Proper S3 permissions for users uploading CarrierWave image files

At the end of chapter 11 of the Rails tutorial by Michael Hartl, I was able to enable user uploads to the Amazon S3 service by creating a bucket, using IAM to create the user, and giving that user the AmazonS3FullAccess policy. It feels dirty and very insecure to let an unknown user on my website have full access to the bucket just for uploading images to my website, and I'm not sure whether I should feel that way. I created a custom policy in

What it is:

  {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Sid": "Stmt1445501067518",
           "Action": [
             "s3:GetObject",
             "s3:PutObject"
           ],
           "Effect": "Allow",
           "Resource": "arn:aws:s3:::bucketname"
         }
       ]
    }

I am not sure of my decision and cannot find answers to my search queries on how best to do this. I use carrierwave (with the intent to use carrierwave_direct for my own project), fog and mini_magick.

+5
1 answer

The best and probably the safest way to let users upload files to your site (e.g. to S3) is to use browser-based uploads.

This lets users upload directly to S3 without going through your servers. On your servers, you simply create a request signature using your access keys.

You can read more about this here: Browser-Based Uploads Using POST

I am not familiar with CarrierWave, but you may find this useful: Direct upload to S3 in Rails

+4
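The browser-based POST upload the answer describes, as an added example that is not code from the question, the answer, or the CarrierWave project: the Rails server signs a short-lived upload policy with AWS Signature Version 4 and hands only the resulting form fields to the browser, so the secret key never leaves the server and the browser can only upload objects that match the signed conditions (key prefix, `image/*` content type, size limit). The bucket name, region, access key, secret key and key prefix are placeholders, and `policy_allows?` is a local model of the checks S3 itself performs on a submitted form, included so the restrictions can be exercised offline. With this setup the IAM user whose keys sign the policy needs only `s3:PutObject` on the object ARN `arn:aws:s3:::bucketname/uploads/*`, not AmazonS3FullAccess; note also that `s3:GetObject` and `s3:PutObject` are object-level actions, so a policy whose Resource is the bare bucket ARN `arn:aws:s3:::bucketname` (without `/*`) grants nothing for them.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'time'

# Server-side half of an S3 browser-based POST upload (SigV4).
# Only the returned form fields go to the browser; the secret key stays here.
module S3BrowserUpload
  ALGORITHM = 'AWS4-HMAC-SHA256'

  def self.hmac(key, data)
    OpenSSL::HMAC.digest('sha256', key, data)
  end

  # SigV4 signing-key derivation: date -> region -> service -> terminator.
  def self.signing_key(secret_key, date_stamp, region)
    k_date    = hmac("AWS4#{secret_key}", date_stamp)
    k_region  = hmac(k_date, region)
    k_service = hmac(k_region, 's3')
    hmac(k_service, 'aws4_request')
  end

  # Builds the hidden form fields for one upload. All values are placeholders
  # supplied by the caller; nothing here is tied to a real account.
  def self.build_form_fields(bucket:, region:, access_key:, secret_key:, key_prefix:,
                             now: Time.now.utc, max_bytes: 5 * 1024 * 1024, ttl_seconds: 600)
    date_stamp = now.strftime('%Y%m%d')
    amz_date   = now.strftime('%Y%m%dT%H%M%SZ')
    credential = "#{access_key}/#{date_stamp}/#{region}/s3/aws4_request"

    # The policy is what S3 enforces: the browser may only upload into
    # key_prefix, only image/* content types, only up to max_bytes, and only
    # until the expiration time.
    policy = {
      'expiration' => (now + ttl_seconds).iso8601,
      'conditions' => [
        { 'bucket' => bucket },
        ['starts-with', '$key', key_prefix],
        ['starts-with', '$Content-Type', 'image/'],
        ['content-length-range', 0, max_bytes],
        { 'x-amz-algorithm' => ALGORITHM },
        { 'x-amz-credential' => credential },
        { 'x-amz-date' => amz_date }
      ]
    }
    encoded_policy = Base64.strict_encode64(JSON.generate(policy))
    signature = OpenSSL::HMAC.hexdigest('sha256',
                                        signing_key(secret_key, date_stamp, region),
                                        encoded_policy)
    {
      'key'              => "#{key_prefix}${filename}",
      'policy'           => encoded_policy,
      'x-amz-algorithm'  => ALGORITHM,
      'x-amz-credential' => credential,
      'x-amz-date'       => amz_date,
      'x-amz-signature'  => signature
    }
  end

  # Local model of the condition checks S3 performs on the submitted form,
  # so the effect of the signed policy can be seen without a bucket.
  def self.policy_allows?(fields, key:, content_type:, size:)
    policy = JSON.parse(Base64.strict_decode64(fields['policy']))
    policy['conditions'].all? do |cond|
      if cond.is_a?(Hash)
        true # exact-match fields are copied from the signed form itself
      elsif cond[0] == 'starts-with'
        actual = { '$key' => key, '$Content-Type' => content_type }.fetch(cond[1])
        actual.start_with?(cond[2])
      elsif cond[0] == 'content-length-range'
        size.between?(cond[1], cond[2])
      else
        false
      end
    end
  end
end

if __FILE__ == $0
  # Placeholder credentials; a real app reads these from its environment.
  fields = S3BrowserUpload.build_form_fields(
    bucket: 'example-bucket', region: 'us-east-1',
    access_key: 'AKIAEXAMPLE', secret_key: 'example-secret-key',
    key_prefix: 'uploads/'
  )
  puts JSON.pretty_generate(fields)
end
```

The browser posts the file plus these fields to `https://example-bucket.s3.amazonaws.com/` as a multipart form; S3 recomputes the signature from the policy and rejects any form whose fields fall outside the signed conditions, which is why a user who tampers with the key or content type in the browser gains nothing.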

Source: https://habr.com/ru/post/1234252/
