Setting the owner of objects in the S3 bucket

I experimented with S3 and they have this cool feature where you can set the ACL on the contents of the bucket using the bucket policy. So, for example, you can have a bunch of files with the actual ACL in the file set to private, but the file becomes available to certain users / IP addresses / referrers through an overriding policy.

In my case, I have a bunch of personal content in a bucket, but I want to make the files in a specific directory accessible to my site (for example, images). So I have something like this:

    {
      "Version": "2008-10-17",
      "Id": "",
      "Statement": [
        {
          "Sid": "AddPerm",
          "Effect": "Allow",
          "Principal": { "AWS": "*" },
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::content-racket-fm/uploaded/images/*"
        }
      ]
    }

Now, here is the problem I have run into. I recently found out here:

https://forums.aws.amazon.com/thread.jspa?threadID=78294

These bucket policies work only for files that are owned by the bucket owner. So, for example, if the files got into the bucket through some external service, for example Encoding.com or Panda, where they have their own user in your S3 bucket, you will have problems because your bucket policy will not apply to these files (this looks like an Amazon oversight in my opinion, but I'm sure there is a good reason I haven't thought of).

I use Rails; is there a way to set the owner of an object in a bucket?

Edit

I think the best question might be ...

Is there a way to configure the Amazon bucket so that it applies the bucket policy to all files, regardless of owner?

+6
1 answer

As it turned out, another limitation of S3 is that you seem to be unable to change the owner of an object in the bucket. This results in bucket policies being useless in such situations. As a workaround, I had to fall back on ACLs. You can set a public ACL using the aws-sdk gem in Rails like this.

    require 'aws-sdk' # aws-sdk v1 gem (AWS::S3 namespace)

    class AwsHelper
      # This method can be used to set a public ACL on any object. The parameter file_path
      # is the path to the file in the bucket minus the domain info, so if your full URL was
      # http://s3.amazonaws.com/<your-bucket>/images/image1.png, file_path would be
      # images/image1.png
      def self.set_public_acl(file_path)
        @bucket_path = ENV['S3_BUCKET']
        Rails.logger.warn "===> Loading S3"
        s3 = AWS::S3.new
        if s3
          bucket = s3.buckets[@bucket_path]
          if bucket.exists?
            Rails.logger.warn "===> Bucket '#{@bucket_path}' FOUND"
            key = bucket.objects[file_path]
            if key.exists?
              Rails.logger.warn "===> Key '#{file_path}' FOUND"
              key.acl = :public_read
              Rails.logger.warn "===> ACL Set to public read:"
              key.acl.grants.each do |grant|
                Rails.logger.warn "grantee => #{grant.grantee.group_uri}, permission => #{grant.permission.name}"
              end
              return key
            end
          end
        end
      end
    end

In cases where you do not have control over the user who creates the content, but you still want to lock it down (for example, when using some brands of web video encoding), you can achieve this by copying the file after it is uploaded (your account will own the copy), deleting the old one, and then copying it back. Not perfect, but it works.

+2

Source: https://habr.com/ru/post/904253/
