How to get the user's canonical ID for adding a S3 permission

To grant permissions to an IAM user on a bucket, you'll need to create a Bucket Policy - which is an JSON document. The "Access for other AWS accounts" option in the ACL is for granting access to other (wholly separate) root AWS accounts, not for granting access to IAM users within your own root account.

Creating/Editing a Policy

To access the bucket policy, browse to a bucket in the S3 web console. There you'll see the Overview/Properties/Permissions/Management tabs. Under Permissions there is a sub-tab called "Bucket Policy". At the bottom of the Bucket Policy page there is a link to a "Policy Generator", which will generate the JSON for you. (or the direct link is http://awspolicygen.s3.amazonaws.com/policygen.html)

Identifying an IAM User to Assign Rights To

To identify the IAM user you want to grant permissions to, you'll use an ARN (Amazon Resource Name). The ARN format for IAM users is as follows: "arn:aws:iam::{Account-ID}:user/{Username}" (note the curly braces aren't part of the format). An example IAM ARN looks like this: arn:aws:iam::100123456789:user/Daniel

To get your numeric account ID, sign in as the root user and click your user name in the upper right corner of the page and choose "My Account" (which takes you to https://console.aws.amazon.com/billing/home?#/account ). The account ID is listed under "Account Settings" at the top of the page.

Plug that user ARN into the "Principal" field of the policy generator, and choose which action(s) to grant to the user from the dropdown list.

Specifying what to grant permissions on

To grant permissions to a bucket, or a set of files (objects) within a bucket you need to enter an ARN that identifies the bucket, or some subset of objects within the bucket into the "Amazon Resource Name" field (e.g. if I had a bucket called daniels-stuff and a folder in that bucket called images that I wanted to grant access to then I could provide an ARN such as arn:aws:s3:::daniels-stuff/images/*

Hit "Add Statement" when you've put in the necessary information and then hit "Generate Policy". Note you can put multiple statements (access right assignments) into the one policy.

More Info

Finally, there is a good primer to s3 bucket policies at https://brandonwamboldt.ca/understanding-s3-permissions-1662/ which includes some example policies.

Good luck (although I assume you've probably solved your issue now, others may find this helpful).


The user's canonical ID is easiest to find by calling, as the user whose ID you want to find, aws s3api list-buckets:

aws --profile PROD s3api list-buckets
{
    "Owner": {
        "DisplayName": "a-display-name",
        "ID": "a-64?-char-hex-string"  <<-- this HERE is the canonical user ID
    },
    "Buckets": [
        {
            "CreationDate": "2018-03-28T21:50:56.000Z",
            "Name": "bucket-1"
        },
        {
            "CreationDate": "2018-03-22T14:08:48.000Z",
            "Name": "bucket-2"
        }
    ]
}

With this ID, you can then call the s3api to grant access - eg to give read-access - like this:

aws --profile OTHER s3api put-object-acl \
    --bucket bucket-3 \
    --key path/to/file \
    --grant-read id="the-64-char-hex"

For getting the canonical ID, one of the simplest ways is to use CLI and run aws s3api list-buckets command. You will get the ID in the output.

There are other ways also for getting the canonical ID and are clearly described in the aws docs: https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html

list-buckets aws docs: https://docs.aws.amazon.com/cli/latest/reference/s3api/list-buckets.html