Using Amazon’s IAM, it is possible to provision fine-grained permissions to users for any of your AWS accounts.
I tried to set up such an IAM account for s3cmd, a popular command-line tool that I use all the time. But for some reason, s3cmd kept giving me 403 permission errors, even though I thought I had set up the buckets and permissions correctly.
But thanks to this blog from RegionGIS, I was able to find the problem and fix/test it.
I had initially set up the IAM permissions in the AWS console as something like this:
"Resource": [ "arn:aws:s3:::bucket/folder/" ]
But that isn’t quite right. It gives permission for the folder itself (the key "folder/"), but NOT for anything under it, because the ARN contains no wildcard to match the object keys beneath that prefix.
So the right permission is something like this (again set through the IAM web console):
"Resource": [ "arn:aws:s3:::bucket/folder/", "arn:aws:s3:::bucket/folder/*" ]
Once the IAM user is set up with folder permissions as above, s3cmd should merrily work and upload/download files as you have set it up!
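To see why the first Resource entry fails and the second works, here is an added example (not from the original post and not AWS code): a simplified Python model of how a Resource pattern is compared with an object ARN. The function names and sample object keys are constructed for illustration, and only the `*` and `?` wildcards are modelled; actions, conditions and policy variables are ignored.

```python
import re

def arn_pattern_to_regex(pattern):
    """Simplified model of IAM Resource matching: '*' matches any run of
    characters (including '/'), '?' matches one character, rest is literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)

def resource_allows(resources, object_arn):
    """True if any Resource pattern matches the whole object ARN."""
    return any(arn_pattern_to_regex(p).fullmatch(object_arn) for p in resources)

def uncovered(resources, object_arns):
    """Object ARNs that no Resource pattern covers (requests that would get 403)."""
    return [a for a in object_arns if not resource_allows(resources, a)]

# The two Resource lists from the post.
BEFORE = ["arn:aws:s3:::bucket/folder/"]
AFTER = ["arn:aws:s3:::bucket/folder/", "arn:aws:s3:::bucket/folder/*"]

# Constructed sample object ARNs (not real objects).
SAMPLE = [
    "arn:aws:s3:::bucket/folder/",
    "arn:aws:s3:::bucket/folder/report.txt",
    "arn:aws:s3:::bucket/folder/sub/data.csv",
    "arn:aws:s3:::bucket/folder-archive/old.txt",
    "arn:aws:s3:::bucket/other/secret.txt",
]

if __name__ == "__main__":
    for name, resources in (("before", BEFORE), ("after", AFTER)):
        print(name)
        for arn in SAMPLE:
            verdict = "match" if resource_allows(resources, arn) else "no match"
            print(f"  {verdict:8}  {arn}")
```

The trailing slash before the `*` matters for least privilege: `folder/*` covers everything under the folder, while sibling prefixes such as `folder-archive/` stay outside the grant.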