Add s3:PutObjectAcl to write policies #82

Open
simonw opened this issue Nov 28, 2022 · 3 comments
Labels
enhancement New feature or request

Comments

@simonw
Owner

simonw commented Nov 28, 2022

This came up here:

It turned out django-storages needs a write policy that includes s3:PutObjectAcl: https://django-storages.readthedocs.io/en/latest/backends/amazon-S3.html#iam-policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Principal": {
                "AWS": "arn:aws:iam::example-AWS-account-ID:user/example-user-name"
            },
            "Resource": [
                "arn:aws:s3:::example-bucket-name/*",
                "arn:aws:s3:::example-bucket-name"
            ]
        }
    ]
}

Looks like I should add s3:GetObjectAcl to the default read policies too.

@simonw simonw added the enhancement New feature or request label Nov 28, 2022
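As an added example (not code from s3-credentials or from this issue), here is a small Python checker that builds hypothetical read and write policy documents carrying the ACL actions discussed above (s3:GetObjectAcl on the read side, s3:PutObjectAcl on the write side) and reports which of the django-storages actions a given policy still lacks. The policy shapes, the function names and the `fnmatch` handling of wildcard actions are assumptions made for this example, not the project's own API.

```python
import json
from fnmatch import fnmatchcase

# Actions django-storages asks for, taken from the policy quoted in this issue.
DJANGO_STORAGES_ACTIONS = {
    "s3:PutObject", "s3:GetObjectAcl", "s3:GetObject",
    "s3:ListBucket", "s3:DeleteObject", "s3:PutObjectAcl",
}


def read_policy(bucket: str) -> dict:
    """Hypothetical read-only policy: list the bucket, read objects and their ACLs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
            },
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:GetObjectAcl"],
                "Resource": [f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }


def write_policy(bucket: str) -> dict:
    """Hypothetical read/write policy: the read policy plus put/delete and s3:PutObjectAcl."""
    policy = read_policy(bucket)
    policy["Statement"].append(
        {
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl"],
            "Resource": [f"arn:aws:s3:::{bucket}/*"],
        }
    )
    return policy


def allowed_actions(policy: dict) -> set:
    """Collect every action pattern granted by an Allow statement.

    Deny statements are ignored here on purpose: this checker only answers
    "could this policy grant X", not the full IAM evaluation with resource
    and condition matching.
    """
    actions = set()
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        action = statement.get("Action", [])
        # "Action" may be a single string or a list of strings.
        if isinstance(action, str):
            action = [action]
        actions.update(action)
    return actions


def missing_actions(policy: dict, required: set) -> set:
    """Return the required actions that no Allow statement covers.

    Wildcards such as "s3:*" or "s3:Get*" are matched with fnmatch, so a
    broad grant counts as covering the specific action.
    """
    patterns = allowed_actions(policy)
    return {
        action for action in required
        if not any(fnmatchcase(action, pattern) for pattern in patterns)
    }


if __name__ == "__main__":
    # Constructed input: a write policy that forgot s3:PutObjectAcl, the gap this issue is about.
    incomplete = json.loads(json.dumps(write_policy("example-bucket-name")))
    incomplete["Statement"][-1]["Action"].remove("s3:PutObjectAcl")
    print("missing from incomplete write policy:",
          sorted(missing_actions(incomplete, DJANGO_STORAGES_ACTIONS)))
    print("missing from full write policy:",
          sorted(missing_actions(write_policy("example-bucket-name"), DJANGO_STORAGES_ACTIONS)))
```

Running it prints `['s3:PutObjectAcl']` for the incomplete policy and `[]` for the full one, which is the quick way to confirm that a generated policy actually covers what a client library documents as required before attaching it to a user.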
@simonw
Owner Author

simonw commented Nov 28, 2022

Should I add s3:PutObjectTagging too? Worth reviewing these in full.

From the Wagtail docs at https://docs.wagtail.org/en/stable/advanced_topics/deploying.html#cloud-storage I found a link to this documentation about S3 ACLs: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#permissions

It looks like ACLs are no longer recommended (I think IAM came later) but that document DOES include a useful mapping of the old read/write ACLs to their modern permissions:

[screenshot of the ACL-to-permission mapping table from the AWS ACL overview; image not captured]
