Clean Up IAM Policy #123
Open
Clean Up IAM Policy #123
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The existing policy tries to set some bucket policies against S3 objects which is invalid per AWS docs here: http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html This change sets read/write/delete permissions on all objects in the bucket / bucket and prefix if given and listing permissions for the bucket with a conditional prefix if given. All bucket sub resource operations have also been moved into a separate rule (readonly) for the bucket. I think these are might not be needed by S3-Uploads as they were not specified properly before but it seems harmless to give read permissions to the key and may be useful in the future for the plugin to trigger different actions depending on how the S3 bucket is configured. As examples under the updated policy, here's the full policy returned when `S3_UPLOADS_BUCKET` is set to a bucket only, `static.xyu.io`: ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "ObjectOperationsReadWriteDelete", "Effect": "Allow", "Resource": "arn:aws:s3:::static.xyu.io/*", "Action": [ "s3:GetObject", "s3:PutObject", "s3:GetObjectAcl", "s3:PutObjectAcl", "s3:DeleteObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts" ] }, { "Sid": "BucketOperationsListContents", "Effect": "Allow", "Resource": "arn:aws:s3:::static.xyu.io", "Condition": { "StringLike": { "s3:prefix": [ "*" ], "s3:delimiter": [ "/" ] } }, "Action": [ "s3:ListBucket" ] }, { "Sid": "BucketSubresourceOperationsRead", "Effect": "Allow", "Resource": "arn:aws:s3:::static.xyu.io", "Action": [ "s3:GetAccelerateConfiguration", "s3:GetBucketAcl", "s3:GetBucketCORS", "s3:GetBucketVersioning", "s3:GetBucketRequestPayment", "s3:GetBucketLocation", "s3:GetBucketPolicy", "s3:GetBucketNotification", "s3:GetBucketLogging", "s3:GetBucketTagging", "s3:GetBucketWebsite", "s3:GetLifecycleConfiguration", "s3:GetReplicationConfiguration" ] } ] } ``` And when `S3_UPLOADS_BUCKET` is set to a bucket and path, `static.xyu.io/test`: ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "ObjectOperationsReadWriteDelete", "Effect": "Allow", "Resource": "arn:aws:s3:::static.xyu.io/test/*", "Action": [ "s3:GetObject", "s3:PutObject", "s3:GetObjectAcl", "s3:PutObjectAcl", "s3:DeleteObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts" ] }, { "Sid": "BucketOperationsListContents", "Effect": "Allow", "Resource": "arn:aws:s3:::static.xyu.io", "Condition": { "StringLike": { "s3:prefix": [ "test/*" ], "s3:delimiter": [ "/" ] } }, "Action": [ "s3:ListBucket" ] }, { "Sid": "BucketSubresourceOperationsRead", "Effect": "Allow", "Resource": "arn:aws:s3:::static.xyu.io", "Action": [ "s3:GetAccelerateConfiguration", "s3:GetBucketAcl", "s3:GetBucketCORS", "s3:GetBucketVersioning", "s3:GetBucketRequestPayment", "s3:GetBucketLocation", "s3:GetBucketPolicy", "s3:GetBucketNotification", "s3:GetBucketLogging", "s3:GetBucketTagging", "s3:GetBucketWebsite", "s3:GetLifecycleConfiguration", "s3:GetReplicationConfiguration" ] } ] } ```
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The existing policy tries to set some bucket policies against S3 objects which is invalid per AWS docs here:
http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
This change sets read/write/delete permissions on all objects in the bucket / bucket and prefix if given and listing permissions for the bucket with a conditional prefix if given. All bucket sub resource operations have also been moved into a separate rule (readonly) for the bucket. I think these are might not be needed by S3-Uploads as they were not specified properly before but it seems harmless to give read permissions to the key and may be useful in the future for the plugin to trigger different actions depending on how the S3 bucket is configured.
As examples under the updated policy, here's the full policy returned when
S3_UPLOADS_BUCKETis set to a bucket only,static.xyu.io:And when
S3_UPLOADS_BUCKETis set to a bucket and path,static.xyu.io/test: