My goal is to make a browser only upload form into an S3 bucket. I'm following the instructions here:
In it, one needs to create a policy document and then sign it using the secret access key. If I follow the instructions exactly, using my administrator-level account (e.g. access to all the things), everything works.
I would prefer to have a user account specific for this function and sign the document using that user's credentials. This way, I can easily deprecate the key (or entire user) whenever I wish. However, it is not listed in the instructions (nor can I figure out from google/experimentation) precisely what authority this user needs in IAM in order to sign the document. I've even tried being as wide as the policy below (I renamed bucket name to my-bucket), which is sufficient for the user to log into S3's web interface and manage the bucket entirely from there. However, using the upload form still yields access denied. Please note that my desired behavior is to allow this user only to upload files to a specific folder in a specific bucket. Not delete, get, etc.
{
"Statement":[
{
"Effect":"Allow",
"Action":[
"s3:ListAllMyBuckets"
],
"Resource":"arn:aws:s3:::*"
},
{
"Effect":"Allow",
"Action":[
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource":"arn:aws:s3:::my-bucket"
},
{
"Effect":"Allow",
"Action":[
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource":"arn:aws:s3:::my-bucket/*"
}
]
}
Aucun commentaire:
Enregistrer un commentaire