[Answer]-How are IAM Policies taken into account when accessing objects in buckets from Django Server

1👍

Personally, I would have assumed that whenever my “bucket_1” sees the
Django request from “user_1”, AWS was going to be like “Sorry user_1,
you can only access bucket_2”.

So this is the correct behavior. So if your user doesn’t have permissions to S3 this is what it would look like on the S3 console. In essence it shouldn’t tell you you can only access bucket_2 but it should tell you that you are not able to access bucket_1.

S3 Denied

I assume you are hosting your django app in an EC2 instance. By any chance have you started it with an IAM role that may have full access to S3? Something like this:

IAM

Keep in mind that if you want to restrict access to a bucket for a user and you want it to be able to list the bucket you need to allow the user to list all buckets because of the s3:ListAllMyBuckets action limitation. Your policy would look something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:GetObjectAcl",
        "s3:PutObjectAcl",
        "s3:ListBucket",
        "s3:GetBucketAcl",
        "s3:PutBucketAcl",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::bucket_2",
        "arn:aws:s3:::bucket_2/*"
      ],
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*",
      "Condition": {}
    }
  ]
}
👤Rico
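The answer's point is that access is decided by the IAM evaluation rules (default deny, explicit Deny beats Allow, Action and Resource matched with wildcards) against whatever identity the Django process is actually using, and that bucket-level calls such as s3:ListBucket are checked against the bucket ARN itself, not the `bucket/*` object ARN. The following offline evaluator is an added example, not code from the answer or from AWS: it models those rules for S3 so a policy like the one above can be sanity-checked before it is attached. Condition blocks, NotAction/NotResource, and resource-based or SCP policies are deliberately not modelled (that is an assumption of this toy), and the bucket name `bucket_2` is the one from the page.

```python
"""Offline IAM policy evaluator for S3 requests (added example, not AWS code).

Models three IAM evaluation rules for identity-based policies:
  1. everything is implicitly denied unless an Allow statement matches,
  2. an explicit Deny that matches always wins over any Allow,
  3. Action and Resource are matched with '*' (any run) and '?' (one char),
     Action matching being case-insensitive.
Not modelled (assumption of this toy): Condition blocks, NotAction/NotResource,
resource-based bucket policies, SCPs and permission boundaries.
"""
import re
from typing import Any, Dict, List


def _iam_match(pattern: str, value: str) -> bool:
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value: Any) -> List[str]:
    """IAM lets Action/Resource be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def evaluate(policy: Dict[str, Any], action: str, resource: str) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    allowed = False
    for stmt in policy.get("Statement", []):
        action_hit = any(_iam_match(p.lower(), action.lower()) for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_iam_match(p, resource) for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"          # explicit Deny short-circuits everything else
        if stmt.get("Effect") == "Allow":
            allowed = True         # keep scanning: a later Deny could still win
    return "Allow" if allowed else "ImplicitDeny"


def scoped_bucket_policy(bucket: str, object_level_only: bool = False) -> Dict[str, Any]:
    """Build the single-bucket policy from the answer.

    object_level_only=True reproduces a Resource of only "arn:aws:s3:::<bucket>/*",
    which covers object calls but not bucket-level calls such as s3:ListBucket;
    the default adds the bare bucket ARN so listing works as the answer intends.
    """
    resources = [f"arn:aws:s3:::{bucket}/*"]
    if not object_level_only:
        resources.insert(0, f"arn:aws:s3:::{bucket}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject", "s3:PutObject", "s3:GetObjectAcl", "s3:PutObjectAcl",
                    "s3:ListBucket", "s3:GetBucketAcl", "s3:PutBucketAcl", "s3:GetBucketLocation",
                ],
                "Resource": resources,
            },
            # s3:ListAllMyBuckets cannot be scoped to one bucket; it must be granted on "*".
            {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
        ],
    }


if __name__ == "__main__":
    # Constructed requests a Django app with restricted credentials might issue.
    checks = [
        ("s3:ListAllMyBuckets", "*"),
        ("s3:ListBucket", "arn:aws:s3:::bucket_2"),
        ("s3:GetObject", "arn:aws:s3:::bucket_2/uploads/report.csv"),
        ("s3:GetObject", "arn:aws:s3:::bucket_1/uploads/report.csv"),
    ]
    for label, policy in (("object-only Resource", scoped_bucket_policy("bucket_2", object_level_only=True)),
                          ("bucket + object Resource", scoped_bucket_policy("bucket_2"))):
        print(f"== {label}")
        for action, arn in checks:
            print(f"{action:22} {arn:50} -> {evaluate(policy, action, arn)}")
```

If the Django process on EC2 still reads bucket_1 after such a policy is attached to user_1, the usual cause is that boto3 is not using user_1 at all but the instance profile role, which sits higher in the credential chain than hard-coded keys only when no keys are configured. `aws sts get-caller-identity` run with the same environment as the Django process shows which principal is actually calling, and `aws iam simulate-principal-policy` evaluates the real policy set (including conditions and SCPs that this toy ignores) against specific actions and resource ARNs.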
