required s3 permissions should be documented #21

Open
XertroV opened this issue Oct 19, 2020 · 5 comments

Comments

XertroV commented Oct 19, 2020

At least s3:PutObjectAcl is required (because I got access denied before that)

Sample policy which works:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:ListBucket",
                "s3:ListObjects",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>/*"
            ]
        }
    ]
}

xcpep commented Oct 29, 2020

Thank you, this should definitely be added to the documentation.

slorber commented Mar 23, 2021

Is this the error you got?

Cannot read property 'Key' of undefined

#27

Also, are you sure s3:ListObjects exists?

I get an error with this specific action (which I'd prefer to use because it does not use Docker and is faster), while another action is able to upload to s3 fine 😅

slorber commented Mar 23, 2021

I'm using "s3:*" and it does not work either.

I believe this action fails because it tries to force public-read on the uploaded files, while I don't allow public reads on my bucket.

It may be worth making this optional.

XertroV commented Mar 23, 2021

re #21 (comment)

Looking at https://iam.cloudonaut.io/reference/s3.html, s3:ListObjects might not exist, not sure where I got that from.


re:

I believe this action fails because it tries to force public-read on the uploaded files, while I don't allow public reads on my bucket.

That sounds reasonable, but I can't test it via a bucket that explicitly disallows public-read atm.

slorber commented Mar 23, 2021

So I can confirm, and my minimal bucket ACL looks like this to make this action work:

{
    "Version": "2012-10-17",
    "Id": "<ANY>",
    "Statement": [
        {
            "Sid": "<ANY>",
            "Effect": "Allow",
            "Principal": {
                "AWS": "<MY_ARN>"
            },
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::<MY_BUCKET>/*"
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<MY_BUCKET>/*"
        }
    ]
}
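
A small policy check covering the points raised in this thread (an action name that may not exist, a bucket-level action granted on an object ARN, and the public-read grant), as an added example that is not part of the issue thread or the action's code. The action table, bucket name and account ID are constructed; actions absent from the table are only reported as unlisted.

```javascript
// Added example, not the action's code. ACTION_LEVEL is a small constructed
// subset of S3 IAM actions and the resource level each one is evaluated against.
const ACTION_LEVEL = {
  "s3:GetObject": "object", "s3:GetObjectAcl": "object",
  "s3:PutObject": "object", "s3:PutObjectAcl": "object",
  "s3:ListBucket": "bucket",
};
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);
// "arn:aws:s3:::bucket" names the bucket; "arn:aws:s3:::bucket/key" names objects.
function resourceLevel(arn) {
  const rest = arn.replace("arn:aws:s3:::", "");
  if (rest === "*") return "any";
  return rest.includes("/") ? "object" : "bucket";
}
const isPublic = (p) => p === "*" || (!!p && asArray(p.AWS).includes("*"));

function lintPolicy(policy) {
  const findings = [];
  asArray(policy.Statement).forEach((stmt, i) => {
    if (stmt.Effect !== "Allow") return;
    const levels = asArray(stmt.Resource).map(resourceLevel);
    for (const action of asArray(stmt.Action)) {
      const level = ACTION_LEVEL[action];
      if (action.includes("*")) {
        findings.push({ statement: i, action, issue: "wildcard-action" });
      } else if (level === undefined) {
        // Not in the table above: check the name against the AWS reference.
        findings.push({ statement: i, action, issue: "unlisted-action" });
      } else if (!levels.includes(level) && !levels.includes("any")) {
        // e.g. s3:ListBucket allowed only on "bucket/*" never matches a ListBucket request.
        findings.push({ statement: i, action, issue: `needs-${level}-resource` });
      }
      if (isPublic(stmt.Principal)) {
        findings.push({ statement: i, action, issue: "public-principal" });
      }
    }
  });
  return findings;
}
// Constructed inputs shaped like the two policies in this thread.
const OBJ = "arn:aws:s3:::example-bucket/*";
const identityPolicy = { Statement: [{ Effect: "Allow", Resource: [OBJ],
  Action: ["s3:GetObject", "s3:GetObjectAcl", "s3:ListBucket",
           "s3:ListObjects", "s3:PutObject", "s3:PutObjectAcl"] }] };
const bucketPolicy = { Statement: [
  { Effect: "Allow", Principal: { AWS: "arn:aws:iam::111122223333:user/ci" },
    Action: ["s3:PutObject", "s3:PutObjectAcl"], Resource: OBJ },
  { Effect: "Allow", Principal: "*", Action: "s3:GetObject", Resource: OBJ } ] };
console.log(lintPolicy(identityPolicy), lintPolicy(bucketPolicy));
```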
