While S3 standards for Simple Storage Service, there are a number of configuration options for rights management that are somewhat complex, and not presented in the same way through the console as are available through either the API or the AWS console. Had I known these things earlier, I would have been saved time.
1. An Amazon Retail Account is Linked to an AWS Account
2. The set of rights shown on the console does NOT align with the rights through the API.
As shown, the available rights for the Grantee are only:
This is a dramatic oversimplification of the control available through bucket policies and the API. For example, upload and delete rights are separate privileges, allowing you to create an account which can provide new files to S3 in a bucket, but doesn’t the right to delete anything, even files uploaded through that account.
3. The rename function requires delete privileges
I can’t find this documented, but renaming any resource, including a folder, requires that delete privileges be granted. That’s an unfortunate limitation, since it might be useful to doanything but remove data. Still, better to plan ahead, knowing you can’t rename.
4. Renaming a file through the console without permissions fails silently
This seems like a bug, but rename simply doesn’t succeed. Your only indication of failure is that the file is not updated to the new name in your browser.
5. S3 Doesn’t Support Directories, But…
Creating a “directory” doesn’t behavior as it does on an operating system, but neither is it merely a simulation. You can create a “directory” that’s empty and something is there on the system. But you can also change your mind about what character separates virtual path elements.