All geek questions in one place

Can I get the canonical user ID from AWS IAM users, from the .NET API?

I successfully created the user, credentials, and bucket.
Now I need to provide access to this user.

Is there any way to get this CanonicalUser value from code?
The user IAM object provides only the values ​​of ARN, Path, UserId, and UserName, but none of them are suitable for the provision.

using (var s3 = new Amazon.S3.AmazonS3Client("[user_key]", "[secret_user_key]", RegionEndpoint.GetBySystemName("eu-west-1"))) { var response = s3.GetACL("[bucket_id]"); var acl = response.AccessControlList; acl.AddGrant( new S3Grantee() { CanonicalUser = **???** }, new S3Permission(S3Permission.FULL_CONTROL) ); s3.PutACL( new PutACLRequest() { AccessControlList = acl, BucketName = "[bucket_id]" } ); }
+5
source share
2 answers

You can easily get the CanonicalUser ID using the ListAllMyBuckets API [1] API (s3: ListAllMyBuckets permission required):

 $ aws s3api list-buckets --query Owner { "DisplayName": "lord-vader", "ID": "f420064cb076f772e10584fc40ab777c09f6b7d154342cf358f1bd1e573c9cf7" }

AWSJavaSDK uses the AmazonS3.getS3AccountOwner cover method [2].

+3
source

No, it’s not possible to get the canonical user ID from the code - you came across a somewhat strange and likely outdated aspect due to another way to manage access permissions for S3 resources , see the response of the AWS command to How to find out Canonical ID for IAM user? :

You cannot add IAM users to the ACL as a recipient. I will have updated documentation to clarify that IAM users are not supported in the ACL. There are several solutions you can use to give this user access to your Amazon S3 content: [...]

You might want to reconsider the use of the more universal S3 vector policy (see below) - however, if you have root access, you can find the canonical user ID associated with your AWS account, as described in β€œSpecifying a principal in policy "(remember that this is not so) t work with IAM user credentials):

  • Go to http://aws.amazon.com and from the My Account / Console drop-down menu, select Security Accounts .
  • Log in using the appropriate credentials.
  • Click Account IDs .

Once again, I emphasize that AWS strongly recommends using IAM users only these days, see, for example, Root account credentials and IAM user credentials :

Since you cannot manage the privileges of the root account credentials, you must store them in a safe place and use AWS user credentials for authentication and access control (IAM) for everyday work interaction with AWS instead.

This requirement of a canonical user ID for S3 is a rare exception and, as I said, is probably considered an outdated artifact due to the S3 level ACL prior to IAM, so it is best avoided if possible.

+2
source

Source: https://habr.com/ru/post/1206613/

More articles:


All Articles