I have followed this blog in order to set up my AWS IAM and S3 accounts with Web Identity Federation. I am able to authenticate and receive session credentials and tokens all fine. I am also able to download and upload objects. However, I am getting "access denied" on the following ListMultipartUploads request:
var request = new ListMultipartUploadsRequest()
{
    BucketName = bucketName,
    Prefix = $"{UserId}/"
};
var response = await s3Client.ListMultipartUploadsAsync(request);
The access policy attached to my IAM role is:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::mybucket/${myidentityprovider:userId}/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": "${myidentityprovider:userId}/"
        }
      }
    }
  ]
}
As you can see, I have the permission "s3:ListBucketMultipartUploads", so the user should be able to perform ListMultipartUploads on their buckets. What am I doing wrong?
Per AWS documentation, s3:prefix is not a valid condition key for ListBucketMultipartUploads. I'm running into the same issue as well, and it's unfortunate because when using Spark to write to S3 with the recommended s3a committers, this permission is required. Would love to see what others have come up with to work around the issue.
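To make the answer's point concrete, here is an added example (not from the question, the answer, or AWS) that models how IAM evaluates the second statement: a StringLike condition on a key that is absent from the request context never holds, so a ListBucketMultipartUploads request, which carries no s3:prefix key, is never matched and falls through to the implicit deny. The evaluator is a deliberately simplified model (Allow statements, wildcard action/resource matching, StringLike conditions only), USER_ID is a constructed value standing in for ${myidentityprovider:userId}, and the CORRECTED policy is my suggested split, not something the page states.

```python
import fnmatch

USER_ID = "user-123"            # constructed stand-in for ${myidentityprovider:userId}
BUCKET = "arn:aws:s3:::mybucket"  # bucket ARN from the question


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_matches(stmt, action, resource, context):
    """Simplified IAM matching: action and resource must match (wildcards allowed)
    and every StringLike condition must hold. A condition key that is missing from
    the request context does not hold, so the whole statement fails to apply."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    for key, pattern in stmt.get("Condition", {}).get("StringLike", {}).items():
        if key not in context or not fnmatch.fnmatchcase(context[key], pattern):
            return False
    return True


def is_allowed(policy, action, resource, context):
    """Allow only if some Allow statement matches; otherwise implicit deny."""
    return any(s["Effect"] == "Allow" and statement_matches(s, action, resource, context)
               for s in policy["Statement"])


# The bucket-level statement from the question, variable already substituted.
ORIGINAL = {"Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:ListBucketMultipartUploads"],
     "Resource": [BUCKET],
     "Condition": {"StringLike": {"s3:prefix": f"{USER_ID}/"}}},
]}

# Suggested split: keep the prefix condition on ListBucket (where s3:prefix exists) and
# grant ListBucketMultipartUploads without it. Caveat: the principal can then list every
# in-progress upload key in the bucket; the object-level statement in the question still
# limits AbortMultipartUpload/PutObject/GetObject/DeleteObject to the user's own prefix.
CORRECTED = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [BUCKET],
     "Condition": {"StringLike": {"s3:prefix": f"{USER_ID}/"}}},
    {"Effect": "Allow", "Action": ["s3:ListBucketMultipartUploads"], "Resource": [BUCKET]},
]}
```

Run `is_allowed(ORIGINAL, "s3:ListBucketMultipartUploads", BUCKET, {})` to reproduce the denial, and the same call against CORRECTED to see it pass.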