Discussion on: Setting Up Proper Amazon S3 Permissions for ActiveStorage

Kyle Keesling

I was leaning on the S3 policy builder for feedback and misinterpreted its recommendation. Always learning 😁 thanks for the catch. I’ve updated the post to reflect this.

Janko Marohnić

Note that the s3:ListBucket permission still needs to be on the bucket resource, i.e. arn:aws:s3:::NAME_OF_YOUR_BUCKET_GOES_HERE. This permission allows you to list objects in the bucket, which is needed for ActiveStorage's #delete_prefixed.

Kyle Keesling • Edited

Ahh - that must be what was causing my validation warning in the editor! How does this look?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME_GOES_HERE/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::BUCKET_NAME_GOES_HERE"
        }
    ]
}
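
The bucket-versus-object resource distinction raised in this thread can be checked mechanically. The Ruby sketch below is an added example, not code from either commenter or from ActiveStorage. The names `arn_kinds`, `lint_s3_policy`, `MISPLACED` and `SPLIT` are hypothetical, the first policy is a constructed sample, and only the four actions mentioned in the thread are classified.

```ruby
require "json"

S3_PREFIX = "arn:aws:s3:::"
# Assumption: only the four actions discussed in this thread are classified.
OBJECT_ACTIONS = %w[s3:PutObject s3:GetObject s3:DeleteObject].freeze
REQUIRED_KIND = OBJECT_ACTIONS.to_h { |a| [a, :object] }.merge("s3:ListBucket" => :bucket).freeze

# Which resource kinds an ARN pattern can match: the bucket, objects in it, or both.
def arn_kinds(arn)
  return %i[bucket object] if arn == "*"
  return [] unless arn.start_with?(S3_PREFIX)
  bucket, key = arn.delete_prefix(S3_PREFIX).split("/", 2)
  return [:object] unless key.nil?
  # A wildcard in the bucket part can also swallow "/key", so it matches both.
  bucket.to_s.include?("*") ? %i[bucket object] : [:bucket]
end

# Returns one finding per allowed action that none of the statement's resources can match.
def lint_s3_policy(json)
  statements = [JSON.parse(json).fetch("Statement")].flatten
  statements.each_with_object([]) do |stmt, findings|
    next unless stmt["Effect"] == "Allow"
    kinds = Array(stmt["Resource"]).flat_map { |arn| arn_kinds(arn) }
    Array(stmt["Action"]).each do |action|
      need = REQUIRED_KIND[action]
      next if need.nil? || kinds.include?(need)
      findings << "#{stmt['Sid']}: #{action} needs a #{need} ARN"
    end
  end
end

# Constructed sample: ListBucket granted on the object ARN only, so it never applies.
MISPLACED = <<~POLICY
  {"Version": "2012-10-17", "Statement": [{
    "Sid": "Constructed0", "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::BUCKET_NAME_GOES_HERE/*"]}]}
POLICY

# Same layout as the policy posted above: ListBucket split out onto the bucket ARN.
SPLIT = <<~POLICY
  {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::BUCKET_NAME_GOES_HERE/*"]},
    {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::BUCKET_NAME_GOES_HERE"}]}
POLICY

puts lint_s3_policy(MISPLACED), lint_s3_policy(SPLIT).inspect
```

An empty result means every classified action has at least one resource of the right kind; it says nothing about whether the grant is broader than needed.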