How to Grant Full Bucket Access in the Impossible Cloud Storage Console via UI
This guide shows how to create users, attach fine-grained inline policies, and control access permissions via the ICSC UI.
Overview
Impossible Cloud Storage is an S3-compatible storage service that includes support for industry-ready Identity and Access Management (IAM) features. These features enable root users to manage access and permissions for different IAM users in the Impossible Cloud Storage Console (ICSC) using users, policies, and groups.
To access resources, each IAM user must be assigned a policy, either directly via inline policies or through group assignments. Access keys created for a user will inherit that user’s permissions.
This guide explains how to assign a policy directly to an IAM user to grant access to a specific bucket. We will use an inline policy and generate an access key with matching permissions using the Impossible Cloud Storage Console (ICSC).
Step-By-Step Process
1. Create a New IAM User:
- Visit the user management page: https://console.impossiblecloud.com/users.
- Click on Add User and follow the instructions to create a new user.
2. Create an Inline Policy for the User:
- After the user has been created, click on the newly created user under the Users tab.
- Navigate to the Inline-Policies tab and click on Create New Policy.
- Define the policy to grant the user access to a specific bucket.
- Here is a simple example of such a policy that grants full access to a bucket named 'your-bucket':
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowFullAccessToOneBucket",
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": [
          "arn:aws:s3:::your-bucket",
          "arn:aws:s3:::your-bucket/*"
        ]
      },
      {
        "Sid": "AllowBucketListing",
        "Effect": "Allow",
        "Action": "s3:ListAllMyBuckets",
        "Resource": "*"
      }
    ]
  }
Why the policy has two statements
Statement 1 grants all S3 actions (s3:*) on the specified bucket and its objects. The two Resource entries cover the bucket itself (for operations like ListBucket) and the objects inside it (for operations like GetObject, PutObject, DeleteObject).
Statement 2 grants s3:ListAllMyBuckets, which allows the user to retrieve the list of all buckets in the storage account. This permission is required by many S3 clients to configure a connection.
Notes:
- "Action": "s3:*" allows all S3 actions.
- The Resource lines specify the bucket itself and all objects within it.
- The s3:ListAllMyBuckets statement allows the user to see the names of all buckets in the whole storage account. This is required by most S3 client tools to configure a connection to a particular bucket (e.g. a drop-down menu). The user will see all bucket names but cannot access objects in any bucket other than your-bucket. This is a standard S3 limitation: the ListBuckets API response cannot be filtered per bucket.
- To grant access to a different bucket, replace your-bucket with the name of the desired bucket.
- For more fine-grained permissions, you can modify the Action list to allow only specific actions such as s3:ListBucket for listing objects or s3:GetObject for downloading objects.
- Assigning an inline policy can also be done using the AWS CLI.
Tip: When creating your own policy, always validate the policy JSON with a JSON validator to prevent formatting errors.
3. Add Access Key:
- Go to the Access Keys tab of the IAM user you created and click on Add access key.
- The access key will inherit the permissions defined in the inline policy.
Why the IAM user can see all buckets but not access them
The s3:ListAllMyBuckets action returns the names of all buckets in the account. This is a standard S3 behavior and cannot be scoped to individual buckets. The S3 API does not support filtering the ListBuckets response by resource.
This means the IAM user will see the names of all buckets when listing them, but any attempt to read, write, or list objects in a bucket other than your-bucket will return an Access Denied error. The bucket names are visible, the content is not.
Note: If your use case does not require listing buckets at all (for example, a backup tool that connects directly to a known bucket), you can omit the second statement. The tool must then be configured with the exact bucket name and endpoint, because it will not be able to discover buckets by listing them.
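To make the behaviour of the two statements concrete (the full-access statement scoped to one bucket, and the ListAllMyBuckets statement that can only be granted on "*"), here is a small policy simulator. It is an added example, not code from Impossible Cloud or from the ICSC; it models the IAM decision logic only at a high level (explicit Deny wins, any matching Allow grants, otherwise implicit deny) and does not model Condition keys, NotAction/NotResource, or bucket policies. The read-only policy and the request list are constructed for the example, and the bucket names other than your-bucket are placeholders.

```python
import fnmatch
import json

# Inline policy from the guide: full access to one bucket plus bucket listing.
FULL_ACCESS_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowFullAccessToOneBucket", "Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::your-bucket", "arn:aws:s3:::your-bucket/*"]},
    {"Sid": "AllowBucketListing", "Effect": "Allow",
     "Action": "s3:ListAllMyBuckets", "Resource": "*"}
  ]
}
""")

# Constructed read-only variant following the guide's note on narrowing the
# Action list. The ListAllMyBuckets statement is deliberately omitted, as the
# guide describes for tools that connect directly to a known bucket.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowReadOnlyOneBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::your-bucket", "arn:aws:s3:::your-bucket/*"]}
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """Action names match case-insensitively; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    """Resource ARNs match case-sensitively with the same wildcards."""
    return fnmatch.fnmatchcase(resource, pattern)


def is_allowed(policy, action, resource):
    """Simplified evaluation of one identity policy: an explicit Deny wins,
    any matching Allow grants, and with no match the request is implicitly denied.
    Conditions, NotAction/NotResource and bucket policies are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
        resource_hit = any(_resource_matches(p, resource) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed requests an S3 client would make. ListAllMyBuckets is not tied to
# any bucket, so its request resource is "*": that is why the guide's second
# statement needs "Resource": "*" and why it cannot be narrowed to one bucket.
REQUESTS = [
    ("s3:ListAllMyBuckets", "*"),
    ("s3:ListBucket", "arn:aws:s3:::your-bucket"),
    ("s3:GetObject", "arn:aws:s3:::your-bucket/reports/2024.csv"),
    ("s3:PutObject", "arn:aws:s3:::your-bucket/reports/2024.csv"),
    ("s3:ListBucket", "arn:aws:s3:::other-bucket"),
    ("s3:GetObject", "arn:aws:s3:::other-bucket/secret.txt"),
]


def simulate(policy, requests=REQUESTS):
    """Return {(action, resource): allowed} for each request under the policy."""
    return {(a, r): is_allowed(policy, a, r) for a, r in requests}


if __name__ == "__main__":
    for name, policy in (("full access", FULL_ACCESS_POLICY), ("read only", READ_ONLY_POLICY)):
        print(f"--- {name} ---")
        for (action, resource), ok in simulate(policy).items():
            print(f"{('ALLOW' if ok else 'DENY'):5}  {action:22}  {resource}")
```

Running it shows the split the guide describes: under the full-access policy, listing buckets and every action on your-bucket is allowed, while ListBucket or GetObject on other-bucket is denied even though its name appears in the ListBuckets response. Under the read-only variant, PutObject on your-bucket and ListAllMyBuckets are both denied, so a client using that key must be given the bucket name and endpoint explicitly.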
Links and References
Learn more about the Impossible Cloud Storage IAM Features in our documentation.