What should be my IAM policy so that my-user can access the Amazon S3 bucket called my-bucket ?
Currently, I have the following policy assigned by my-user :
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::my-bucket"] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Resource": ["arn:aws:s3:::my-bucket/*"] } ] }
I got this policy from "Example 1" at the following link:
http://blogs.aws.amazon.com/security/post/Tx3VRSWZ6B3SHAV/Writing-IAM-Policies-How-to-grant-access-to-an-Amazon-S3-bucket
In my production.rb file, I applied configuration options to tell paperclip to use S3:
config.paperclip_defaults = { :storage => :s3, :s3_credentials => { :bucket => 'my-bucket', :access_key_id => ENV['AWS_ACCESS_KEY_ID'], :secret_access_key => ENV['AWS_SECRET_ACCESS_KEY'] } }
When I try to use my application to upload photos, I get an AWS::S3::Errors::AccessDenied .
Oddly enough, if I load the rail console and run the following code to manually download the file, it works correctly:
s3 = AWS::S3.new(access_key_id: ENV['AWS_ACCESS_KEY_ID'], secret_access_key: ENV['AWS_SECRET_ACCESS_KEY']) bucket = s3.buckets['my-bucket'] obj = bucket.objects['new_file'] obj.write(Pathname.new('/path/to/file'))
This correctly uploads the file to my S3 bucket. I am confused why I explicitly have permission to download the file this way, but when I try to do this using paperclip with the same credentials, I get permission denied.
Even more confusing, when I assign the AdministratorAccess policy to my-user , paperclip can successfully load the file.
Any idea how I can solve this?