Jack Rothrock

Reputation: 427

s3 bucket policy post

I'm trying to do a post to my bucket, and I'm a little confused on how the policy for the formdata is supposed to match the policy for my bucket.

require 'json'
require 'base64'

# Timestamps for the policy: x-amz-date is the current UTC day at midnight,
# and the credential scope uses the plain date stamp.
@time        = Time.now.utc
@time_policy = @time.strftime('%Y%m%dT000000Z')
@date_stamp  = @time.strftime('%Y%m%d')

# The POST policy document: an expiration plus the conditions that every
# form field of the upload must satisfy (bucket, SigV4 credential scope,
# signing algorithm and date).
ret = {
  "expiration" => 1.day.from_now.utc.xmlschema,
  "conditions" => [
    {"bucket" => Rails.application.secrets.aws_bucket},
    {"x-amz-credential" => "#{Rails.application.secrets.aws_access_key_id}/#{@date_stamp}/us-west-2/s3/aws4_request"},
    {"x-amz-algorithm" => "AWS4-HMAC-SHA256"},
    {"x-amz-date" => @time_policy},
  ]
}

# Base64-encode the JSON policy and strip the line breaks encode64 inserts.
@policy = Base64.encode64(ret.to_json).gsub(/\n|\r/, '')

Bucket Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow Get",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-development/*"
        },
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789:user/example"
            },
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-development/*","arn:aws:s3:::example-development"]
        }
    ]
}

Do these match? I haven't stumbled upon any documentation that shows a good side-by-side comparison of the two.

Upvotes: 0

Views: 440

Answers (1)

John Rotenstein

Reputation: 270144

The conditions are independent of the policy.

The conditions enforce particular attributes of the upload. For example, { "acl": "public-read" } enforces the rule that the upload must set the ACL to public-read. If the upload doesn't set that value, the upload will be rejected.

The bucket policy is enforced whenever something tries to access Amazon S3. So, "s3:x-amz-acl": "public-read" says that people can access the bucket as long as that value is true. This is a very strange thing to put in a bucket policy, because that attribute is only relevant for a PutObject operation. When reading an object from S3, it does not apply.

See Specifying Conditions in a Policy for an example of using it with PutObject.

Upvotes: 1
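To make the distinction in the answer concrete, here is an added Ruby example (not code from the question, the answer, or AWS) that builds a POST policy in the same shape as the question's snippet, signs it with the SigV4 key chain the x-amz-credential scope refers to, and then runs a small model of the check S3 applies to the submitted form fields. The credentials and bucket name are constructed placeholders; the `policy_violations` checker is an illustrative reimplementation of the condition matching, not S3's own code, and it treats the bucket and the content length as plain fields even though a real POST takes them from the request URL and the file body.

```ruby
require 'json'
require 'openssl'
require 'time'

# Constructed placeholder credentials and settings (not real values).
ACCESS_KEY_ID     = 'AKIAEXAMPLEPLACEHOLDER'
SECRET_ACCESS_KEY = 'example-secret-key-placeholder'
BUCKET            = 'example-development'
REGION            = 'us-west-2'

# Build the POST policy document: the question's conditions (bucket, credential
# scope, algorithm, date) plus the acl condition from the answer and two range
# conditions. `now` is a parameter so the output is deterministic.
def build_policy(now: Time.now.utc, acl: 'public-read')
  date_stamp = now.strftime('%Y%m%d')
  credential = "#{ACCESS_KEY_ID}/#{date_stamp}/#{REGION}/s3/aws4_request"
  {
    'expiration' => (now + 86_400).xmlschema,
    'conditions' => [
      { 'bucket' => BUCKET },
      { 'acl' => acl },
      ['starts-with', '$key', 'uploads/'],
      ['content-length-range', 0, 10 * 1024 * 1024],
      { 'x-amz-credential' => credential },
      { 'x-amz-algorithm' => 'AWS4-HMAC-SHA256' },
      { 'x-amz-date' => now.strftime('%Y%m%dT000000Z') }
    ]
  }
end

# Base64 of the JSON policy with no line breaks; pack('m0') is the strict
# encoding the question emulates with encode64 + gsub.
def encode_policy(policy)
  [JSON.generate(policy)].pack('m0')
end

def hmac(key, data)
  OpenSSL::HMAC.digest('sha256', key, data)
end

# SigV4 signing-key chain (date -> region -> service -> aws4_request), then a
# hex HMAC over the base64 policy string. This is what x-amz-signature carries.
def sign_policy(encoded_policy, date_stamp, secret: SECRET_ACCESS_KEY, region: REGION)
  k_date    = hmac("AWS4#{secret}", date_stamp)
  k_region  = hmac(k_date, region)
  k_service = hmac(k_region, 's3')
  k_signing = hmac(k_service, 'aws4_request')
  OpenSSL::HMAC.hexdigest('sha256', k_signing, encoded_policy)
end

# Hidden fields the HTML form posts alongside the file. The bucket really comes
# from the request URL and the length from the body; both are modelled as
# fields here so the checker below can see them.
def form_fields(policy, now:, key:, acl: 'public-read', content_length: 0)
  encoded    = encode_policy(policy)
  date_stamp = now.strftime('%Y%m%d')
  {
    'bucket'           => BUCKET,
    'acl'              => acl,
    'key'              => key,
    'content-length'   => content_length,
    'x-amz-credential' => "#{ACCESS_KEY_ID}/#{date_stamp}/#{REGION}/s3/aws4_request",
    'x-amz-algorithm'  => 'AWS4-HMAC-SHA256',
    'x-amz-date'       => now.strftime('%Y%m%dT000000Z'),
    'policy'           => encoded,
    'x-amz-signature'  => sign_policy(encoded, date_stamp)
  }
end

# Model of the check S3 performs on a POST (illustrative, not S3's code): every
# condition in the policy must hold for the submitted fields or the upload is
# rejected. Returns the list of violated conditions; empty means accepted.
def policy_violations(policy, fields)
  policy['conditions'].flat_map do |cond|
    case cond
    when Hash # exact-match condition, e.g. {"acl": "public-read"}
      cond.reject { |k, v| fields[k] == v }
          .map { |k, v| "#{k} must equal #{v.inspect}, got #{fields[k].inspect}" }
    when Array
      case cond[0]
      when 'starts-with'
        field = cond[1].to_s.delete_prefix('$')
        fields[field].to_s.start_with?(cond[2]) ? [] : ["#{field} must start with #{cond[2].inspect}"]
      when 'content-length-range'
        len = fields['content-length'].to_i
        (cond[1]..cond[2]).cover?(len) ? [] : ["content-length #{len} outside #{cond[1]}..#{cond[2]}"]
      else
        ["unsupported condition #{cond[0].inspect}"]
      end
    else
      ["unrecognised condition #{cond.inspect}"]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  now    = Time.now.utc
  policy = build_policy(now: now)
  fields = form_fields(policy, now: now, key: 'uploads/photo.png', content_length: 1024)
  puts "accepted: #{policy_violations(policy, fields).empty?}"
  puts "with private acl: #{policy_violations(policy, fields.merge('acl' => 'private')).inspect}"
end
```

The bucket policy from the question never enters this flow: S3 first verifies `x-amz-signature` over the base64 `policy`, then checks each form field against the conditions, and only after that evaluates whether the signing user (the principal in the bucket policy) is allowed to PutObject. A mismatch in the form fields is therefore reported as a policy-condition failure, not as a bucket-policy denial.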
