
Access Denied when accessKeyId has some restrictions

Open ghost opened this issue 10 years ago • 7 comments

Hi, I'm getting Access Denied when trying to upload files to my bucket.

The accessKey that I need to use has some restrictions in the S3 directory: it can only see 1 bucket, and can't list/access others.

The IT guys at my company are now setting up S3 access with this kind of policy. When the keys were set with "fullaccess" the API worked fine, but now that they are changing it I'm getting this error.

Is there any way to define that kind of access in the options?

Here's how I'm using this api to upload to the bucket.

```js
// Gruntfile.js excerpt: the grunt-aws "s3" task; credentials are read from a separate JSON file
grunt.initConfig({
    aws: grunt.file.readJSON("credentials.json"),
    s3: {
        options: {
            accessKeyId: "<%= aws.accessKeyId %>",
            secretAccessKey: "<%= aws.secretAccessKey %>",
            bucket: "cdn-html5",
            cacheTTL: 0
        },
        build: {
            files: [
                {
                    cwd: "<%= yeoman.dist %>",
                    src: ["scripts/**", "styles/**", "images/**", "doc/**", "swf/**"],
                    dest: "reader_api/<%= yeoman.version %>/"
                },
                {
                    cwd: "<%= yeoman.dist %>",
                    src: ["static/**"],
                    dest: "reader_api/"
                }
            ]
        }
    }
});
```

I really don't know if it's something with the access settings, or with the API. I'm checking with the IT department too.

NOTE: In the 3Hub app (for Mac) I can log in with the credentials and read/write the 'cdn-html5' bucket without any problem.

ghost avatar Mar 13 '14 15:03 ghost

Are you using IAM credentials?

erem-ifg avatar Jul 23 '14 14:07 erem-ifg

Hey, this looks like the same error I'm getting when I try to upload using IAM credentials. When I use regular credentials it works fine. My guess is that I'm not setting a policy correctly somewhere on AWS. Any tips?

Thanks :)

brendanberg avatar Aug 27 '14 12:08 brendanberg

What about S3 Full Access? Does it work? It looks like the following:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
```

luhtonen avatar Oct 27 '14 10:10 luhtonen

OK, my issue lay entirely with my lack of understanding of S3 policies. Full access made it work and, through trial and error, I found out that the trailing /* is necessary in the statement allowing s3:GetObject, s3:PutObject, and s3:DeleteObject actions.

For reference, here's the policy that ended up working for me: https://gist.github.com/brendanberg/90129878e519647fdad3

brendanberg avatar Oct 27 '14 15:10 brendanberg

I would suggest that something should be added to the documentation regarding an example IAM policy. I had a look through the code to see what a minimum policy would be to lock it down to one bucket and I came up with this:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListObjects"],
      "Resource": ["arn:aws:s3:::YOURBUCKET"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:PutObjectAcl"],
      "Resource": ["arn:aws:s3:::YOURBUCKET/*"]
    }
  ]
}
```

It was the s3:PutObjectAcl that was tripping me up. The error information returned from Amazon is not super helpful, but when I read the code (it's also in the docs), it became apparent that it sets the ACL to public-read.

It doesn't seem to download or delete files (I see it's on the TODO list) but it may be a good idea to add those too (s3:GetObject and s3:DeleteObject).

You need to add extra permissions if you are using enableWeb or createBucket. Probably something like s3:ListAllMyBuckets, s3:CreateBucket, s3:GetBucketWebsite, s3:PutBucketWebsite etc.

ravenscar avatar Dec 09 '14 01:12 ravenscar
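The two points made above (brendanberg's note that the object-level grants need the trailing `/*`, and ravenscar's minimal one-bucket policy with `s3:PutObjectAcl` for the public-read upload) can be checked offline before keys are issued. The script below is an added example, not code from grunt-aws or from anyone in this thread: it builds the single-bucket policy and runs the calls an upload makes through a small IAM-style evaluator (explicit Deny wins, any matching Allow grants, otherwise implicit deny, with `*`/`?` wildcards). The bucket name, object key and the `allow_delete`/`enable_web` switches are constructed for the example. The listing grant is written as `s3:ListBucket`, which is the IAM action name for listing a bucket's objects; a policy that spells it `s3:ListObjects` grants nothing for that call.

```python
"""Least-privilege policy for one bucket, plus an offline IAM-style evaluator.

Added example (not grunt-aws code). Builds the single-bucket policy discussed
in the thread and evaluates the upload task's calls against it so the effect
of the trailing "/*" and of the s3:PutObjectAcl grant can be seen locally.
Bucket name, keys and option switches are constructed for the example.
"""
import json
import re


def build_bucket_policy(bucket, allow_delete=False, enable_web=False):
    """Return a policy document granting only what a one-bucket upload needs."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    # Object-level actions apply to keys inside the bucket, hence the "/*".
    object_actions = ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject"]
    if allow_delete:
        object_actions.append("s3:DeleteObject")
    statements = [
        # Listing is a bucket-level action: the resource is the bucket ARN itself.
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [bucket_arn]},
        {"Effect": "Allow", "Action": object_actions, "Resource": [bucket_arn + "/*"]},
    ]
    if enable_web:
        # Website configuration is also a bucket-level action.
        statements.append({
            "Effect": "Allow",
            "Action": ["s3:GetBucketWebsite", "s3:PutBucketWebsite"],
            "Resource": [bucket_arn],
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _glob_match(pattern, value):
    """IAM-style matching: '*' matches any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one action/resource pair.

    Mirrors the identity-policy part of IAM evaluation: an explicit Deny wins,
    otherwise any matching Allow grants, otherwise the request is implicitly
    denied. Action names compare case-insensitively; resource ARNs do not.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_glob_match(a.lower(), action.lower()) for a in actions):
            continue
        if not any(_glob_match(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def audit_upload(policy, bucket, key):
    """Evaluate the three calls a public-read upload of one object needs."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{key}"
    return {
        "s3:ListBucket": evaluate(policy, "s3:ListBucket", bucket_arn),
        "s3:PutObject": evaluate(policy, "s3:PutObject", object_arn),
        # Setting the public-read ACL is a separate permission from the upload itself.
        "s3:PutObjectAcl": evaluate(policy, "s3:PutObjectAcl", object_arn),
    }


def main():
    bucket = "cdn-html5"  # constructed, matching the bucket named in the thread
    key = "reader_api/1.0.0/scripts/app.js"  # constructed object key
    good = build_bucket_policy(bucket)
    print(json.dumps(good, indent=2))
    print("correct policy:", audit_upload(good, bucket, key))

    # Same grants, but the object statement lacks the trailing "/*": the upload
    # is implicitly denied even though s3:PutObject is listed.
    missing_wildcard = build_bucket_policy(bucket)
    missing_wildcard["Statement"][1]["Resource"] = [f"arn:aws:s3:::{bucket}"]
    print("missing /* :", audit_upload(missing_wildcard, bucket, key))

    # Any other bucket stays implicitly denied, which is the point of the policy.
    print("other bucket:", evaluate(good, "s3:ListBucket", "arn:aws:s3:::other-bucket"))


if __name__ == "__main__":
    main()
```

`audit_upload` deliberately checks the ACL call separately from the upload: an Access Denied on `s3:PutObjectAcl` looks identical to one on `s3:PutObject` in the error the task reports, and this is the split that makes the missing grant visible.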

Yep good idea - will update the docs when I get a chance


jpillora avatar Dec 09 '14 03:12 jpillora

Status on the IAM docs?

Haraldson avatar Jun 15 '15 08:06 Haraldson