["REQUEST"] AWS S3 configuration docs are missing permissions requirements for the IAM user owning the AWS_ACCESS_KEY
Hi guys, I've been recently configuring my staging environment and I've created a new user on S3 with programmatic-only access, and I want to restrict its access to only one bucket.
I think you need to specify the list of permissions that the AWS_ACCESS_KEY_ID has to have in order for Strapi to function properly. I can only guess now that it will be enough to have read/put/delete permissions, but to make sure my Strapi works, I have to leave all the other permissions in the policy that I've created for this user.
What I'm sure about is to disable the S3 * and ListAllMyBuckets for this user; however, I'm not feeling safe leaving all the other permissions without understanding whether those are needed.
After debugging a little bit, I ended up using this policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:ListStorageLensConfigurations",
        "s3:ListAccessPointsForObjectLambda",
        "s3:GetAccessPoint",
        "s3:PutAccountPublicAccessBlock",
        "s3:GetAccountPublicAccessBlock",
        "s3:ListAllMyBuckets",
        "s3:ListAccessPoints",
        "s3:ListJobs",
        "s3:PutStorageLensConfiguration",
        "s3:CreateJob"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::omb-strapi-upload-staging",
        "arn:aws:s3::875204560975:job/*",
        "arn:aws:s3:::omb-strapi-upload-staging/*",
        "arn:aws:s3::875204560975:accesspoint/*"
      ]
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "s3:ListStorageLensConfigurations",
        "s3:ListAccessPointsForObjectLambda",
        "s3:GetAccessPoint",
        "s3:GetAccountPublicAccessBlock",
        "s3:ListAccessPoints",
        "s3:ListJobs",
        "s3:PutStorageLensConfiguration"
      ],
      "Resource": "arn:aws:s3:::omb-strapi-upload-staging"
    }
  ]
}
```
It might be a good idea to provide a policy JSON template in the documentation. It is working for me now, but I'm still not 100% sure that it is safe.
A little reference to the documentation on how to edit those permissions for a specific IAM user that I found helpful: https://aws.amazon.com/premiumsupport/knowledge-center/s3-console-access-certain-bucket/
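An added example (not from the original post or the Strapi project) that audits a policy document shaped like the one above for the concerns the post raises: wildcard actions, a `Resource` of `*`, `s3:ListAllMyBuckets`, and resources outside the single bucket. The expected action set and the minimal policy it generates are assumptions based on the post's read/put/delete guess, not Strapi's documented requirements; the bucket name and account id in the sample are placeholders.

```python
import json

# Actions the upload use case plausibly needs; this follows the post's own
# read/put/delete guess and is an assumption, not Strapi's documented requirement.
EXPECTED_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy: dict, bucket: str) -> list[str]:
    """Return findings for Allow statements that exceed single-bucket scope."""
    bucket_arns = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = set(_as_list(st.get("Action", [])))
        resources = _as_list(st.get("Resource", []))
        wildcards = {a for a in actions if a.endswith("*")}
        findings += [f"{sid}: wildcard action {a}" for a in sorted(wildcards)]
        if "s3:ListAllMyBuckets" in actions:
            findings.append(f"{sid}: s3:ListAllMyBuckets enumerates every bucket in the account")
        extra = sorted(actions - EXPECTED_ACTIONS - wildcards - {"s3:ListAllMyBuckets"})
        if extra:
            findings.append(f"{sid}: actions beyond the expected upload set: {extra}")
        for r in resources:
            if r == "*":
                findings.append(f"{sid}: Resource '*' is not scoped to the bucket")
            elif r not in bucket_arns:
                findings.append(f"{sid}: Resource {r} is outside bucket {bucket}")
    return findings

def minimal_policy(bucket: str) -> dict:
    """Single-bucket policy limited to EXPECTED_ACTIONS (assumed sufficient; verify in staging)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "BucketListing", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Sid": "ObjectAccess", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": f"arn:aws:s3:::{bucket}/*"}]}

# Constructed sample shaped like the post's policy; bucket name and account id are placeholders.
BROAD_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "VisualEditor0", "Effect": "Allow",
   "Action": ["s3:ListAllMyBuckets", "s3:PutAccountPublicAccessBlock"], "Resource": "*"},
  {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "s3:*",
   "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*",
                "arn:aws:s3::111122223333:job/*"]}]}""")
```

Calling `audit_policy(BROAD_POLICY, "example-bucket")` lists each over-broad grant, while `minimal_policy("example-bucket")` produces a document that passes the same check and can be tightened or widened as staging tests show what the upload provider actually calls.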