AWS S3: The right policy to set

When working with the Mattermost chat server, I decided to move the media (attachments, images, etc.) to an Amazon AWS S3 bucket.

Setup

AWS S3 Bucket creation

The first thing you have to set up is the bucket itself; Amazon (with a little bit of googling) makes this very easy.

Amazon Guide on creating a bucket

Once you have set it up, note its ARN (Amazon Resource Name) somewhere. It has the form arn:aws:s3:::NAME-OF-BUCKET. You'll need it later when writing the access policy.

IAM user and Policy

First, create a user that doesn't have a console password; your application will authenticate with an access key, so the user only needs programmatic access.

Create a user using the console

When asked to give it permissions, you'll need to create a policy.

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR-BUCKET"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR-BUCKET/*"
            ]
        }
    ]
}

The policy is scoped to this one bucket and grants only the following rights:

Action                Description
s3:ListBucket         List the content of the bucket (also used to compute the storage used).
s3:GetBucketLocation  Return the region the bucket lives in. Some libraries call it to make sure they talk to the right regional endpoint before interacting with your bucket.
s3:PutObject          Add or replace objects.
s3:GetObject          Read an existing object.
s3:DeleteObject       Delete an existing object.

The policy needs two statements because the actions apply to different resources: s3:ListBucket and s3:GetBucketLocation are bucket-level actions and must be granted on the bucket ARN, while s3:PutObject, s3:GetObject and s3:DeleteObject are object-level actions and must be granted on the objects, i.e. the bucket ARN followed by /*. Granting an object action on the bare bucket ARN, or ListBucket on /*, has no effect. Instead of /*, you can restrict the application to a single directory (key prefix) in the bucket, for example arn:aws:s3:::YOUR-BUCKET/DIRECTORY/*; to keep ListBucket from exposing the rest of the bucket, you then also add a Condition on the s3:prefix key to the ListBucket statement. In my case, the application has access to the full bucket.

Now attach the policy to the user and create an access key for it: the access key ID and secret access key are what your application will use. The secret is shown only once, at creation time, so put it straight into the application's configuration rather than into source control.
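The policy above can be generated rather than hand-edited, which also makes the bucket-ARN versus object-ARN distinction explicit. The following is an added example (not code from the original post, from Mattermost or from AWS): build_s3_policy emits the two-statement policy for a bucket and, when given a directory prefix, narrows the object statement to that prefix and adds the s3:prefix Condition to ListBucket (GetBucketLocation is split into its own statement because a request for it carries no prefix and would otherwise be denied by the condition). check_policy flags the mistakes that make such a policy either too broad (wildcard action or resource) or silently ineffective (bucket action on an object ARN or vice versa). The function names, the bucket name "example-bucket" and the prefix "mattermost/" are made-up sample input.

```python
"""Generate and lint the least-privilege S3 policy used for a single bucket.

Added example, not the original post's code. Names such as build_s3_policy,
check_policy, "example-bucket" and "mattermost/" are assumptions for
illustration only.
"""
import json

# Bucket-level actions are authorised on arn:aws:s3:::BUCKET,
# object-level actions on arn:aws:s3:::BUCKET/... (the object keys).
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation"]
OBJECT_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"]


def build_s3_policy(bucket: str, prefix: str = "") -> dict:
    """Return the policy document for one bucket, optionally scoped to a prefix."""
    if not bucket or "*" in bucket or "?" in bucket:
        raise ValueError("bucket name must be explicit, with no wildcards")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    prefix = prefix.strip("/")
    statements = []
    if prefix:
        # GetBucketLocation requests carry no s3:prefix key, so a StringLike
        # condition on it would deny them; keep it in a statement of its own.
        statements.append({
            "Effect": "Allow",
            "Action": ["s3:GetBucketLocation"],
            "Resource": [bucket_arn],
        })
        # ListBucket stays on the bucket ARN but only for keys under the prefix.
        statements.append({
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": [bucket_arn],
            "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}},
        })
        object_arn = f"{bucket_arn}/{prefix}/*"
    else:
        statements.append({
            "Effect": "Allow",
            "Action": list(BUCKET_ACTIONS),
            "Resource": [bucket_arn],
        })
        object_arn = f"{bucket_arn}/*"
    statements.append({
        "Effect": "Allow",
        "Action": list(OBJECT_ACTIONS),
        "Resource": [object_arn],
    })
    return {"Version": "2012-10-17", "Statement": statements}


def check_policy(policy: dict) -> list:
    """Return a list of findings; an empty list means the Allow statements look sane."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else list(resources)
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if any(r in ("*", "arn:aws:s3:::*") for r in resources):
            findings.append(f"statement {i}: wildcard resource {resources}")
        for r in resources:
            # Anything after the bucket name containing "/" addresses objects.
            is_object_arn = "/" in r.split(":::", 1)[-1]
            for a in actions:
                if a in BUCKET_ACTIONS and is_object_arn:
                    findings.append(f"statement {i}: {a} on object ARN {r} has no effect")
                if a in OBJECT_ACTIONS and not is_object_arn:
                    findings.append(f"statement {i}: {a} on bucket ARN {r} has no effect")
    return findings


if __name__ == "__main__":
    # Constructed sample input: a made-up bucket and directory.
    policy = build_s3_policy("example-bucket", "mattermost/")
    print(json.dumps(policy, indent=4))
    print("findings:", check_policy(policy))
```

Write the printed document to a file and it can be fed to `aws iam create-policy --policy-name NAME --policy-document file://policy.json`, then attached with `aws iam attach-user-policy` and followed by `aws iam create-access-key --user-name USER`, which mirrors the console steps above. Run check_policy on any policy you are handed as well: an "s3:*" on "*" is the most common way a "just for the bucket" user ends up with access to every bucket in the account.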

Written by: Antoine Aflalo
