Monday, October 29, 2012

Allow Cyberduck to login to Amazon S3

If you have created a user in the Amazon IAM Console and want them to be able to connect to Amazon S3 with Cyberduck, you need to grant them permission to list all the buckets. Do this by attaching the following policy to the user:


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}


This means they can see all the buckets that exist on your account, but can't actually see the contents of them until policies granting access to specific buckets are applied.

This all comes about from the way Cyberduck does its initial login to Amazon S3.

Update: If you connect directly to the bucket by using its bucket name as part of the hostname (e.g. www.example.com.s3.amazonaws.com), you don't need to grant this permission, but you do get an SSL issue.
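The SSL issue mentioned in the update comes from certificate hostname matching: a wildcard name covers exactly one leftmost label, so a bucket name containing dots produces a hostname the certificate does not cover. The sketch below is an added example, not part of the original post or of Cyberduck; the certificate names in `S3_CERT_NAMES` are assumed for illustration, and the bucket name `backups` is constructed.

```python
# Added example: RFC 6125-style wildcard matching applied to
# virtual-hosted S3 hostnames. The names below are ASSUMED to be the
# subject alternative names on the endpoint certificate.
S3_CERT_NAMES = ["*.s3.amazonaws.com", "s3.amazonaws.com"]


def name_matches(pattern, hostname):
    """Return True if a certificate name covers the hostname.

    A leading '*' stands for exactly one non-empty label; it never
    spans a dot, so the label counts must be equal.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers(hostname, names=S3_CERT_NAMES):
    """True if any certificate name covers the hostname."""
    return any(name_matches(name, hostname) for name in names)


def virtual_hosted_name(bucket, endpoint="s3.amazonaws.com"):
    """Hostname used when the bucket name is part of the host."""
    return f"{bucket}.{endpoint}"


if __name__ == "__main__":
    # "backups" is a constructed bucket name; "www.example.com" is the
    # bucket from the post's example hostname.
    for bucket in ("backups", "www.example.com"):
        host = virtual_hosted_name(bucket)
        verdict = "certificate matches" if cert_covers(host) else "hostname mismatch"
        print(f"{host}: {verdict}")
```

A bucket name without dots avoids the mismatch. Turning off certificate verification in the client to get past the warning removes the protection TLS provides against an intercepted connection.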