While running a Mattermost chat server, I decided to move the media it stores (attachments, images, etc.) to an Amazon AWS S3 bucket.
Setup
AWS S3 Bucket creation
The first thing you have to set up is the bucket itself; Amazon (with a little bit of googling) makes this very easy.
Amazon Guide on creating a bucket
Once you have set it up, note its identifier (the bucket ARN) somewhere. Usually it's arn:aws:s3:::NAME-OF-BUCKET. You'll need this later when creating the access policy.
IAM user and Policy
First, create a user that doesn't have a password: the application only needs programmatic access, so a console login is not required.
Create a user using the console
When asked to give it some rights, you'll need to create a policy.
Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR-BUCKET"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR-BUCKET/*"
      ]
    }
  ]
}
We create a policy specifically for this bucket, granting only the following rights:
| Action | Description |
| --- | --- |
| ListBucket | List the content of the bucket and the storage used. |
| GetBucketLocation | Find out which region the bucket is located in. Some client libraries use it to make sure they are talking to the right region when interacting with your bucket. |
| PutObject | Add or replace objects. |
| GetObject | Read an existing object. |
| DeleteObject | Delete an existing object. |
We need two separate statements because they target different resources: the first applies to the bucket resource itself (listing its content and getting its location), while the second applies to the objects inside the bucket, which is why its resource ends in /*. Instead of the whole bucket, you could restrict that second statement to a specific directory (prefix) in the bucket. In my case, the application has access to the full bucket.
Now attach the created policy to the user, and generate the access key ID and secret access key for your application.
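As an added illustration (not code from the original post or from Mattermost), the script below builds the two-statement policy described above for a given bucket, optionally narrowing the object statement to a prefix, and then audits a policy document for the mistakes this split is meant to avoid: wildcard actions or resources, actions the application does not need, and bucket-level actions placed on object ARNs (or the reverse, which silently fails). The bucket name, prefix and the over-broad sample policy are constructed placeholders.

```python
import json
from typing import List, Optional

# Actions the application needs, split by the resource they apply to
# (constructed from the policy in the post; the split is what the audit checks).
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_LEVEL_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject"}


def build_mattermost_s3_policy(bucket: str, prefix: Optional[str] = None) -> dict:
    """Build the two-statement policy: bucket-level actions on the bucket ARN,
    object-level actions on the objects. With a prefix, the object statement is
    narrowed to that directory instead of the whole bucket ("/*")."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{prefix.strip('/') + '/' if prefix else ''}*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(BUCKET_LEVEL_ACTIONS), "Resource": [bucket_arn]},
            {"Effect": "Allow", "Action": sorted(OBJECT_LEVEL_ACTIONS), "Resource": [object_arn]},
        ],
    }


def _as_list(value) -> list:
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def audit_s3_policy(policy: dict, bucket: str) -> List[str]:
    """Return human-readable findings; an empty list means the policy is scoped
    to this bucket with only the actions the application needs."""
    findings: List[str] = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action in ("*", "s3:*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action not in BUCKET_LEVEL_ACTIONS | OBJECT_LEVEL_ACTIONS:
                findings.append(f"statement {i}: action {action!r} is not needed by the application")
        for res in resources:
            if res == "*" or res.startswith("arn:aws:s3:::*"):
                findings.append(f"statement {i}: resource {res!r} is not limited to one bucket")
                continue
            is_bucket_arn = res == bucket_arn
            is_object_arn = res.startswith(bucket_arn + "/")
            if not (is_bucket_arn or is_object_arn):
                findings.append(f"statement {i}: resource {res!r} belongs to another bucket")
                continue
            # Mismatched resource types do not grant what the author expects.
            for action in actions:
                if action in OBJECT_LEVEL_ACTIONS and is_bucket_arn:
                    findings.append(f"statement {i}: {action} on the bucket ARN; it needs an object ARN ending in /*")
                if action in BUCKET_LEVEL_ACTIONS and is_object_arn:
                    findings.append(f"statement {i}: {action} on an object ARN; it needs the bucket ARN")
    return findings


if __name__ == "__main__":
    policy = build_mattermost_s3_policy("example-bucket", prefix="mattermost")
    print(json.dumps(policy, indent=2))
    print("findings:", audit_s3_policy(policy, "example-bucket"))
```

Running the script prints the generated policy and an empty findings list; feeding it a policy that grants s3:* on * instead reports both wildcards, which is the kind of over-broad grant worth catching before the key is handed to the application.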