To create an AWS IAM user with access restricted to only the s3://bucket-public-access-uw2/web-assets/lapis/ folder, follow these steps:
- Create an IAM User with programmatic access.
- Attach a Custom IAM Policy restricting access to the specified folder.
- Generate Access Key and Secret for the user.
Here’s the necessary AWS CLI and JSON policy for setting this up:
Step 1: Create the IAM User
aws iam create-user --user-name S3LimitedUser
Step 2: Create an IAM Policy
Save the following policy as s3-lapis-policy.json:
nano s3-lapis-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::bucket-public-access-uw2",
      "Condition": {
        "StringLike": {
          "s3:prefix": "web-assets/lapis/*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::bucket-public-access-uw2/web-assets/lapis/*"
    }
  ]
}
Now create the policy in AWS:
aws iam create-policy --policy-name S3LapisPolicy --policy-document file://s3-lapis-policy.json
Step 3: Attach Policy to User
Replace <policy-arn> with the ARN returned from the previous command:
- arn:aws:iam::390213897844:policy/S3LapisPolicy
aws iam attach-user-policy --user-name S3LimitedUser --policy-arn <policy-arn>
Step 4: Create Access Key for the User
aws iam create-access-key --user-name S3LimitedUser
This will return a response with:
- AccessKeyId
- SecretAccessKey
Save these credentials securely, as you won’t be able to retrieve the secret key again.
Now, the user has access ONLY to s3://bucket-public-access-uw2/web-assets/lapis/, allowing upload, download, listing, and deletion within that folder.
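As an added offline check (example code written for this page, not part of the original post), the following minimal evaluator applies the policy above to sample requests and shows the boundary it draws: listing succeeds only when the request carries a prefix under web-assets/lapis/ (so listing the bucket root is denied), and object operations succeed only on keys under that prefix. It models only what this policy uses (Allow statements, StringLike on s3:prefix, implicit deny); the request values are constructed.

```python
import json
import re

# The policy from the page (s3-lapis-policy.json), embedded so the check runs offline.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:ListBucket"],
   "Resource": "arn:aws:s3:::bucket-public-access-uw2",
   "Condition": {"StringLike": {"s3:prefix": "web-assets/lapis/*"}}},
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
   "Resource": "arn:aws:s3:::bucket-public-access-uw2/web-assets/lapis/*"}
]}
""")

def _glob_match(pattern, value):
    """IAM-style wildcard: '*' matches any run of characters (including none), '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def _as_list(v): return v if isinstance(v, list) else [v]

def is_allowed(action, resource, context=None):
    """Implicit deny unless an Allow statement matches action, resource and every StringLike
    condition. Not modelled (unused here): explicit Deny, other operators, IfExists."""
    context = context or {}
    for stmt in POLICY["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_glob_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue  # action names are case-insensitive in IAM
        if not any(_glob_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        conds = stmt.get("Condition", {}).get("StringLike", {})
        if all(k in context and _glob_match(p, context[k]) for k, p in conds.items()):
            return True  # a missing condition key (e.g. no s3:prefix) fails the condition
    return False

BUCKET = "arn:aws:s3:::bucket-public-access-uw2"

def expected_boundary():
    """Constructed requests a practitioner should check; values are the policy's decision."""
    return {
        "list lapis/ prefix": is_allowed("s3:ListBucket", BUCKET, {"s3:prefix": "web-assets/lapis/"}),
        "list bucket root": is_allowed("s3:ListBucket", BUCKET, {"s3:prefix": ""}),
        "list web-assets/": is_allowed("s3:ListBucket", BUCKET, {"s3:prefix": "web-assets/"}),
        "get lapis object": is_allowed("s3:GetObject", BUCKET + "/web-assets/lapis/app.js"),
        "get object outside": is_allowed("s3:GetObject", BUCKET + "/web-assets/other/app.js"),
        "delete lapis object": is_allowed("s3:DeleteObject", BUCKET + "/web-assets/lapis/old.css"),
        "delete bucket": is_allowed("s3:DeleteBucket", BUCKET),
    }
```

For the authoritative decision, the IAM policy simulator (`aws iam simulate-custom-policy`) evaluates the same JSON against the real engine, including condition keys this toy evaluator does not model.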