What should my IAM policy look like in order to allow user my-user to access an Amazon S3 bucket called my-bucket?
Currently, I have the following policy assigned to my-user:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::my-bucket"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::my-bucket/*"]
    }
  ]
}
I got this policy from "Sample 1" on the following link:
http://blogs.aws.amazon.com/security/post/Tx3VRSWZ6B3SHAV/Writing-IAM-Policies-How-to-grant-access-to-an-Amazon-S3-bucket
In my production.rb file, I have implemented the configuration settings to tell paperclip to use S3:
config.paperclip_defaults = {
  :storage => :s3,
  :s3_credentials => {
    :bucket => 'my-bucket',
    :access_key_id => ENV['AWS_ACCESS_KEY_ID'],
    :secret_access_key => ENV['AWS_SECRET_ACCESS_KEY']
  }
}
When I attempt to use my app to upload a photo, I receive an AWS::S3::Errors::AccessDenied exception.
Oddly, if I load up the rails console, and run the following code to manually upload a file, it works correctly:
s3 = AWS::S3.new(access_key_id: ENV['AWS_ACCESS_KEY_ID'], secret_access_key: ENV['AWS_SECRET_ACCESS_KEY'])
bucket = s3.buckets['my-bucket']
obj = bucket.objects['new_file']
obj.write(Pathname.new('/path/to/file'))
This correctly uploads the file to my S3 bucket. I'm confused why I clearly have permission to upload a file this way, but when I try to do it via paperclip with the same credentials, I get the permission denied error.
Even more confusing, when I assign the AdministratorAccess policy to my-user, paperclip is able to successfully upload the file.
Any idea how I can resolve this?
The solution is here: https://stackoverflow.com/a/19185045/736864
When paperclip uploads the file to S3, it also tries to set the file to be publicly viewable, which means the user needs to be given access to set permissions. Adding the s3:PutObjectAcl permission to my IAM policy fixed the issue.
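To see why the console test passed while paperclip failed, here is a small, added Ruby check (not part of the question, the answer, or paperclip) that evaluates the question's policy with a simplified IAM matcher against the two calls an upload makes: PutObject and then PutObjectAcl. The bucket name, object key and the "fixed" policy are constructed for the illustration; real IAM evaluation has more rules (conditions, resource policies, NotAction) than this simplification.

```ruby
require 'json'

# The question's policy, constructed here as a heredoc for the check.
ORIGINAL_POLICY = JSON.parse(<<~JSON)
  { "Version": "2012-10-17",
    "Statement": [
      { "Effect": "Allow", "Action": ["s3:ListBucket"],
        "Resource": ["arn:aws:s3:::my-bucket"] },
      { "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
        "Resource": ["arn:aws:s3:::my-bucket/*"] } ] }
JSON

# Same policy with s3:PutObjectAcl added to the object-level statement.
FIXED_POLICY = JSON.parse(JSON.generate(ORIGINAL_POLICY))
FIXED_POLICY["Statement"][1]["Action"] << "s3:PutObjectAcl"

# Match an IAM pattern such as "s3:Put*" or "arn:aws:s3:::my-bucket/*".
# Simplified: only '*' and '?' wildcards, case-sensitive.
def iam_match?(pattern, value)
  regex = Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.')
  value.match?(/\A#{regex}\z/)
end

# Simplified IAM decision: explicit Deny wins, then any Allow, else implicit deny.
def allowed?(policy, action, resource)
  decision = :deny
  Array(policy["Statement"]).each do |st|
    next unless Array(st["Action"]).any? { |a| iam_match?(a, action) } &&
                Array(st["Resource"]).any? { |r| iam_match?(r, resource) }
    return :deny if st["Effect"] == "Deny"
    decision = :allow
  end
  decision
end

# A paperclip upload writes the object and then sets its ACL (public-read).
UPLOAD_ACTIONS = %w[s3:PutObject s3:PutObjectAcl].freeze

# Actions the upload needs that the policy would not allow on this object.
def missing_for_upload(policy, bucket, key)
  arn = "arn:aws:s3:::#{bucket}/#{key}"
  UPLOAD_ACTIONS.reject { |a| allowed?(policy, a, arn) == :allow }
end

if __FILE__ == $PROGRAM_NAME
  p missing_for_upload(ORIGINAL_POLICY, "my-bucket", "photos/1/cat.jpg") # => ["s3:PutObjectAcl"]
  p missing_for_upload(FIXED_POLICY, "my-bucket", "photos/1/cat.jpg")    # => []
end
```

The console snippet only calls PutObject, which the original policy allows; the second call paperclip makes, PutObjectAcl, is the one that was implicitly denied.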