I am trying to understand exactly how to setup a bucket that is generally private but allows anonymous uploads with restrictions. The specific criteria are:
Questions I have are:
The expiration seems settable via the S3 Management Console but is only limited to 1 day as the smallest expiration. Can I put a decimal in that field? Permissions seem to apply to an entire bucket instead of just a prefix. This is making me think I just need two buckets. If I keep with one bucket I think I need to create an IAM policy and apply that to the bucket but it is beyond my limited knowledge of S3 and I want to ensure I don't leave a hole in the permissions that allow people to do more than I want them to.
I have found lots of documentation on doing anonymous uploads to S3 via a HTTP form post. I could adapt that into code but I am wondering since I am in application code (and not a HTTP form post) is there an easier way?
What you describe can be implemented within one bucket. You can allow anonymous access to specific folder via bucket policy, check examples or use AWS Policy Generator. In your case it could look something like this:
{
"Version": "2008-10-17",
"Id": "Policy1346097257207",
"Statement": [
{
"Sid": "Allow anonymous upload to /incoming",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::[your_bucket]/incoming/*"
}
]
}
It is also possible to upload files to your bucket anonymously using a simple html form:
<form action="http://[your_bucket].s3.amazonaws.com/" method="post" enctype="multipart/form-data">
<input type="hidden" name="acl" value="public-read" />
Name: <input type="text" name="key" value="incoming/[filename]" /><br/>
File: <input type="file" name="file" /> <br />
<input type="submit" name="submit" value="Upload" />
</form>
S3 browser based uploads are described here in detail.