Access Denied when uploading files to Amazon using Paperclip and IAM policies

<p>I am unable to get an upload working with Paperclip using an S3 IAM policy. I'm even having issues with direct jQuery uploads (no Paperclip). My scenario is as follows: I have an application that will have many sites. Each site will have its own bucket and should only be able to access its own bucket, nobody else's. The <a href="http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingIAMPolicies.html#ExamplePolicies_S3">IAM Example Policies</a> documentation explains exactly what I want to do under "Example: Allow each IAM user access to a folder in a bucket". I have an IAM group set up for the application and have one user per site within the group. These IAM users belong to the group. The policy on the group is as follows:</p>
<pre><code>{
  "Version":"2012-10-17",
  "Statement":[{
    "Effect":"Allow",
    "Action":[
      "s3:PutObject",
      "s3:GetObject",
      "s3:GetObjectVersion",
      "s3:DeleteObject",
      "s3:DeleteObjectVersion"
    ],
    "Resource":"arn:aws:s3:::my-app/${aws:username}/*"
  }]
}
</code></pre>
<p>Here is my CORS configuration on the bucket, for dev of course; it will get locked down later:</p>
<pre><code>&lt;?xml version="1.0" encoding="UTF-8"?&gt;
&lt;CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"&gt;
  &lt;CORSRule&gt;
    &lt;AllowedOrigin&gt;*&lt;/AllowedOrigin&gt;
    &lt;AllowedMethod&gt;GET&lt;/AllowedMethod&gt;
    &lt;AllowedMethod&gt;POST&lt;/AllowedMethod&gt;
    &lt;AllowedMethod&gt;PUT&lt;/AllowedMethod&gt;
    &lt;AllowedHeader&gt;*&lt;/AllowedHeader&gt;
  &lt;/CORSRule&gt;
&lt;/CORSConfiguration&gt;
</code></pre>
<p>Here are my Paperclip settings:</p>
<pre><code>has_attached_file :background_image,
  storage: :s3,
  s3_credentials: {
    access_key_id: "xxx",
    secret_access_key: "xxx"
  },
  bucket: "my-app",
  s3_permissions: "public-read",
  path: "/background_images/:id/:filename"
</code></pre>
<p>I was previously working with policies directly on the bucket, which did work but wasn't as flexible as I need it to be when I move into a production environment with many "sites". As far as I can tell I've followed the documentation exactly, yet anything I do results in 'Access Denied'. At this point I'm not even sure if my issue is with my IAM policy or my Paperclip configuration.</p>
<p>edit: clarification.</p>
<p>edit 2: FINAL SOLUTION</p>
<p>Here is my final IAM policy based on <a href="http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke">this article</a>:</p>
<pre><code>{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToSeeBucketListInTheConsole",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-app"],
      "Condition":{"StringEquals":{"s3:prefix":["","home/"],"s3:delimiter":["/"]}}
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::estimator-app"],
      "Condition":{"StringLike":{"s3:prefix":["home/${aws:username}/*"]}}
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::my-app/home/${aws:username}/*"]
    }
  ]
}
</code></pre>
<p>And my updated Paperclip settings:</p>
<pre><code>has_attached_file :background_image,
  storage: :s3,
  s3_credentials: {
    access_key_id: "xxx",
    secret_access_key: "xxx"
  },
  bucket: "estimator-app",
  s3_permissions: "public-read",
  path: "/home/my_s3_username/background_images/:id/:filename"
</code></pre>
<p>It was important to include the username in the Paperclip path. I was assuming Amazon would infer that from the credentials, but that's not the case.</p>
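As an added example, not code from the question, from Paperclip or from AWS: a small Ruby checker that applies the object-level statement of the final policy (an Allow on <code>arn:aws:s3:::bucket/home/${aws:username}/*</code>) to the S3 key Paperclip would build from its <code>:path</code> template, which makes visible why the username has to appear in the path. It assumes the bucket name "my-app", an IAM user named "site-1" and a constructed attachment (id 7, file "bg.png"); it models only Action/Resource matching with IAM policy variables (Condition blocks such as <code>s3:prefix</code> are not evaluated) and the fact that Paperclip strips the leading "/" from <code>:path</code> when naming the S3 object.

```ruby
require "json"

# Constructed policy: the object-level statement from the post's final solution,
# with the bucket assumed to be "my-app".
USER_FOLDER_POLICY = JSON.parse(<<~JSON)
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowAllS3ActionsInUserFolder",
        "Effect": "Allow",
        "Action": ["s3:*"],
        "Resource": ["arn:aws:s3:::my-app/home/${aws:username}/*"]
      }
    ]
  }
JSON

# Substitute IAM policy variables such as ${aws:username} with the caller's values.
# An unknown variable raises instead of silently matching nothing.
def expand_vars(str, vars)
  str.gsub(/\$\{([a-z]+:[A-Za-z]+)\}/) { vars.fetch(Regexp.last_match(1)) }
end

# IAM-style glob: "*" matches any run of characters, "?" exactly one.
# Resource ARNs are case-sensitive; action names are matched case-insensitively.
def iam_glob_match?(pattern, value, ignore_case: false)
  body = Regexp.escape(pattern).gsub('\*', ".*").gsub('\?', ".")
  Regexp.new("\\A#{body}\\z", ignore_case ? Regexp::IGNORECASE : 0).match?(value)
end

# Minimal IAM evaluation: implicit deny by default, explicit Deny wins over Allow.
# Only Action/Resource are evaluated; Condition blocks are not modelled here.
def evaluate(policy, vars, action, resource_arn)
  decision = :implicit_deny
  Array(policy["Statement"]).each do |st|
    actions   = Array(st["Action"])
    resources = Array(st["Resource"]).map { |r| expand_vars(r, vars) }
    next unless actions.any?   { |a| iam_glob_match?(a, action, ignore_case: true) }
    next unless resources.any? { |r| iam_glob_match?(r, resource_arn) }
    return :explicit_deny if st["Effect"] == "Deny"
    decision = :allow
  end
  decision
end

# Build the S3 object key Paperclip derives from its :path option:
# ":tag" interpolations are replaced and the leading "/" is dropped.
def paperclip_key(path_template, interpolations)
  key = interpolations.reduce(path_template) do |acc, (tag, value)|
    acc.gsub(":#{tag}") { value.to_s }
  end
  key.sub(%r{\A/}, "")
end

def object_arn(bucket, key)
  "arn:aws:s3:::#{bucket}/#{key}"
end

# Would a PutObject by IAM user `username` through this Paperclip path be
# allowed under the policy? Returns true or false.
def upload_allowed?(policy, username, bucket, path_template, interpolations)
  arn = object_arn(bucket, paperclip_key(path_template, interpolations))
  evaluate(policy, { "aws:username" => username }, "s3:PutObject", arn) == :allow
end

if __FILE__ == $PROGRAM_NAME
  interp = { "id" => 7, "filename" => "bg.png" }    # constructed sample attachment
  [
    "/background_images/:id/:filename",              # the original, failing path
    "/home/site-1/background_images/:id/:filename",  # the fixed path for user site-1
    "/home/site-2/background_images/:id/:filename"   # another site's folder
  ].each do |tpl|
    key = paperclip_key(tpl, interp)
    verdict = upload_allowed?(USER_FOLDER_POLICY, "site-1", "my-app", tpl, interp) ? "allowed" : "denied"
    puts "#{key.ljust(42)} -> #{verdict}"
  end
end
```

Two things worth noticing from the run: the key is matched as a plain string against <code>home/&lt;username&gt;/*</code>, so nothing about the credentials themselves places an object in the user's folder; only the path template in code does, and it must not be user-supplied. Also, <code>s3:*</code> in the user folder includes <code>s3:PutObjectAcl</code>, which is what lets <code>s3_permissions: "public-read"</code> succeed and makes every uploaded object world-readable; if that is not intended, list the specific actions instead, as the first policy in the question did.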