Correct S3 Policy For Pre-Signed URLs
I need to issue pre-signed URLs for allowing users to GET and PUT files into a specific S3 bucket. I created an IAM user and use its keys to create the pre-signed URLs, and added a custom policy embedded in that user (see below). When I use the generated URL, I get an AccessDenied error with my policy. If I add the FullS3Access policy to the IAM user, the file can be GET or PUT with the same URL, so obviously, my custom policy is lacking. What is wrong with it?
Here's the custom policy I am using that is not working:
{
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::MyBucket"
]
},
{
"Action": [
"s3:AbortMultipartUpload",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteBucketPolicy",
"s3:DeleteObject",
"s3:GetBucketPolicy",
"s3:GetLifecycleConfiguration",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:PutBucketPolicy",
"s3:PutLifecycleConfiguration",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::MyBucket/*"
]
}
]
}
Answer
Bucket Permissions vs Object Permissions
The following permissions from your policy should be at the Bucket level (arn:aws:s3:::MyBucket), rather than a sub-path within the Bucket (eg arn:aws:s3:::MyBucket/*):
- s3:CreateBucket
- s3:DeleteBucket
- s3:DeleteBucketPolicy
- s3:GetBucketPolicy
- s3:GetLifecycleConfiguration
- s3:ListBucket
- s3:ListBucketMultipartUploads
- s3:PutBucketPolicy
- s3:PutLifecycleConfiguration
See: Specifying Permissions in a Policy
However, that is not the cause of your inability to PUT or GET files.
GET
The fact that your have assigned GetObject permissions means that you should be able to GET an object from the S3 bucket. I tested this by assigning your policy to a User, then using that User's credentials to access an object and it worked correctly.
PUT
I also used your policy to upload via a web form and it worked correctly.
Here is the form I used to upload:
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>S3 POST Form</title>
<style type="text/css"></style></head>
<body>
<form action="https://<BUCKET-NAME>.s3.amazonaws.com/" method="post" enctype="multipart/form-data">
<input type="hidden" name="key" value="uploads/${filename}">
<input type="hidden" name="AWSAccessKeyId" value="<ACCESS-KEY>">
<input type="hidden" name="acl" value="private">
<input type="hidden" name="success_action_redirect" value="http://<BUCKET-NAME>.s3.amazonaws.com/ok.html">
<input type="hidden" name="policy" value="<ENCODED-POLICY>">
<input type="hidden" name="signature" value="<SIGNATURE>">
<input type="hidden" name="Content-Type" value="image/jpeg">
<!-- Include any additional input fields here -->
File to upload to S3:
<input name="file" type="file">
<br>
<input type="submit" value="Upload File to S3">
</form>
Here is how I generated the Signature:
#!/usr/bin/python
import base64
import hmac, hashlib
policy_document = '{"expiration": "2018-01-01T00:00:00Z", "conditions": [ {"bucket": "<BUCKET-NAME>"}, ["starts-with", "$key", "uploads/"], {"acl": "private"}, {"success_action_redirect": "http://BUCKET-NAME.s3.amazonaws.com/ok.html"}, ["starts-with", "$Content-Type", ""], ["content-length-range", 0, 1048000] ] }'
AWS_SECRET_ACCESS_KEY = "<SECRET-KEY>"
policy = base64.b64encode(policy_document)
signature = base64.b64encode(hmac.new(AWS_SECRET_ACCESS_KEY, policy, hashlib.sha1).digest())
print policy
print
print signature