How to get the user's canonical ID for adding a S3 permission

Amazon Web-Services Problem Overview

I want to add a S3 permission for a specific user. The AWS console is asking me for the Canonical ID for the user. I used the AWS CLI command aws iam list-users to retrieve the list of users, but there was no "Canonical ID" field, and the "User ID" is not recognized, giving me an "Invalid ID" message. I tryied also with ARN and it did not work.

Amazon Web-Services Solutions

Solution 1 - Amazon Web-Services

To grant permissions to an IAM user on a bucket, you'll need to create a Bucket Policy - which is an JSON document. The "Access for other AWS accounts" option in the ACL is for granting access to other (wholly separate) root AWS accounts, not for granting access to IAM users within your own root account.

##Creating/Editing a Policy## To access the bucket policy, browse to a bucket in the S3 web console. There you'll see the Overview/Properties/Permissions/Management tabs. Under Permissions there is a sub-tab called "Bucket Policy". At the bottom of the Bucket Policy page there is a link to a "Policy Generator", which will generate the JSON for you. (or the direct link is http://awspolicygen.s3.amazonaws.com/policygen.html)

##Identifying an IAM User to Assign Rights To## To identify the IAM user you want to grant permissions to, you'll use an ARN (Amazon Resource Name). The ARN format for IAM users is as follows: "arn:aws:iam::{Account-ID}:user/{Username}" (note the curly braces aren't part of the format). An example IAM ARN looks like this: arn:aws:iam::100123456789:user/Daniel

To get your numeric account ID, sign in as the root user and click your user name in the upper right corner of the page and choose "My Account" (which takes you to https://console.aws.amazon.com/billing/home?#/account ). The account ID is listed under "Account Settings" at the top of the page.

Plug that user ARN into the "Principal" field of the policy generator, and choose which action(s) to grant to the user from the dropdown list.

##Specifying what to grant permissions on## To grant permissions to a bucket, or a set of files (objects) within a bucket you need to enter an ARN that identifies the bucket, or some subset of objects within the bucket into the "Amazon Resource Name" field (e.g. if I had a bucket called daniels-stuff and a folder in that bucket called images that I wanted to grant access to then I could provide an ARN such as arn:aws:s3:::daniels-stuff/images/*

Hit "Add Statement" when you've put in the necessary information and then hit "Generate Policy". Note you can put multiple statements (access right assignments) into the one policy.

##More Info## Finally, there is a good primer to s3 bucket policies at https://brandonwamboldt.ca/understanding-s3-permissions-1662/ which includes some example policies.

Good luck (although I assume you've probably solved your issue now, others may find this helpful).

Solution 2 - Amazon Web-Services

The user's canonical ID is easiest to find by calling, as the user whose ID you want to find, aws s3api list-buckets:

aws --profile PROD s3api list-buckets
{
    "Owner": {
        "DisplayName": "a-display-name",
        "ID": "a-64?-char-hex-string"  <<-- this HERE is the canonical user ID
    },
    "Buckets": [
        {
            "CreationDate": "2018-03-28T21:50:56.000Z",
            "Name": "bucket-1"
        },
        {
            "CreationDate": "2018-03-22T14:08:48.000Z",
            "Name": "bucket-2"
        }
    ]
}

With this ID, you can then call the s3api to grant access - eg to give read-access - like this:

aws --profile OTHER s3api put-object-acl \
    --bucket bucket-3 \
    --key path/to/file \
    --grant-read id="the-64-char-hex"

Solution 3 - Amazon Web-Services

For getting the canonical ID, one of the simplest ways is to use CLI and run aws s3api list-buckets command. You will get the ID in the output.

There are other ways also for getting the canonical ID and are clearly described in the aws docs: https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html

list-buckets aws docs: https://docs.aws.amazon.com/cli/latest/reference/s3api/list-buckets.html

Solution 4 - Amazon Web-Services

To find Canonical ID of account follow the below steps:

Click on your username which is located in the top menu bar.
A drop down will appear. Select My Security Credentials.
Canonical user ID is there

Solution 5 - Amazon Web-Services

You can also get your Canonical ID for your IAM user from the CLI command:

List all the buckets and your iam Canonical ID:

aws s3api list-buckets

And if you just want to get your Canonical ID:

aws s3api list-buckets | grep ID

Keep in mind, the above commands are done via CLI where you would have set up your profile already.

Solution 6 - Amazon Web-Services

1. Create a new policy using the following JSON

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": [
              "s3:ListAllMyBuckets"
          ],
          "Resource": "arn:aws:s3:::*"
      },
      {
          "Effect": "Allow",
          "Action": [
              "s3:ListBucket",
              "s3:GetBucketLocation"
          ],
          "Resource": "arn:aws:s3:::<your_bucket_name_here>"
      },
      {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
              "s3:PutObject",
              "s3:GetObject",
              "s3:ListBucket",
              "s3:DeleteObject",
              "s3:GetObjectVersion"
          ],
          "Resource": "arn:aws:s3:::<your_bucket_name_here>/*"
      }
  ]
}

**2. Assign the policy to the user or a user group

Note:

I kept on getting Access Denied (Status code: 403) errors because I was missing the first 2 objects in the JSON array above. You have to give your user permission to:

See all your buckets
List the specific bucket and get its location

before it even gets a chance to perform any actions on the bucket contents at all.

Solution 7 - Amazon Web-Services

How to view the Canonical ID in AWS.

In the top Click your user Account drop down box . Click My Security Credential. In the console  Click the Account Identifiers Pls don’s share your credential info. To view the Canonical ID in AWS

Pala ( VR.PL)

Solution 8 - Amazon Web-Services

Make sure to have * at the end of the line to grant permissions to everything!

arn:aws:s3:::daniels-stuff/images/*

Solution 9 - Amazon Web-Services

paste this in the terminal

aws s3api list-buckets --query "Owner.ID"

Solution 10 - Amazon Web-Services

There is another way to find your canonical name in case you are not the ROOT user,

You will need to log using CLI (using your access key and secret key) afterwards just type

aws iam list-users

and it will show the following information

{
    "Users": [
        {
            "UserName": "yoda",
            "PasswordLastUsed": "2018-02-24T17:47:15Z",
            "CreateDate": "2018-02-11T02:23:11Z",
            "UserId": "AIDASDY9WSX6QD",    <== Canonical Name
            "Path": "/",
            "Arn": "arn:aws:iam::7783412456453:user/yoda"
        }
    ]

Note: The User ID and ARN originals were edited :-)

I hope this will help

Neo

Content Type	Original Author	Original Content on Stackoverflow
Question	jigarzon	View Question on Stackoverflow
Solution 1 - Amazon Web-Services	Daniel Scott	View Answer on Stackoverflow
Solution 2 - Amazon Web-Services	Enda Farrell	View Answer on Stackoverflow
Solution 3 - Amazon Web-Services	Rathan	View Answer on Stackoverflow
Solution 4 - Amazon Web-Services	Sajid Javed	View Answer on Stackoverflow
Solution 5 - Amazon Web-Services	Stryker	View Answer on Stackoverflow
Solution 6 - Amazon Web-Services	RVP	View Answer on Stackoverflow
Solution 7 - Amazon Web-Services	user12069132	View Answer on Stackoverflow
Solution 8 - Amazon Web-Services	Rachael	View Answer on Stackoverflow
Solution 9 - Amazon Web-Services	ThomasP1988	View Answer on Stackoverflow
Solution 10 - Amazon Web-Services	Neo	View Answer on Stackoverflow