the partner company who needs access, and then put the
    user in the group.

    We then attach a policy that gives the group PutObject access to the
    following directory in the corporate bucket:
    my_corporate_bucket/uploads/widgetco.

    We also want to prevent the WidgetCo group from doing anything else
    with the bucket, so we add a statement that denies permission to any
    Amazon S3 actions except PutObject on any Amazon S3 resource in the
    AWS account. This is only necessary if there’s a broad policy in use
    elsewhere in your AWS account that gives users wide access to Amazon
    S3.

    {
    "Statement":[{
        "Effect":"Allow",
        "Action":"s3:PutObject",
        "Resource":"arn:aws:s3:::my_corporate_bucket/uploads/widgetco/*"
    },
    {
        "Effect":"Deny",
        "NotAction":"s3:PutObject",
        "Resource":["arn:aws:s3:::my_corporate_bucket/uploads/widgetco/*"]
    },
    {
        "Effect":"Deny",
        "Action":"s3:*",
        "NotResource": ”arn:aws:s3:::my_corporate_bucket/uploads/widgetco/*"
    }]
}

    You would create a new identity for each user and use that to control access to the subfolders (prefixes) as needed.

    • 0