
Setting Up Proper Amazon S3 Permissions for ActiveStorage

Kyle Keesling on January 28, 2020

If you’ve found yourself marveling at how cryptic and impenetrable AWS services can be to understand, then you are definitely not alone. For much too long...
Janko Marohnić

I believe arn:aws:s3:::*/* will allow access to objects on any bucket the IAM user has access to. You should probably use arn:aws:s3:::NAME_OF_YOUR_BUCKET_GOES_HERE/* if you want to restrict access just to that bucket.

Kyle Keesling

I was leaning on the S3 policy builder for feedback and misinterpreted its recommendation. Always learning 😁 thanks for the catch. I’ve updated the post to reflect this.

Janko Marohnić

Note that the s3:ListBucket permission still needs to be on the bucket resource, i.e. arn:aws:s3:::NAME_OF_YOUR_BUCKET_GOES_HERE. This permission allows you to list objects in the bucket, which is needed for ActiveStorage's #delete_prefixed.

Kyle Keesling • Edited

Ahh - that must be what was causing my validation warning in the editor! How does this look?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME_GOES_HERE/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::BUCKET_NAME_GOES_HERE"
        }
    ]
}
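The two points raised in this thread (object-level permissions belong on `arn:aws:s3:::BUCKET/*` rather than `arn:aws:s3:::*/*`, and `s3:ListBucket` must be granted on the bucket ARN itself) can be checked mechanically before a policy is attached. The following is an added example, not code from the post, its comments or ActiveStorage: a small Ruby evaluator for the slice of IAM policy semantics the thread touches (Effect, Action and Resource with `*`/`?` wildcards, explicit Deny beating Allow; no Condition, Principal, NotAction or NotResource). The "before" policy is constructed from Janko's description, and the bucket name `example-app-uploads` is a placeholder.

```ruby
require "json"

# Added example: a deliberately small evaluator for IAM Effect/Action/Resource
# matching. It is NOT a full IAM implementation (no Condition, Principal,
# NotAction/NotResource); it exists to answer the questions raised in the thread.
module S3PolicyCheck
  module_function

  # "arn:aws:s3:::my-bucket/*" -> /\Aarn:aws:s3:::my\-bucket\/.*\z/
  def wildcard_to_regexp(pattern)
    escaped = Regexp.escape(pattern).gsub('\*', ".*").gsub('\?', ".")
    /\A#{escaped}\z/
  end

  # IAM action names match case-insensitively; resource ARNs are case-sensitive.
  def action_matches?(statement_actions, action)
    Array(statement_actions).any? { |pat| wildcard_to_regexp(pat.downcase).match?(action.downcase) }
  end

  def resource_matches?(statement_resources, resource)
    Array(statement_resources).any? { |pat| wildcard_to_regexp(pat).match?(resource) }
  end

  # :allow, :deny or :implicit_deny for one action on one resource ARN.
  def evaluate(policy, action, resource)
    verdict = :implicit_deny
    Array(policy.fetch("Statement")).each do |st|
      next unless action_matches?(st["Action"], action) && resource_matches?(st["Resource"], resource)
      return :deny if st["Effect"] == "Deny"
      verdict = :allow
    end
    verdict
  end

  def allowed?(policy, action, resource)
    evaluate(policy, action, resource) == :allow
  end

  # The three questions from the thread, answered for one bucket name:
  # can the app touch its own objects, can it touch other buckets' objects,
  # and does ListBucket (needed by #delete_prefixed) apply to the bucket ARN?
  def review(policy, bucket)
    bucket_arn = "arn:aws:s3:::#{bucket}"
    {
      object_ops_on_own_bucket: %w[s3:PutObject s3:GetObject s3:DeleteObject]
                                  .all? { |a| allowed?(policy, a, "#{bucket_arn}/uploads/key") },
      object_ops_on_other_bucket: allowed?(policy, "s3:GetObject", "arn:aws:s3:::some-other-bucket/uploads/key"),
      list_bucket_on_bucket_arn: allowed?(policy, "s3:ListBucket", bucket_arn)
    }
  end
end

# Constructed "before" policy in the shape Janko's comments describe: every
# action, ListBucket included, granted on the object wildcard for all buckets.
BROAD_POLICY = JSON.parse(<<~POLICY)
  { "Version": "2012-10-17",
    "Statement": [ { "Effect": "Allow",
                     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:ListBucket"],
                     "Resource": "arn:aws:s3:::*/*" } ] }
POLICY

# The corrected policy from the end of the thread, with the placeholder filled in.
def scoped_policy(bucket)
  JSON.parse(<<~POLICY.gsub("BUCKET_NAME_GOES_HERE", bucket))
    { "Version": "2012-10-17",
      "Statement": [
        { "Sid": "VisualEditor0", "Effect": "Allow",
          "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
          "Resource": ["arn:aws:s3:::BUCKET_NAME_GOES_HERE/*"] },
        { "Sid": "VisualEditor1", "Effect": "Allow",
          "Action": "s3:ListBucket",
          "Resource": "arn:aws:s3:::BUCKET_NAME_GOES_HERE" } ] }
  POLICY
end

if $PROGRAM_NAME == __FILE__
  bucket = "example-app-uploads" # constructed placeholder bucket name
  puts "broad:  #{S3PolicyCheck.review(BROAD_POLICY, bucket)}"
  puts "scoped: #{S3PolicyCheck.review(scoped_policy(bucket), bucket)}"
end
```

Running it shows the broad policy reaching objects in any bucket while never matching the bucket ARN (so `s3:ListBucket` is silently useless there), and the scoped policy confining object operations to the named bucket with `ListBucket` landing on the bucket ARN as Janko's note requires.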