Writing an IAM Policy and CORS Configuration for Amazon S3

Question

Writing an IAM Policy and CORS Configuration for Amazon S3

I am very new to all of this, but I was able to upload an avatar / image downloader to work in my Rails application. A user can upload a new avatar to my S3 bucket, and the avatar will appear in the web application.

To this end, I had to provide the user with the "AmazonS3FullAccess" policy. This seems too big, because the user from the application only needs to write (upload his avatar) and read (show the avatar on the web page).

Do you agree that it is better to write your own policy and not use AmazonS3FullAccess? If so, I tried the policy code (adopted from here ) below, but it did not work (403 Forbidden error while trying to load avatar image). Any suggestions for fixing this code?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::mybucket"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::mybucket/*"]
    }
  ]
}

+4

ruby-on-rails cloud amazon-s3 amazon-web-services amazon-iam

Nick May 20, '15 at 19:00

source share

1 answer

Nycen · Accepted Answer · 2015-05-20T21:47:38+0000

I grew up trying to figure out the correct configuration. Here is one that works for me:

{
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:DeleteObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::mybucket/*",
                "arn:aws:s3:::mybucket"
            ]
        }
    ]
}

( " " ), . API/Access, " " . , .

, , "": "*", @therealprashant , . docs .

CORS. S3, , ( ) "", .

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>http://*.example.com</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
    <CORSRule>
        <AllowedOrigin>http://example.com</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

CORSRule, , https.

, .

Edit

, .

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:DeleteObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/*",
                "arn:aws:s3:::mybucket"
            ]
        }
    ]
}

. "" (, ) IAM, , IAM. "" , .

Writing an IAM Policy and CORS Configuration for Amazon S3

More articles: