I'm getting acquainted with using S3 with Ruby to upload files to Amazon Web Services. I recently was confronted with the following error: AWS::S3::Errors::AccessDenied Access Denied. In poking around on Google, I found this post on the error. It claims that the bucket policies aren't sufficient to allow access via the web-app and that the user must be given "Administrator Access" as well.
I've given this a try and it works fine but I feel like this is an indication that I'm not doing it right, given that administrator access isn't mentioned in any other documentation I've read. I'm using the aws-sdk gem. Could anyone weigh in on whether admin access is necessary? Many thanks!
None of the existing answers actually state which policies you need to grant, so here they are: s3:PutObject, s3:DeleteObject, and s3:PutObjectAcl.
Here's the complete S3 bucket policy I'm using to allow Paperclip to put objects with the :public_read permission:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::IAM_USER_ID:user/IAM_USER_NAME"
      },
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::S3_BUCKET_NAME/*"
    }
  ]
}
You should not really need the Admin Access to achieve this.
Make sure you have AWS access_key_id and secret_access_key set up in your Heroku config. And, you also would need to make sure your user account has an Access Policy set in the AWS IAM Console.
See this post for some more info.
The default permission for Paperclip is :public_read unless you specify the bucket to be private.
See this for information about Module: Paperclip::Storage::S3
As explained in the accepted answer, you should not need "Admin Access". However, the typical policy for giving access to a bucket, as documented in some examples given by Amazon, could not be enough for Paperclip.
The following policy worked for me:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name-to-be-set-by-you"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucket-name-to-be-set-by-you/*"
      ]
    }
  ]
}
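The policies in the answers above differ mainly in how much they grant on the bucket's objects. The following Ruby check is an added example, not code from any of the answers or from Paperclip or the aws-sdk gem: it reports which of the three actions named in the first answer a policy fails to grant, and which wildcard actions it grants. The helper names `glob_match?` and `audit_policy`, the bucket name `example-bucket` and the sample policies are assumptions constructed for this example.

```ruby
require 'json'

# Actions the first answer above lists for Paperclip uploads with :public_read.
REQUIRED_ACTIONS = %w[s3:PutObject s3:DeleteObject s3:PutObjectAcl].freeze

# IAM-style glob match: "*" is any run of characters, "?" is exactly one.
def glob_match?(pattern, value, ignore_case: false)
  body = Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.')
  Regexp.new("\\A#{body}\\z", ignore_case ? Regexp::IGNORECASE : 0).match?(value)
end

# Audits the Allow statements that cover objects in `bucket`. Deny, NotAction,
# NotResource and Condition are not evaluated (a simplification of this example).
def audit_policy(policy_json, bucket)
  object_arn = "arn:aws:s3:::#{bucket}/example-key" # constructed key name
  statements = [JSON.parse(policy_json)['Statement']].flatten.compact
  covering = statements.select do |s|
    s['Effect'] == 'Allow' &&
      [s['Resource']].flatten.compact.any? { |r| glob_match?(r, object_arn) }
  end
  granted = covering.flat_map { |s| [s['Action']].flatten.compact }
  missing = REQUIRED_ACTIONS.reject do |a|
    granted.any? { |g| glob_match?(g, a, ignore_case: true) }
  end
  { missing: missing, wildcards: granted.select { |g| g.include?('*') }.uniq }
end

# Constructed inputs: the two statement shapes from the answers above, with a
# placeholder bucket name, plus an under-scoped policy that would be denied.
SCOPED = <<~JSON
  {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl"],
    "Resource": "arn:aws:s3:::example-bucket/*"}]}
JSON
BROAD = <<~JSON
  {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket"]},
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket/*"]}]}
JSON
PUT_ONLY = <<~JSON
  {"Version": "2012-10-17", "Statement": {"Effect": "Allow",
    "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"}}
JSON

{ 'scoped' => SCOPED, 'broad' => BROAD, 'put-only' => PUT_ONLY }.each do |name, doc|
  puts "#{name}: #{audit_policy(doc, 'example-bucket')}"
end
```

An empty `missing` list with an empty `wildcards` list is the least-privilege outcome; a non-empty `missing` list corresponds to the AccessDenied error from the question.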