jpillora / grunt-aws

A Grunt interface into the Amazon Node.JS SDK

Access Denied when accessKeyId has some restrictions #10

Open ghost opened 10 years ago

ghost commented 10 years ago

Hi, I'm getting Access Denied when trying to upload files to my bucket.

The accessKey that I need to use has some restrictions in the S3 directory: it can only see 1 bucket, and can't list/access others.

The IT guys at my company are setting the S3 access with this kind of policy now. When the keys are set with "fullaccess" the api works fine, but now that they are changing I'm getting this error.

Is there any way to define that kind of access in options?

Here's how I'm using this api to upload to the bucket.

    // Gruntfile.js (the aws/s3 part; yeoman.dist and yeoman.version are defined elsewhere in the config)
    module.exports = function (grunt) {
        grunt.initConfig({
            // credentials.json holds { "accessKeyId": "...", "secretAccessKey": "..." }
            aws: grunt.file.readJSON("credentials.json"),
            s3: {
                options: {
                    accessKeyId: "<%= aws.accessKeyId %>",
                    secretAccessKey: "<%= aws.secretAccessKey %>",
                    bucket: "cdn-html5",
                    cacheTTL: 0
                },
                build: {
                    files: [
                        {
                            cwd: "<%= yeoman.dist %>",
                            src: ["scripts/**", "styles/**", "images/**", "doc/**", "swf/**"],
                            dest: "reader_api/<%= yeoman.version %>/"
                        },
                        {
                            cwd: "<%= yeoman.dist %>",
                            src: ["static/**"],
                            dest: "reader_api/"
                        }
                    ]
                }
            }
        });

        grunt.loadNpmTasks("grunt-aws");
    };

I really don't know if it's something with the access settings, or with the api. I'm trying to see with the IT department too.

NOTE: Opening in the 3Hub app (for Mac) I can log in with the credentials and read/write the 'cdn-html5' bucket without any problem.

erem-ifg commented 10 years ago

Are you using IAM credentials?

brendanberg commented 10 years ago

Hey, this looks like the same error I'm getting when I try to upload using IAM credentials. When I use regular credentials it works fine. My guess is that I'm not setting a policy correctly somewhere on AWS. Any tips?

Thanks :)

luhtonen commented 9 years ago

What about S3 Full Access? Does it work? It looks like the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}

brendanberg commented 9 years ago

OK, my issue lay entirely with my lack of understanding of S3 policies. Full access made it work and, through trial and error, I found out that the trailing /* is necessary in the statement allowing s3:GetObject, s3:PutObject, and s3:DeleteObject actions.

For reference, here's the policy that ended up working for me: https://gist.github.com/brendanberg/90129878e519647fdad3

ravenscar commented 9 years ago

I would suggest that something should be added to the documentation regarding an example IAM policy. I had a look through the code to see what a minimum policy would be to lock it down to one bucket and I came up with this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListObjects"],
      "Resource": ["arn:aws:s3:::YOURBUCKET"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:PutObjectAcl"],
      "Resource": ["arn:aws:s3:::YOURBUCKET/*"]
    }
  ]
}

It was the s3:PutObjectAcl that was tripping me up. The error information returned from Amazon is not super helpful, but when I read the code (it's also in the docs), it became apparent that it sets the ACL to public-read.

It doesn't seem to download or delete files (I see it's on the TODO list) but it may be a good idea to add those too (s3:GetObject and s3:DeleteObject).

You need to add extra permissions if you are using enableWeb or createBucket. Probably something like s3:ListAllMyBuckets, s3:CreateBucket, s3:GetBucketWebsite, s3:PutBucketWebsite etc.
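The two policy points in this thread, brendanberg's trailing /* and ravenscar's s3:PutObjectAcl, both come down to which ARN each IAM action is evaluated against: object actions are checked against arn:aws:s3:::BUCKET/KEY, listing is checked against the bucket ARN itself. The following JavaScript is an added example and not grunt-aws's own code. It derives the grants the s3 task needs for one bucket, writes them out as a policy document, and checks an arbitrary policy offline to report which grant is missing. It uses s3:ListBucket for listing, since that is the IAM action the SDK's listObjects call is authorized by; the createBucket/enableWeb action sets follow ravenscar's guess above, and the helper names (requiredGrants, buildPolicy, missingGrants, isAllowed) and the sample policy are assumptions of this example. The evaluator ignores Condition, NotAction, NotResource and bucket policies.

```javascript
// Added example, not grunt-aws code: least-privilege S3 grants for the
// grunt-aws s3 task, emitted as an IAM policy and checked offline.
// Action names are real IAM S3 actions; the enableWeb/createBucket sets are
// an assumption taken from the comment above.

// Every upload is a PutObject with ACL public-read, so the key needs
// s3:PutObject and s3:PutObjectAcl on the *object* ARN (BUCKET/*).
// Listing keys is authorized by s3:ListBucket on the *bucket* ARN,
// which has no trailing /*.
function requiredGrants(bucket, opts = {}) {
  const bucketArn = 'arn:aws:s3:::' + bucket;
  const grants = [
    { action: 's3:ListBucket', resource: bucketArn },
    { action: 's3:PutObject', resource: bucketArn + '/*' },    // "/*" = every object
    { action: 's3:PutObjectAcl', resource: bucketArn + '/*' },
  ];
  if (opts.createBucket) {
    grants.push({ action: 's3:CreateBucket', resource: bucketArn });
  }
  if (opts.enableWeb) {
    grants.push({ action: 's3:GetBucketWebsite', resource: bucketArn });
    grants.push({ action: 's3:PutBucketWebsite', resource: bucketArn });
  }
  return grants;
}

// One Allow statement per resource ARN, so bucket-level and object-level
// actions never share a Resource line.
function buildPolicy(bucket, opts = {}) {
  const byResource = new Map();
  for (const g of requiredGrants(bucket, opts)) {
    if (!byResource.has(g.resource)) byResource.set(g.resource, []);
    byResource.get(g.resource).push(g.action);
  }
  const Statement = [...byResource].map(([Resource, Action]) => ({
    Effect: 'Allow', Action, Resource: [Resource],
  }));
  return { Version: '2012-10-17', Statement };
}

const asArray = (v) => (Array.isArray(v) ? v : [v]);
const escapeRe = (s) => s.replace(/[.+^${}()|[\]\\?]/g, '\\$&');

// IAM-style glob: '*' matches any run of characters. Action names compare
// case-insensitively, resource ARNs case-sensitively.
function globMatch(pattern, value, caseInsensitive) {
  const src = '^' + pattern.split('*').map(escapeRe).join('.*') + '$';
  return new RegExp(src, caseInsensitive ? 'i' : '').test(value);
}

function statementMatches(st, action, resource) {
  return asArray(st.Action).some((a) => globMatch(a, action, true)) &&
    asArray(st.Resource).some((r) => globMatch(r, resource, false));
}

// Simplified identity-policy evaluation: an explicit Deny wins, otherwise at
// least one matching Allow is required. Conditions, NotAction, NotResource
// and bucket policies are out of scope here.
function isAllowed(policy, action, resource) {
  const hits = policy.Statement.filter((st) => statementMatches(st, action, resource));
  if (hits.some((st) => st.Effect === 'Deny')) return false;
  return hits.some((st) => st.Effect === 'Allow');
}

// Which of the task's required grants does this policy fail to cover?
function missingGrants(policy, bucket, opts = {}) {
  return requiredGrants(bucket, opts)
    .filter((g) => !isAllowed(policy, g.action, g.resource));
}

// Constructed sample: names the bucket ARN but forgets the trailing /* for
// the object actions, the mistake discussed in this thread.
const noTrailingSlashStar = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: ['s3:ListBucket', 's3:PutObject', 's3:PutObjectAcl'],
    Resource: ['arn:aws:s3:::cdn-html5'],
  }],
};

console.log(JSON.stringify(buildPolicy('cdn-html5'), null, 2));
console.log(missingGrants(noTrailingSlashStar, 'cdn-html5').map((g) => g.action));
```

Run it with node; the second line printed is the list of actions the broken policy does not cover (PutObject and PutObjectAcl), which is the same pair that produces the unhelpful Access Denied from S3. Feeding it a policy that grants s3:ListObjects instead of s3:ListBucket reports ListBucket as missing, because IAM never matches an action name that does not exist.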

jpillora commented 9 years ago

Yep good idea - will update the docs when I get a chance

On Tuesday, December 9, 2014, ravenscar notifications@github.com wrote:

> I would suggest that something should be added to the documentation regarding an example IAM policy. I had a look through the code to see what a minimum policy would be to lock it down to one bucket and I came up with this:
>
> {
>   "Version": "2012-10-17",
>   "Statement": [
>     {
>       "Effect": "Allow",
>       "Action": ["s3:ListObjects"],
>       "Resource": ["arn:aws:s3:::YOURBUCKET"]
>     },
>     {
>       "Effect": "Allow",
>       "Action": ["s3:PutObject", "s3:PutObjectAcl"],
>       "Resource": ["arn:aws:s3:::YOURBUCKET/*"]
>     }
>   ]
> }
>
> It was the "s3:PutObjectAcl" that was tripping me up. The error information returned from Amazon is not super helpful, but when I read the code (it's also in the docs) it became apparent that it sets the ACL to public-read.
>
> It doesn't seem to download or delete files (I see it's on the TODO list) but it may be a good idea to add those too (s3:GetObject and s3:DeleteObject).
>
> You need to add extra permissions if you are using enableWeb or createBucket. Probably something like s3:ListAllMyBuckets, s3:CreateBucket, s3:GetBucketWebsite, s3:PutBucketWebsite etc.
>
> Reply to this email directly or view it on GitHub https://github.com/jpillora/grunt-aws/issues/10#issuecomment-66219454.

Haraldson commented 9 years ago

Status on the IAM docs?