Reputation: 7083
I have a bucket set up in S3, test-bucket, and I am trying to configure a user IAM policy to allow programmatic access from my web app hosted elsewhere. This is just a simple flat bucket with no folders.
I added a User in the IAM configuration, and created a set of access keys. Finally, I set up an access policy that looks like this:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::test-bucket"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::test-bucket/*"
    }
  ]
}
Using this, I can successfully programmatically list the contents of my bucket and download individual files in the bucket. But when I try to upload something programmatically I get an Access Denied error:
<Error>
  <Code>AccessDenied</Code>
  <Message>Access Denied</Message>
  ...
</Error>
I know that this policy works for GET and LIST: for instance, when I remove the line "s3:GetObject" from the policy, download no longer works. But for the life of me I can't figure out why upload doesn't work. I'm testing this all out via my webapp running on localhost. Any ideas on how to get upload working?
Upvotes: 2
Views: 1782
Reputation: 7083
Turns out I needed to add the following permission:
"s3:PutObjectAcl"
So that the allowed actions look like this now:
"Action": [
  "s3:PutObject",
  "s3:PutObjectAcl",
  "s3:GetObject",
  "s3:DeleteObject"
]
I got the idea from here, but I'm not completely sure why this applies to me since I'm not changing the permissions of the files. But it works.
Upvotes: 1
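An added example, not code from the question or answer: a small local evaluator of the policy above, with the answer's fix applied, to check which permissions an upload request needs before touching AWS. It assumes the common cause of this symptom, that the client library attaches an ACL (an x-amz-acl header) to the upload, which makes S3 require s3:PutObjectAcl in addition to s3:PutObject; if the app does not need to set an ACL, turning that option off is the tighter fix, since s3:PutObjectAcl also lets the key make objects public.

```python
import copy
import fnmatch

# Constructed copy of the policy from the question (the bucket name is the page's own).
ORIGINAL_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"],
         "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": "arn:aws:s3:::test-bucket"},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::test-bucket/*"},
    ]
}

# The answer's fix: s3:PutObjectAcl on the bucket's objects only, nothing wider.
FIXED_POLICY = copy.deepcopy(ORIGINAL_POLICY)
FIXED_POLICY["Statement"][2]["Action"].append("s3:PutObjectAcl")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow
    grants, otherwise implicit deny. '*' and '?' wildcards are honoured in Action
    (case-insensitive) and Resource, as IAM does."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def actions_for_upload(acl=None):
    """Permissions a PutObject request needs: s3:PutObject, plus s3:PutObjectAcl
    when the request carries an ACL (the SDKs' ACL='public-read' style option)."""
    return ["s3:PutObject"] + (["s3:PutObjectAcl"] if acl else [])

def upload_permitted(policy, key, acl=None):
    """True when every permission the upload request needs is granted on the object."""
    resource = f"arn:aws:s3:::test-bucket/{key}"
    return all(is_allowed(policy, a, resource) for a in actions_for_upload(acl))
```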