How to share a folder via S3 bucket policy in federated identities context?


If you want to create a central storage for logs coming from many AWS accounts and share these logs respectively with their owners, this official AWS knowledge article explains how to do this very well with IAM based users.

However, I fail to understand how to do the same if you use federated identities (SAML).

Let's assume you have accounts 111111111111 and 222222222222 logging to a bucket in the account 999999999999. For simplicity, let's reference these as A1, A2 and A9.

Further, accounts A1 and A2 can be accessed by federated users allowed to assume the role ADMIN, and have CloudTrail logging to the bucket BUCKET in A9.

So I have so far the following bucket policy. For simplicity, statement blocks have got Sids (statement IDs) 1, 2, 3 and 4.

The problem:

  • ADMIN from A1 can explore the folder structure in the bucket folder AWSLogs/111111111111/* but an attempt to download an object leads to the "access denied" error.

How come? What is missing?

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::BUCKET"
    },
    {
      "Sid": "2",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::BUCKET/AWSLogs/111111111111/*",
        "arn:aws:s3:::BUCKET/AWSLogs/222222222222/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Sid": "3",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:role/ADMIN"
      },
      "Action": [
        "s3:List*"
      ],
      "Resource": "arn:aws:s3:::BUCKET",
      "Condition": {
        "StringLike": {
          "s3:prefix": "AWSLogs/111111111111/*"
        }
      }
    },
    {
      "Sid": "4",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:role/ADMIN"
      },
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": "arn:aws:s3:::BUCKET/AWSLogs/111111111111/*"
    }
  ]
}
```










  • The "s3:Get*" is missing in the first Action array
    – Yoga, Mar 5 at 14:59

  • Applying this (add "s3:Get*" in the first Action), I get the error on saving the policy: "Conditions do not apply to combination of actions and resources in statement ".
    – J. Doe, Mar 5 at 15:45

  • Sharing access to objects varies by the way the objects were created, and the "AWSLogs" prefix implies that these logs were created by an AWS service, which carries an additional caveat that the role can only be a role from the same account that owns the bucket, thus this example is only viable where account 111111111111 is the owner of both the bucket and the role. Confirm that this is what you are doing? Otherwise you'd be able to list but not get.
    – Michael - sqlbot, Mar 5 at 17:01

  • Hi, @Michael-sqlbot, thanks for your input! Your guess is right so I have extended the question to achieve full context transparency. Do you mean, the problem is that if I try to download an object, the canned ACL from Sid2 kicks in? But if so, why does the current configuration of the bucket policy still allow for browsing log folders (Sid3)?
    – J. Doe, Mar 6 at 6:48
















amazon-web-services amazon-s3






edited Mar 8 at 9:34 by J. Doe

asked Mar 5 at 14:41 by J. Doe






