s3-plugin-webpack
Document minimum IAM user permissions/ACLs for accessing an AWS bucket
Took me a while to sort this out, and I was surprised that I couldn't find a record of it in the issue queue. Copy-pasting this into the JSON editor allowed it to finally work: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-policies-s3.html#iam-policy-ex0
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::awsexamplebucket1"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::awsexamplebucket1/*"
    }
  ]
}
Giving full S3 permissions on the bucket also worked, but that felt like overkill, and it would be bad to incentivize users to do that.
It would be nice to see documented exactly which actions are required for this plugin to work. I do not like giving more privileges than necessary. I use the following policy for other services and it works. But with s3-plugin-webpack I get Access Denied. So what else is this plugin trying to do?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::mybucket/*"
    }
  ]
}
Another policy example is in issue #62.
Well, after going through all the permissions myself it turns out that s3-plugin-webpack also needs the PutObjectAcl by default, unless ACL: "" is added to the s3UploadOptions, which was mentioned on #28.
This is really helpful @SunSparc :) I'll try to upstream a doc change when I'm next using this plugin
Ok, after some experimentation, I found the minimal permissions for bucket and plugin setup are:
{
  s3Options: {
    // ...
  },
  s3UploadOptions: {
    ACL: '',
    Bucket: 'YOURBUCKET'
  }
}
IAM > Users > YOURUSER > Permissions > Add inline policy (JSON):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::YOURBUCKET/*"
    }
  ]
}
S3 > YOURBUCKET > Permissions > Block public access: All "OFF"
S3 > YOURBUCKET > Permissions > Bucket Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::YOURBUCKET/*"
    }
  ]
}
@patcon Does "YOURBUCKET" in
{
  s3Options: {
    // ...
  },
  s3UploadOptions: {
    ACL: '',
    Bucket: 'YOURBUCKET'
  }
}
have to be a hardcoded string? Having a difficult time passing this value from an .env using process.env or even using an environment.js file that takes the .env vars and exports them to webpack.
I don't think so, @mapineda :(