Below are my configurations, and I'm still getting an Access Denied exception while trying to do PutBucketReplication from a Lambda.
Replication role policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:GetReplicationConfiguration",
"s3:GetObjectVersionForReplication",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersionTagging",
"s3:GetObjectRetention",
"s3:GetObjectLegalHold"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::<source bucket>",
"arn:aws:s3:::<source bucket>/*",
"arn:aws:s3:::<destination bucket>",
"arn:aws:s3:::<destination bucket>/*"
]
},
{
"Action": [
"s3:ReplicateObject",
"s3:ReplicateDelete",
"s3:ReplicateTags",
"s3:ObjectOwnerOverrideToBucketOwner"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::<source bucket>/*",
"arn:aws:s3:::<destination bucket>/*"
]
}
]
}
Lambda Role policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:us-west-2:<source account>:*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-west-2:<source account>:log-group:/aws/lambda/PutReplicationFunction:*"
]
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::*"
}
]
}
Source bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<source account>:role/service-role/PutReplicationFunction-role-pugxea1r"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::<source bucket>",
"arn:aws:s3:::<source bucket>/*"
]
}
]
}
IAM pass role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:PassRole"
],
"Resource": "*"
}
]
}
Input request:
client.put_bucket_replication(
Bucket='<source bucket>',
ReplicationConfiguration={
'Role': '<iam role used for replication>',
'Rules': [
{
"Priority": 0,
"DeleteMarkerReplication": {"Status": "Disabled"},
"Filter": {"Prefix": ""},
'Status': 'Enabled',
'Destination': {
'Bucket': 'arn:aws:s3:::<destination bucket>'
}
}
]
}
)
Response:
{
"errorMessage": "An error occurred (AccessDenied) when calling the PutBucketReplication operation: Access Denied",
"errorType": "ClientError",
"requestId": "10515e45-992c-46bf-a20d-cce84c47dbb7",
"stackTrace": [
" File \"/var/task/lambda_function.py\", line 7, in lambda_handler\n response = client.put_bucket_replication(\n",
" File \"/var/runtime/botocore/client.py\", line 391, in _api_call\n return self._make_api_call(operation_name, kwargs)\n",
" File \"/var/runtime/botocore/client.py\", line 719, in _make_api_call\n raise error_class(parsed_response, operation_name)\n"
]
}
I also tried adding the bucket policy on the destination account, but it is still not working.
Destination bucket policy:
{
"Version": "2012-10-17",
"Id": "",
"Statement": [
{
"Sid": "Set permissions for objects",
"Effect": "Allow",
"Principal": {
"AWS": "<iam role used for replication>"
},
"Action": [
"s3:ReplicateObject",
"s3:ReplicateDelete"
],
"Resource": "arn:aws:s3:::<destination bucket>/*"
},
{
"Sid": "Set permissions on bucket",
"Effect": "Allow",
"Principal": {
"AWS": "<iam role used for replication>"
},
"Action": [
"s3:List*",
"s3:GetBucketVersioning",
"s3:PutBucketVersioning"
],
"Resource": "arn:aws:s3:::<destination bucket>"
}
]
}
I'm trying to add a role to my instances in Terraform and I want to add a role with the AmazonElasticFileSystemsUtils policy attached to it. I got the JSON from the AWS console and added it to my Terraform code, but it's giving me this error: Error creating IAM Role (test_role): MalformedPolicyDocument: Has prohibited field Resource, saying the policy is malformed. Is there a different format that I have to use?
main.tf
resource "aws_iam_role" "role" {
name = "test_role"
path = "/"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeAssociation",
"ssm:GetDeployablePatchSnapshotForInstance",
"ssm:GetDocument",
"ssm:DescribeDocument",
"ssm:GetManifest",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:ListAssociations",
"ssm:ListInstanceAssociations",
"ssm:PutInventory",
"ssm:PutComplianceItems",
"ssm:PutConfigurePackageResult",
"ssm:UpdateAssociationStatus",
"ssm:UpdateInstanceAssociationStatus",
"ssm:UpdateInstanceInformation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"elasticfilesystem:DescribeMountTargets"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeAvailabilityZones"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"logs:PutLogEvents",
"logs:DescribeLogStreams",
"logs:DescribeLogGroups",
"logs:CreateLogStream",
"logs:CreateLogGroup",
"logs:PutRetentionPolicy"
],
"Resource": "*"
}
]
}
EOF
}
This is an incorrect assume_role_policy. The assume role policy specifies which IAM entity (IAM role, user or AWS service) can assume the role, not what permissions that entity has.
You should be using iam_role_policy to specify those permissions:
resource "aws_iam_role_policy" "test_policy" {
name = "test_policy"
role = aws_iam_role.role.id
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeAssociation",
"ssm:GetDeployablePatchSnapshotForInstance",
"ssm:GetDocument",
"ssm:DescribeDocument",
"ssm:GetManifest",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:ListAssociations",
"ssm:ListInstanceAssociations",
"ssm:PutInventory",
"ssm:PutComplianceItems",
"ssm:PutConfigurePackageResult",
"ssm:UpdateAssociationStatus",
"ssm:UpdateInstanceAssociationStatus",
"ssm:UpdateInstanceInformation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"elasticfilesystem:DescribeMountTargets"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeAvailabilityZones"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"logs:PutLogEvents",
"logs:DescribeLogStreams",
"logs:DescribeLogGroups",
"logs:CreateLogStream",
"logs:CreateLogGroup",
"logs:PutRetentionPolicy"
],
"Resource": "*"
}
]
}
EOF
}
I have an EKS cluster:
{
"cluster": {
"name": "cluster",
"arn": "arn:aws:eks:us-west-2:xxx:cluster/cluster",
"createdAt": "2022-10-04T18:24:38.786000-07:00",
"version": "1.23",
"endpoint": "https://xxx.gr7.us-west-2.eks.amazonaws.com",
"roleArn": "arn:aws:iam::xxx:role/eksrole",
"resourcesVpcConfig": {
"subnetIds": [
"subnet-08f0fc71",
"subnet-53032a18"
],
"securityGroupIds": [],
"clusterSecurityGroupId": "sg-06fa1aa90566a372e",
"vpcId": "vpc-0e09ba76",
"endpointPublicAccess": true,
"endpointPrivateAccess": false,
"publicAccessCidrs": [
"0.0.0.0/0"
]
},
"kubernetesNetworkConfig": {
"serviceIpv4Cidr": "10.100.0.0/16",
"ipFamily": "ipv4"
},
"logging": {
"clusterLogging": [
{
"types": [
"api",
"audit",
"authenticator",
"controllerManager",
"scheduler"
],
"enabled": false
}
]
},
"identity": {
"oidc": {
"issuer": "https://oidc.eks.us-west-2.amazonaws.com/id/18BD011EE7130A4BA313C555E62FB9FA"
}
},
"status": "ACTIVE",
xxx
},
"platformVersion": "eks.2",
"tags": {}
}
}
It has 1 node group which I added in UI (my account shown in UI arn:aws:iam::xxx9399:user/user)
aws eks list-nodegroups --cluster-name cluster
{
"nodegroups": [
"node-group"
]
}
I have no problems adding more node groups to the same cluster in UI, but when I use AWS CLI I get this error:
aws eks create-nodegroup --cluster-name cluster --nodegroup-name NG --subnets subnet-08f0fc71 subnet-53032a18 --node-role arn:aws:iam::xxx9399:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup
An error occurred (InvalidParameterException) when calling the CreateNodegroup operation: Following required service principals [ec2.amazonaws.com] were not found in the trust relationships of nodeRole arn:aws:iam::xxx9399:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup
I checked AWSServiceRoleForAmazonEKSNodegroup
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SharedSecurityGroupRelatedPermissions",
"Effect": "Allow",
"Action": [
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DescribeInstances",
"ec2:RevokeSecurityGroupEgress",
"ec2:DeleteSecurityGroup"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/eks": "*"
}
}
},
{
"Sid": "EKSCreatedSecurityGroupRelatedPermissions",
"Effect": "Allow",
"Action": [
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DescribeInstances",
"ec2:RevokeSecurityGroupEgress",
"ec2:DeleteSecurityGroup"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/eks:nodegroup-name": "*"
}
}
},
{
"Sid": "LaunchTemplateRelatedPermissions",
"Effect": "Allow",
"Action": [
"ec2:DeleteLaunchTemplate",
"ec2:CreateLaunchTemplateVersion"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/eks:nodegroup-name": "*"
}
}
},
{
"Sid": "AutoscalingRelatedPermissions",
"Effect": "Allow",
"Action": [
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:CompleteLifecycleAction",
"autoscaling:PutLifecycleHook",
"autoscaling:PutNotificationConfiguration",
"autoscaling:EnableMetricsCollection"
],
"Resource": "arn:aws:autoscaling:*:*:*:autoScalingGroupName/eks-*"
},
{
"Sid": "AllowAutoscalingToCreateSLR",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "autoscaling.amazonaws.com"
}
},
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*"
},
{
"Sid": "AllowASGCreationByEKS",
"Effect": "Allow",
"Action": [
"autoscaling:CreateOrUpdateTags",
"autoscaling:CreateAutoScalingGroup"
],
"Resource": "*",
"Condition": {
"ForAnyValue:StringEquals": {
"aws:TagKeys": [
"eks",
"eks:cluster-name",
"eks:nodegroup-name"
]
}
}
},
{
"Sid": "AllowPassRoleToAutoscaling",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "autoscaling.amazonaws.com"
}
}
},
{
"Sid": "AllowPassRoleToEC2",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEqualsIfExists": {
"iam:PassedToService": [
"ec2.amazonaws.com",
"ec2.amazonaws.com.cn"
]
}
}
},
{
"Sid": "PermissionsToManageResourcesForNodegroups",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"ec2:CreateLaunchTemplate",
"ec2:DescribeInstances",
"iam:GetInstanceProfile",
"ec2:DescribeLaunchTemplates",
"autoscaling:DescribeAutoScalingGroups",
"ec2:CreateSecurityGroup",
"ec2:DescribeLaunchTemplateVersions",
"ec2:RunInstances",
"ec2:DescribeSecurityGroups",
"ec2:GetConsoleOutput",
"ec2:DescribeRouteTables",
"ec2:DescribeSubnets"
],
"Resource": "*"
},
{
"Sid": "PermissionsToCreateAndManageInstanceProfiles",
"Effect": "Allow",
"Action": [
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:AddRoleToInstanceProfile"
],
"Resource": "arn:aws:iam::*:instance-profile/eks-*"
},
{
"Sid": "PermissionsToManageEKSAndKubernetesTags",
"Effect": "Allow",
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Resource": "*",
"Condition": {
"ForAnyValue:StringLike": {
"aws:TagKeys": [
"eks",
"eks:cluster-name",
"eks:nodegroup-name",
"kubernetes.io/cluster/*"
]
}
}
}
]
}
It shows the following Trusted entities
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks-nodegroup.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
I cannot add anything to Trust Relationships (entities are not editable)
I also have the AWSServiceRoleForAmazonEKSNodegroup policy with the AWSServiceRoleForAmazonEKSNodegroup role attached to it
aws iam get-policy --policy-arn arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForAmazonEKSNodegroup
{
"Policy": {
"PolicyName": "AWSServiceRoleForAmazonEKSNodegroup",
"PolicyId": "ANPAZKAPJZG4KH2AAMJJG",
"Arn": "arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForAmazonEKSNodegroup",
"Path": "/aws-service-role/",
"DefaultVersionId": "v6",
"AttachmentCount": 1,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"Description": "Permissions required for managing nodegroups in the customer's account. These policies related to management of the following resources: AutoscalingGroups, SecurityGroups, LaunchTemplates and InstanceProfiles.",
"CreateDate": "2019-11-07T01:34:26+00:00",
"UpdateDate": "2022-01-14T00:33:26+00:00",
"Tags": []
}
}
But I cannot attach it to my user
I would like to know what actions I need to perform to
be able to create a managed node group
add required service principals [ec2.amazonaws.com] in the trust relationships of nodeRole arn:aws:iam::xxx9399:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup
Thanks
You need to change eks-nodegroup.amazonaws.com to ec2.amazonaws.com in the permissions. At least that was my problem.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks-nodegroup.amazonaws.com" // change to ec2.amazonaws.com
},
"Action": "sts:AssumeRole"
}
]
}
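The two trust-policy errors quoted on this page, `Has prohibited field Resource` from the Terraform question and the missing `ec2.amazonaws.com` service principal reported by CreateNodegroup, can both be checked offline before a role is created or passed. This is an added example, not code from any of the posts; the function names are hypothetical, the sample documents are constructed from the policies quoted above, and `EC2_TRUST` assumes the role is meant for EC2 instances.

```python
import json

def as_list(value):
    """IAM accepts a single value or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(document, required_services=()):
    """Return findings for a role trust policy (assume_role_policy in Terraform)."""
    policy = json.loads(document) if isinstance(document, str) else document
    findings, trusted = [], set()
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        where = f"Statement[{i}]"
        # A trust policy says WHO may assume the role; it never carries Resource.
        if "Resource" in stmt or "NotResource" in stmt:
            findings.append(f"{where}: prohibited field Resource")
        actions = [a.lower() for a in as_list(stmt.get("Action"))]
        if any(not a.startswith("sts:") for a in actions):
            findings.append(f"{where}: non-STS actions belong in a permissions policy")
        principal = stmt.get("Principal")
        if principal is None:
            findings.append(f"{where}: missing Principal")
        elif (isinstance(principal, dict) and stmt.get("Effect") == "Allow"
              and "sts:assumerole" in actions):
            # Only Allow + sts:AssumeRole statements establish service trust.
            trusted.update(as_list(principal.get("Service")))
    missing = sorted(set(required_services) - trusted)
    if missing:
        findings.append(f"required service principals {missing} not in trust policy")
    return findings

# Constructed excerpt of the permissions JSON that was pasted into assume_role_policy.
PERMISSIONS_DOC = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["elasticfilesystem:DescribeMountTargets"],
   "Resource": "*"}]}"""

# Trust policy of the service-linked role, as quoted in the EKS question.
NODEGROUP_SLR_TRUST = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"Service": "eks-nodegroup.amazonaws.com"},
   "Action": "sts:AssumeRole"}]}"""

# Assumed trust policy for a role that EC2 instances assume.
EC2_TRUST = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
   "Action": "sts:AssumeRole"}]}"""

if __name__ == "__main__":
    print(audit_trust_policy(PERMISSIONS_DOC))
    print(audit_trust_policy(NODEGROUP_SLR_TRUST, ["ec2.amazonaws.com"]))
    print(audit_trust_policy(EC2_TRUST, ["ec2.amazonaws.com"]))
```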
We are in the process of moving all of our IAM users to AWS SSO.
We used to have this IAM policy for SageMaker:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"sagemaker:ListTags",
"sagemaker:DeleteNotebookInstance",
"sagemaker:StopNotebookInstance",
"sagemaker:CreatePresignedNotebookInstanceUrl",
"sagemaker:DescribeNotebookInstance",
"sagemaker:StartNotebookInstance",
"sagemaker:UpdateNotebookInstance"
],
"Resource": "arn:aws:sagemaker:::notebook-instance/${aws:username}*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"sagemaker:ListNotebookInstanceLifecycleConfigs",
"sagemaker:ListNotebookInstances",
"sagemaker:ListCodeRepositories"
],
"Resource": "*"
}
]
}
This would give each user access to use his/her own notebook in SageMaker.
Now on the new SSO permission set I gave this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"glue:CreateScript",
"secretsmanager:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"sagemaker:ListTags",
"sagemaker:DeleteNotebookInstance",
"sagemaker:StopNotebookInstance",
"sagemaker:CreatePresignedNotebookInstanceUrl",
"sagemaker:Describe*",
"sagemaker:StartNotebookInstance",
"sagemaker:UpdateNotebookInstance",
"sagemaker:CreatePresignedDomainUrl",
"sagemaker:*"
],
"Resource": "arn:aws:sagemaker:::notebook-instance/*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/Owner": "${identitystore:UserId}"
}
}
},
{
"Effect": "Allow",
"Action": [
"sagemaker:ListTags",
"sagemaker:Describe*",
"sagemaker:StartNotebookInstance"
],
"Resource": "*"
}
]
}
This is what I tried, but I can't make it work. Please assist.
I also tried using the attributes and many other things,
but I just can't make it work.
Please, if you have any suggestions.
Apparently on the SSO permission set we must write the region and account number of the resource,
so the fix was just adding that to the resource part like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"glue:CreateScript",
"secretsmanager:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"sagemaker:ListTags",
"sagemaker:DeleteNotebookInstance",
"sagemaker:StopNotebookInstance",
"sagemaker:CreatePresignedNotebookInstanceUrl",
"sagemaker:Describe*",
"sagemaker:StartNotebookInstance",
"sagemaker:UpdateNotebookInstance",
"sagemaker:CreatePresignedDomainUrl"
],
"Resource": "arn:aws:sagemaker:us-east-1:7XXXXXXXXX:notebook-instance/*",
"Condition": {
"StringEquals": {
"sagemaker:ResourceTag/Owner": "${identitystore:UserId}"
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"sagemaker:ListNotebookInstanceLifecycleConfigs",
"sagemaker:ListNotebookInstances",
"sagemaker:ListCodeRepositories"
],
"Resource": "*"
}
]
}
Thanks to Yash_c from repost.aws.
How do I create an IAM role inside a SAM template, like I did in the SAM package?
I tried the following:
"lambdaFunctionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com",
"apigateway.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
},
"ManagedPolicyArns": [
{
"Ref": "lambdaBasePolicy"
}
],
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"s3:*",
"dynamodb:*",
"iam:ListRoles",
"ses:*",
"events:*"
],
"Resource": "*"
}
]
}
}
]
}
}
It throws me an error: com.amazonaws.serverlessappsrepo.template.InvalidTemplateException: Resource with name [lambdaFunctionRole] is invalid. AWS::Serverless::Role is not a supported Serverless Apps Repository Type.
When publishing to the Serverless app repo, you need to take care to use only the supported resources in your SAM template.
In your case, you can skip creating the lambdaFunctionRole as a standalone resource and just create it inline in your function resource definition.
"lambdaFunction": {
"Type": "AWS::Serverless::Function",
"Policies": [
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"s3:*",
"dynamodb:*",
"iam:ListRoles",
"ses:*",
"events:*"
],
"Resource": "*"
}
]
}
]
}
Notice that I've only copied the PolicyDocument part of the Policies in the Role. See the Policies section in the SAM spec.
I'm trying to create a policy to only read/put/list my bucket and a dir in it.
I've written this policy:
{
"Version": "2014-05-19",
"Statement": [
{
"Effect": "Allow",
"Action": [ "s3:Put*", "s3:Get*" ],
"Resource": "arn:aws:s3:::<mybucket>/<mydirectoryinbucket>/*"
}
]
}
{
"Version": "2014-05-19",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Condition": { "StringLike": { "s3:prefix": "<mydirectoryinbucket>/*"} },
"Resource": "arn:aws:s3:::<mybucket>"
}
]
}
But I get an error on the last line of the first policy... the error is only a syntax error, with no additional information.
Where did I go wrong?
You're at the very least missing the principal, which defines the entity that is allowed or denied access to a resource.
I took your policy, added the wildcard * to denote 'any' principal, and regenerated it with the IAM Policy Generator. Try this:
{
"Id": "Policy1432045314996",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicGetAndPutPolicy",
"Action": [
"s3:Get*",
"s3:Put*"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::<mybucket>/<mydirectoryinbucket>/*",
"Principal": "*"
},
{
"Sid": "PublicListPolicy",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::<mybucket>",
"Condition": {
"StringLike": {
"s3:prefix": "<mydirectoryinbucket>/*"
}
},
"Principal": "*"
}
]
}
Documentation:
Specifying a Principal in a Policy
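A pre-flight check for the policy in this last question, treating it as a bucket policy the way the answer does. It reports the three things that differ between the question and the answer (two JSON documents pasted back to back, a `Version` that is not a policy language version, no `Principal`) and lists every `Allow` granted to `"Principal": "*"` so it can be reviewed before the policy is attached. This is an added example, not code from the posts; the function names are hypothetical and both samples are constructed from the policies quoted above.

```python
import json

VALID_VERSIONS = {"2012-10-17", "2008-10-17"}  # the only policy language versions

def split_documents(text):
    """Decode every top-level JSON value in text; a policy must be exactly one."""
    decoder, docs, pos = json.JSONDecoder(), [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        doc, pos = decoder.raw_decode(text, pos)
        docs.append(doc)
    return docs

def is_wildcard(principal):
    """True for "Principal": "*" and for {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return principal == "*"

def lint_bucket_policy(text):
    """Return findings for a policy meant to be attached to an S3 bucket."""
    docs, findings = split_documents(text), []
    if len(docs) != 1:
        findings.append(f"{len(docs)} JSON documents found, expected one policy")
    for d, doc in enumerate(docs):
        if doc.get("Version") not in VALID_VERSIONS:
            findings.append(f"doc {d}: invalid Version {doc.get('Version')!r}")
        stmts = doc.get("Statement", [])
        for s, stmt in enumerate(stmts if isinstance(stmts, list) else [stmts]):
            where = f"doc {d} Statement[{s}]"
            if "Principal" not in stmt and "NotPrincipal" not in stmt:
                findings.append(f"{where}: missing Principal")
            elif stmt.get("Effect") == "Allow" and is_wildcard(stmt.get("Principal")):
                # Review item: unless a Condition narrows the caller, this is public.
                findings.append(f"{where}: Allow {stmt.get('Action')} to any principal")
    return findings

# Constructed from the question: two documents back to back, no Principal.
QUESTION = """
{"Version": "2014-05-19", "Statement": [{"Effect": "Allow",
  "Action": ["s3:Put*", "s3:Get*"],
  "Resource": "arn:aws:s3:::<mybucket>/<mydirectoryinbucket>/*"}]}
{"Version": "2014-05-19", "Statement": [{"Effect": "Allow",
  "Action": "s3:ListBucket",
  "Condition": {"StringLike": {"s3:prefix": "<mydirectoryinbucket>/*"}},
  "Resource": "arn:aws:s3:::<mybucket>"}]}
"""
# Constructed from the answer: one document, Principal "*" on both statements.
ANSWER = """
{"Id": "Policy1432045314996", "Version": "2012-10-17", "Statement": [
 {"Sid": "PublicGetAndPutPolicy", "Action": ["s3:Get*", "s3:Put*"], "Effect": "Allow",
  "Resource": "arn:aws:s3:::<mybucket>/<mydirectoryinbucket>/*", "Principal": "*"},
 {"Sid": "PublicListPolicy", "Action": ["s3:ListBucket"], "Effect": "Allow",
  "Resource": "arn:aws:s3:::<mybucket>", "Principal": "*",
  "Condition": {"StringLike": {"s3:prefix": "<mydirectoryinbucket>/*"}}}]}
"""

if __name__ == "__main__":
    for name, text in (("question", QUESTION), ("answer", ANSWER)):
        print(name, *lint_bucket_policy(text), sep="\n  ")
```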