Skip to main content
In this lesson, we’ll explore how to grant an IAM user temporary upload access to an S3 bucket by using session policies. Our user currently has a policy allowing only the s3:GetObject action, but now needs permission to upload files (s3:PutObject). We’ll create a session policy, attach the upload permissions to it, and generate temporary credentials that enforce both the user’s existing rights and the new session policy.
The image illustrates a process for allowing temporary uploads to an S3 bucket, involving an IAM user, a policy for S3:GetObject, and temporary keys with a session policy for S3:PutObject.

What Are Session Policies?

Session policies are inline JSON policies you pass when you assume a role. They:
  • Define the maximum permissions an IAM principal can have during a session
  • Are temporary and apply only for the session’s duration
  • Further restrict permissions granted by identity or resource policies
  • Enable fine-grained, scenario-specific access control
The image explains session policies, highlighting their role in defining maximum permissions for IAM users, their temporary nature, and their use in conjunction with IAM roles for granular access control.
Session policies never grant more permissions than allowed by the user’s identity or resource policies. They only tighten the scope for the session.

Demo: Granting Temporary Upload Access

In this demo, we will:
  1. Identify an IAM user with read-only S3 access
  2. Create a session policy granting s3:PutObject
  3. Assume a role with that session policy to obtain temporary credentials
  4. Verify the ability to upload objects to the bucket
First, sign in to the AWS Management Console, navigate to IAM, and begin creating the session policy.
The image is a slide titled "Create Session Policies" with a graphic of a person pointing to a "Demo" sign, and instructions for allowing S3 read-only access to upload files to an S3 bucket.

1. Create the Session Policy JSON

Save the following JSON as session-policy.json. Replace YOUR_BUCKET_NAME with your actual bucket name. 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
    }
  ]
}

2. Assume the Role with Session Policy

Use the AWS CLI to assume the role and apply your session policy: 
aws sts assume-role \
  --role-arn arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME \
  --role-session-name uploadSession \
  --policy file://session-policy.json \
  --duration-seconds 3600
This returns temporary credentials: 
{
  "Credentials": {
    "AccessKeyId": "ASIAXXXX...",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
    "SessionToken": "IQoJb3JpZ2luX2VjEO3//////////wEaCXVzLWVhc3QtMSJGMEQCH3...",
    "Expiration": "2023-08-01T12:34:56Z"
  }
}

3. Export Temporary Credentials

export AWS_ACCESS_KEY_ID="ASIAXXXX..."
export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY"
export AWS_SESSION_TOKEN="IQoJb3JpZ2luX2VjEO3//////////wEaCXVzLWVhc3QtMSJGMEQCH3..."
These credentials are temporary. Do not commit them to source control or share them publicly.

4. Verify Upload Capability

Now try uploading a file: 
echo "Hello, S3!" > test.txt
aws s3 cp test.txt s3://YOUR_BUCKET_NAME/
If successful, you’ve confirmed that the session policy is working as expected.

Policy Comparison

Policy TypeScopeDurationPurpose
Identity PolicyUser or RolePermanentGrants base permissions
Session PolicySTS SessionTemporaryRestricts permissions during a session

Watch Video