S3 Minimum POST Download Policy

I have successfully created a simple HTML form that submits a file to my Amazon S3 bucket. I followed the instructions here: http://aws.amazon.com/articles/1434

Now I am trying to create a minimal policy for a user who can execute the HTML POST form.

Here's the setting:

    userID: s3-uploader
    ACCESS-KEY-ID: AXAXAXAXAXAXAXAXAXAX

Here's the HTML form:

    <!DOCTYPE html>
    <html>
    <head>
        <title>S3 POST Form</title>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    </head>
    <body>
    <form action="https://<cname-for-upload-bucket>/" method="post" enctype="multipart/form-data">
        <input type="hidden" name="key" value="foo/$(unknown)">
        <input type="hidden" name="AWSAccessKeyId" value="AXAXAXAXAXAXAXAXAXAX">
        <input type="hidden" name="acl" value="private">
        <input type="hidden" name="success_action_redirect" value="https://s3.amazonaws.com/<bucket-01-name>/upload-success.html">
        <input type="hidden" name="policy" value="eyJleHBpcmF0aW9uIjogIjIwMTQtMTItMTNUMDA6MDA6MDBaIiwKICAgICJjb25kaXRpb25zIjogWwogICAgICAgIHsiYnVja2V0IjogInMzLXVwLmdyaWR3YXJkLm5ldCJ9LAogICAgICAgIFsic3RhcnRzLXdpdGgiLCAiJGtleSIsICJwZWQvIl0sCiAgICAgICAgeyJhY2wiOiAicHJpdmF0ZSJ9LAogICAgICAgIHsic3VjY2Vzc19hY3Rpb25fcmVkaXJlY3QiOiAiaHR0cHM6Ly9zMy5hbWF6b25hd3MuY29tL2dkd2QvdXBsb2FkLXN1Y2Nlc3MuaHRtbCJ9LAogICAgICAgIFsic3RhcnRzLXdpdGgiLCAiJENvbnRlbnQtVHlwZSIsICIiXSwKICAgICAgICBbImNvbnRlbnQtbGVuZ3RoLXJhbmdlIiwgMCwgMTA0ODU3Nl0KICAgIF0KfQ==">
        <input type="hidden" name="signature" value="WnbMCo0OY7g8oYkfxrVb8np4l94=">
        <input type="hidden" name="Content-Type" value="image/jpeg">
        <!-- Include any additional input fields here -->
        File to upload to S3:
        <input name="file" type="file">
        <br>
        <input type="submit" value="Upload File to S3">
    </form>
    </body>
    </html>

... and this is the unencoded version of the "policy" hidden input field:

    {
        "expiration": "2014-12-13T00:00:00Z",
        "conditions": [
            {"bucket": "<cname-for-upload-bucket>"},
            ["starts-with", "$key", "foo/"],
            {"acl": "private"},
            {"success_action_redirect": "https://s3.amazonaws.com/<bucket-01-name>/upload-success.html"},
            ["starts-with", "$Content-Type", ""],
            ["content-length-range", 0, 1048576]
        ]
    }

This all works when the user s3-uploader has this policy:

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": "*"
            }
        ]
    }

... but if I change the policy to something more explicit, yet apparently reasonable, I get an <AccessDenied /> response back from the same HTML form.

Here is the more stringent policy I tried:

    {
        "Statement": [
            {
                "Sid": "AllowS3uploader",
                "Action": [
                    "s3:ListAllMyBuckets",
                    "s3:ListBucket",
                    "s3:PutBucketAcl",
                    "s3:PutBucketPolicy",
                    "s3:PutObject",
                    "s3:PutObjectAcl"
                ],
                "Effect": "Allow",
                "Resource": "arn:aws:s3:::<cname-for-upload-bucket>",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::756342427722:user/s3-uploader"
                    ]
                }
            }
        ]
    }

I read the document here without getting any further clarity:
http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingIAMPolicies.html

So I ask Stack Overflow: what am I missing? I would prefer that the user s3-uploader not be allowed to perform every action (i.e. 's3:*') on the bucket.

+4
1 answer

The ARN you use in the Resource section is incorrect: you must use the actual bucket name instead of the CNAME record.

+3
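The following is an added worked example, not code from the question, the answer, or the linked AWS article. It shows the two halves of the setup side by side: how the form's hidden `policy` and `signature` values are derived from the JSON policy (base64 of the policy, then base64 of an HMAC-SHA1 over that string with the secret key, the legacy signature scheme the linked form uses), and what a least-privilege identity policy for the uploading user looks like once the answer is applied. Two facts beyond the answer are relied on: `s3:PutObject` and `s3:PutObjectAcl` are object-level actions, so the Resource must be an object ARN (`arn:aws:s3:::<bucket-name>/foo/*`), not the bucket ARN alone; and an identity-based policy attached to an IAM user takes no `Principal` element. The bucket name `example-upload-bucket`, the secret key string and the `policy_allows_put` evaluator (Allow statements only, no Deny or Condition handling) are constructed for this example.

```python
import base64
import fnmatch
import hashlib
import hmac
import json

# Constructed placeholders for this example; none of these come from the question.
BUCKET = "example-upload-bucket"           # the real bucket name, not its CNAME
KEY_PREFIX = "foo/"
SECRET_KEY = "EXAMPLE-SECRET-KEY-NOT-REAL"  # placeholder; a real secret never belongs in a page


def build_post_policy(bucket, prefix, expiration="2014-12-13T00:00:00Z", max_bytes=1048576):
    """Browser-POST policy document with the same conditions as the question's form."""
    return {
        "expiration": expiration,
        "conditions": [
            {"bucket": bucket},
            ["starts-with", "$key", prefix],
            {"acl": "private"},
            ["starts-with", "$Content-Type", ""],
            ["content-length-range", 0, max_bytes],
        ],
    }


def _hmac_sha1_b64(policy_b64, secret_key):
    """Legacy (signature v2) browser-POST signature: base64(HMAC-SHA1(secret, policy_b64))."""
    mac = hmac.new(secret_key.encode("utf-8"), policy_b64.encode("ascii"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def sign_post_policy(policy, secret_key):
    """Return the values for the form's hidden 'policy' and 'signature' inputs."""
    policy_b64 = base64.b64encode(json.dumps(policy).encode("utf-8")).decode("ascii")
    return policy_b64, _hmac_sha1_b64(policy_b64, secret_key)


def decode_post_policy(policy_b64):
    """Recover the policy document from the 'policy' form value."""
    return json.loads(base64.b64decode(policy_b64))


def signature_is_valid(policy_b64, signature, secret_key):
    """Constant-time check that 'signature' was produced over this exact 'policy' value."""
    return hmac.compare_digest(_hmac_sha1_b64(policy_b64, secret_key), signature)


def minimal_iam_policy(bucket, prefix):
    """Least-privilege identity policy for the uploading user.

    s3:PutObject / s3:PutObjectAcl are object-level actions, so the Resource is an
    object ARN (bucket name, then the key prefix), not the bucket ARN alone.
    Identity policies carry no Principal element.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowPostUploadsUnderPrefix",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:PutObjectAcl"],
            "Resource": "arn:aws:s3:::%s/%s*" % (bucket, prefix),
        }],
    }


def object_arn(bucket, key):
    return "arn:aws:s3:::%s/%s" % (bucket, key)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows_put(policy, bucket, key):
    """Simplified evaluator (constructed; Allow statements only, no Deny, no Condition):
    does any statement grant s3:PutObject on the object ARN? IAM wildcards: '*' spans
    any characters, '/' included, which fnmatch reproduces."""
    target = object_arn(bucket, key)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase("s3:PutObject", a) for a in _as_list(stmt["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(target, r) for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


if __name__ == "__main__":
    policy_b64, signature = sign_post_policy(build_post_policy(BUCKET, KEY_PREFIX), SECRET_KEY)
    print("policy field:   ", policy_b64)
    print("signature field:", signature)
    print(json.dumps(minimal_iam_policy(BUCKET, KEY_PREFIX), indent=2))
    # Bucket ARN alone (as in the question's stricter policy) does not cover an object key.
    print(policy_allows_put({"Statement": [{"Effect": "Allow", "Action": ["s3:PutObject"],
                                            "Resource": "arn:aws:s3:::" + BUCKET}]},
                            BUCKET, "foo/photo.jpg"))  # False
    print(policy_allows_put(minimal_iam_policy(BUCKET, KEY_PREFIX), BUCKET, "foo/photo.jpg"))  # True
```

Running it prints the two form field values and the minimal policy, then `False` for a Resource that names only the bucket (the shape of the question's stricter policy) and `True` for the object-prefix ARN. The listing and bucket-level actions from the question's policy (`s3:ListAllMyBuckets`, `s3:PutBucketAcl`, `s3:PutBucketPolicy`) are omitted on purpose: a browser POST upload needs none of them, and `s3:PutBucketPolicy` in particular would let the upload credential widen its own access.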
