I'm trying to set up an S3 bucket to accept anonymous uploads while allowing the bucket owner full rights and preventing public read access. Following the code from here I've set up the bucket policy below. I'd like to use curl to upload to the bucket, but all I'm getting is
Access Denied
Here's the bucket policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "allow-anon-put",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::[mybucket]/uploads/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Sid": "deny-other-actions",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": "arn:aws:iam::[myid]:root"
      },
      "NotAction": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::[mybucket]/*"
    }
  ]
}
And the curl POST:
curl --request PUT --upload-file "thefile.gif" -k https://[mybucket].s3.amazonaws.com/uploads/
Upvotes: 2
Views: 4520
Anonymous uploads are a bad idea, but at least this policy constraint requires that the uploader give you control of the object:
"Condition": {
  "StringEquals": {
    "s3:x-amz-acl": "bucket-owner-full-control"
  }
}
It's not intuitively obvious, but owning a bucket doesn't mean you own the objects. If they are not uploaded with credentials from your account, then you don't own them. You pay for them, of course, but if an object is uploaded into your bucket by another account or by the anonymous user, the only privilege you may end up with on that object is that you can delete it -- you can end up with objects you can't download or copy, just delete.
With this policy in place, the uploads have to comply with the policy, setting the object ACL to give you control:
curl ... -H 'x-amz-acl: bucket-owner-full-control'
Upvotes: 3
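To see why the bare PUT gets Access Denied while the PUT with the ACL header succeeds, here is an added Python model (not part of the question or the answer, and not an AWS library) of how S3 evaluates the two statements: an explicit Deny wins, then an explicit Allow, otherwise the request is implicitly denied. It also goes a step beyond the thread by checking an anonymous GET, an anonymous PutObjectAcl, and the owner's own GET under the bucket policy alone; the account id and bucket name are constructed placeholders for [myid] and [mybucket].

```python
"""Added model of how S3 evaluates the question's bucket policy (not an AWS library)."""
from fnmatch import fnmatchcase

OWNER = "arn:aws:iam::123456789012:root"  # constructed placeholder for [myid]
BUCKET = "arn:aws:s3:::example-bucket"    # constructed placeholder for [mybucket]
ANON = "anonymous"                        # unauthenticated requester, e.g. bare curl

# The two statements from the question, with Principal "*" standing in for {"AWS": "*"}.
POLICY = [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:PutObject"],
     "Resource": BUCKET + "/uploads/*",
     "Condition": {"s3:x-amz-acl": "bucket-owner-full-control"}},
    {"Effect": "Deny", "NotPrincipal": OWNER,
     "NotAction": ["s3:PutObject", "s3:PutObjectAcl"],
     "Resource": BUCKET + "/*"},
]

def matches(stmt, principal, action, resource, context):
    """True if the statement applies to this request (principal, action, resource, condition keys)."""
    if "Principal" in stmt:
        if stmt["Principal"] not in ("*", principal):
            return False
    elif stmt["NotPrincipal"] == principal:   # NotPrincipal: statement applies to everyone else
        return False
    if "Action" in stmt:
        if action not in stmt["Action"]:
            return False
    elif action in stmt["NotAction"]:         # NotAction: statement applies to every other action
        return False
    if not fnmatchcase(resource, stmt["Resource"]):
        return False
    # StringEquals: each condition key must be present in the request with exactly that value.
    # s3:x-amz-acl is populated from the request's x-amz-acl header; no header means no match.
    return all(context.get(k) == v for k, v in stmt.get("Condition", {}).items())

def evaluate(principal, action, resource, context=None):
    """AWS ordering: an explicit Deny wins, then an explicit Allow, otherwise implicit deny."""
    effects = {s["Effect"] for s in POLICY
               if matches(s, principal, action, resource, context or {})}
    if "Deny" in effects:
        return "explicit deny"
    return "allow" if "Allow" in effects else "implicit deny"

if __name__ == "__main__":
    key = BUCKET + "/uploads/thefile.gif"
    acl = {"s3:x-amz-acl": "bucket-owner-full-control"}
    print("anon PUT, no ACL header :", evaluate(ANON, "s3:PutObject", key))       # implicit deny
    print("anon PUT, ACL header    :", evaluate(ANON, "s3:PutObject", key, acl))  # allow
    print("anon GET                :", evaluate(ANON, "s3:GetObject", key))       # explicit deny
    print("anon PutObjectAcl       :", evaluate(ANON, "s3:PutObjectAcl", key))    # implicit deny
    # The bucket policy alone grants the owner nothing; the owner's IAM identity policy does.
    print("owner GET (policy alone):", evaluate(OWNER, "s3:GetObject", key))      # implicit deny
```

The first two results are the question's Access Denied and the answer's fix; the PutObjectAcl case shows that excluding an action from the Deny statement does not by itself allow it.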