
Document minimum IAM user permissions/ACLs in order for accessing an AWS bucket

Open patcon opened this issue 3 years ago • 6 comments

Took me a while to sort this out, and I was surprised that I couldn't find a record of it in the issue queue. Copy-pasting this into the JSON editor allowed it to finally work: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-policies-s3.html#iam-policy-ex0

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action": "s3:ListAllMyBuckets",
         "Resource":"arn:aws:s3:::*"
      },
      {
         "Effect":"Allow",
         "Action":["s3:ListBucket","s3:GetBucketLocation"],
         "Resource":"arn:aws:s3:::awsexamplebucket1"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:DeleteObject"
         ],
         "Resource":"arn:aws:s3:::awsexamplebucket1/*"
      }
   ]
}

Giving full S3 permissions on the bucket also worked, but that felt like overkill, and it would be bad to incentivize users to do that.

patcon avatar Aug 11 '20 20:08 patcon

It would be nice to see documented exactly which actions are required for this plugin to work. I do not like giving more privileges than necessary. I use the following policy for other services and it works. But with s3-plugin-webpack I get Access Denied. So what else is this plugin trying to do?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::mybucket/*"
        }
    ]
}

Another policy example is in issue #62.

SunSparc avatar Aug 28 '20 18:08 SunSparc

Well, after going through all the permissions myself it turns out that s3-plugin-webpack also needs the PutObjectAcl by default, unless ACL: "", is added to the s3UploadOptions, which was mentioned on #28.

SunSparc avatar Aug 28 '20 19:08 SunSparc

This is really helpful @SunSparc :) I'll try to upstream a doc change when I'm next using this plugin

patcon avatar Aug 29 '20 01:08 patcon

Ok, after some experimentation, I found the minimal permissions for the bucket and plugin setup are:

{
  s3Options: {
    // ...
  },
  s3UploadOptions: {
    ACL: '',
    Bucket: 'YOURBUCKET'
  }
}

IAM > Users > YOURUSER > Permissions > Add inline policy (JSON):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::YOURBUCKET/*"
        }
    ]
}

S3 > YOURBUCKET > Permissions > Block public access: All "OFF"

S3 > YOURBUCKET > Permissions > Bucket Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::YOURBUCKET/*"
        }
    ]
}

patcon avatar Aug 30 '20 19:08 patcon

@patcon Does

{
  s3Options: {
    // ...
  },
  s3UploadOptions: {
    ACL: '',
    Bucket: 'YOURBUCKET'
  }
}

"YOURBUCKET" have to be a hardcoded string? Having a difficult time passing this value from an .env using process.env or even using an environment.js file that takes the .env vars and exports them to webpack.

mapineda avatar Nov 17 '21 22:11 mapineda

I don't think so, @mapineda :(

patcon avatar Nov 18 '21 03:11 patcon