Tags: amazon-s3, amazon-eks, aws-iam-policy, aws-s3-client

AWS S3: 403 when listing objects, but not when creating objects


I have an AWS IAM policy with two rules, both referring to the same specific path in an S3 bucket. Users can only list/manage files inside that path.

Managing actions works fine (creating/uploading, deleting), but when it comes to LISTING files (the first rule), I get a 403 in that specific path or anything inside it (and of course, outside of it).

The EKS service is an extremely simple and barebones Quarkus app; it only has the S3 dependency and essential stuff. No other service has access to it using that policy.

First post, so please forgive me if I'm missing any information or question format. I searched around but none of the related solutions worked for me, so my JSON must have something wrong specifically when being read by AWS.

Thank you in advance.

NOTE: the code below does not include the action that works, only the part that doesn't.

{
  "Statement": [
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::mybucket/folderA/subfolder/*"
      ],
      "Sid": "ListObjectsInBucket"
    }
  ],
  "Version": "2012-10-17"
}

I used this documentation as a basis (except the console access part): https://docs.amazonaws.cn/en_us/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket-console.html



SOLUTION AFTER CORRECT ANSWER

Using the answer given, I added a condition to the rule in line 12 and beyond, specifying the path, while line 10 only refers to the bucket name. The below policy works like a charm now:

{
  "Statement": [
    {
      "Sid": "ListObjectsInBucket",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucket"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": "folderA/subfolder/*"
        }
      }
    }
  ],
  "Version": "2012-10-17"
}

Solution

  • You are not allowing access to the bucket, but that needs to be there to be able to list the bucket's contents. folderA/subfolder/ etc. is actually a key in the bucket. Remember that in the GUI you may see it like a folder, but in reality everything is flat, directly in the bucket as key-value pairs, the value being the content.

    If you look carefully in the link you sent, you will see that there is a permission to the bucket above the one for the object as well:

    {
      "Sid": "ListObjectsInBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": ["arn:aws:s3:::bucket-name"]
    }
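To see why the resource ARN decides this, here is an added example that is not part of the question or the answer: a small Python simulation of IAM's Allow/Deny logic run against the broken and the fixed policy. The bucket name `mybucket`, the ListBucket-only scope and the StringLike-only condition handling are assumptions of this toy evaluator, not AWS's real engine.

```python
import fnmatch

# Constructed stand-ins for the two policies in the post (bucket name is a placeholder).
# Broken: the Resource is an object ARN, but s3:ListBucket is evaluated against the bucket ARN.
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ListObjectsInBucket", "Effect": "Allow", "Action": ["s3:ListBucket"],
    "Resource": ["arn:aws:s3:::mybucket/folderA/subfolder/*"]}]}

# Fixed: Resource is the bucket ARN; the key scope moves into an s3:prefix condition.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ListObjectsInBucket", "Effect": "Allow", "Action": ["s3:ListBucket"],
    "Resource": ["arn:aws:s3:::mybucket"],
    "Condition": {"StringLike": {"s3:prefix": "folderA/subfolder/*"}}}]}


def _matches(patterns, value):
    """IAM-style glob match: '*' and '?' wildcards, case-sensitive for ARNs and keys."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def evaluate(policy, action, resource, context):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow,
    otherwise implicit deny. Only StringLike is modelled; a condition key that is absent
    from the request context never satisfies the condition (the no-prefix listing case)."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        conds = stmt.get("Condition", {}).get("StringLike", {})
        if any(k not in context or not _matches(pat, context[k]) for k, pat in conds.items()):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def can_list(policy, bucket, prefix=None):
    """ListBucket is a bucket-level call: the resource IAM checks is the bucket ARN,
    never an object key. The requested prefix only shows up as the s3:prefix context key."""
    ctx = {} if prefix is None else {"s3:prefix": prefix}
    return evaluate(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}", ctx)


if __name__ == "__main__":
    print("broken, in scope :", can_list(BROKEN_POLICY, "mybucket", "folderA/subfolder/"))
    print("fixed, in scope  :", can_list(FIXED_POLICY, "mybucket", "folderA/subfolder/"))
    print("fixed, elsewhere :", can_list(FIXED_POLICY, "mybucket", "folderB/"))
    print("fixed, no prefix :", can_list(FIXED_POLICY, "mybucket"))
```

The last case is the caveat to keep in mind when reviewing such a policy: a listing with no prefix at all (the bucket root) is still denied by the fixed policy, because the s3:prefix key is absent and StringLike has nothing to match.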