Amazon S3 SubAccount Bucket Access

[darrellchapman]

I have created a bucket in Amazon S3 and created a sub-account specifically for this bucket however SFFS gives me the following error when I attempt to browse or copy files to the bucket:

"Login failed. Please check your S3 access details..."

I think what is happening is that this S3 account doesn't have permissions to list all of my buckets and SFFS isn't accounting for that. I've explicitly set the bucket name in "Internet Protocol Settings" for S3 but that still doesn't work.

Has anyone else had this issue or could offer some advice please?

[superflexible]

Correct, this type of subaccount is currently not supported.

[darrellchapman]

Thanks for the reply. Any plans to implement it? This would allow me to use SFFS as the backup client for all of my customers.

[superflexible]

I would like to, but I can't find how to create a subaccount, can you help?

[darrellchapman]

Yes, I would be more than happy to help any way I can.

What I have done is created a new bucket in S3 under my master account. Then using Amazon's IAM (Identity and Access Manager) configuration page on the AWS management console, I added a new user. I then setup this user with their own unique Access Key ID and Secret Access Key to be used for authentication. Finally, I setup a policy that gives them access to their own bucket.

If you are unable to setup your own subaccount, I don't mind sharing mine for testing. I have already verified I can upload data to it using a different application however I think the problem with SFFS is that it's trying to list all buckets (which is not allowed for this user).

Let me know how you want to proceed and I'll gladly help you.

Darrell Chapman

[darrellchapman]

Here's a copy of the policy script that gives the user access to the bucket and all resources under that bucket. I've obviously changed the bucket name below...

Code: Select all

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:GetObjectAcl",
        "s3:PutObjectAcl",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::bucketnamehere/*",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketAcl"
      ],
      "Resource": "arn:aws:s3:::bucketnamehere",
      "Condition": {}
    }
  ]
}

[superflexible]

Hello,

great, if you could send credentials for testing to info@superflexible.com I can probably fix this quickly.

Cheers,
Tobias Giesen

[darrellchapman]

I sent you the credentials. Thanks for your help Tobias. I really appreciate it.