Unable to attach IAM role in S3 bucket policy

[rajasekaran07]

Hi Team,

I am trying to provide my s3 bucket access to only specific IAM role instances. I applied below policy but it is not working.

{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "Stmt1371012493903",
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::(Account-no):role/(my-role)"
},
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}

Also I configured aws using aws configure with my temporary access and secret access key using curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ but still I am seeing

curl https://s3.amazonaws.com/my-bucket/myfile.json

AccessDeniedAccess Denied1C272502A24D780DYRP7gKyKfSQRzlKeOx/YpxHCjdh9AlBb80hcfwy9fjAAY9tlDNfmziRhfWzdIkDmgt/TWwT8Ink=

Regards,
Raja

[rajasekaran07]

I followed the below link and modified my s3 policy as below I am unable to curl in both account.
https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "",
"Action": "s3:",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::bucket/"
],
"Condition": {
"StringNotLike": {
"aws:userId": [
"AROAJZ45MYWZWL7SPA56W:",
"27*******646"
]
}
}
}
]
}

[robindierckx]

+1 would be great to have an example S3 bucket configuration policy for an access key