
Document minimum AMI user permissions/ACLs in order for accessing an AWS bucket #139

Open
patcon opened this issue Aug 11, 2020 · 6 comments

patcon commented Aug 11, 2020

Took me a while to sort this out, and was surprised that I couldn't find a record of it in the issue queue. Copy-pasting this into the JSON editor allowed it to finally work: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-policies-s3.html#iam-policy-ex0

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action": "s3:ListAllMyBuckets",
         "Resource":"arn:aws:s3:::*"
      },
      {
         "Effect":"Allow",
         "Action":["s3:ListBucket","s3:GetBucketLocation"],
         "Resource":"arn:aws:s3:::awsexamplebucket1"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:DeleteObject"
         ],
         "Resource":"arn:aws:s3:::awsexamplebucket1/*"
      }
   ]
}

Giving full S3 permissions on the bucket also worked, but that felt like overkill, and it would be bad to incentivize users to do that.

@patcon patcon changed the title Document minimum AIM user permissions/ACLs in order for accesssing an AWS bucket Document minimum AMI user permissions/ACLs in order for accesssing an AWS bucket Aug 11, 2020
SunSparc commented Aug 28, 2020

It would be nice to see documented exactly which actions are required for this plugin to work. I do not like giving more privileges than necessary. I use the following policy for other services and it works. But with s3-plugin-webpack I get Access Denied. So what else is this plugin trying to do?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::mybucket/*"
        }
    ]
}

Another policy example is in issue #62.

SunSparc commented

Well, after going through all the permissions myself it turns out that s3-plugin-webpack also needs PutObjectAcl by default, unless ACL: "" is added to the s3UploadOptions, which was mentioned in #28.

patcon commented Aug 29, 2020

This is really helpful @SunSparc :) I'll try to upstream a doc change when I'm next using this plugin.

patcon commented Aug 30, 2020

OK, after some experimentation, I found the minimal permissions for the bucket and plugin setup are:

{
  s3Options: {
    // ...
  },
  s3UploadOptions: {
    ACL: '',              // empty ACL: the plugin sends no object ACL, so s3:PutObjectAcl is not needed
    Bucket: 'YOURBUCKET'
  }
}

IAM > Users > YOURUSER > Permissions > Add inline policy (JSON):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::YOURBUCKET/*"
        }
    ]
}

S3 > YOURBUCKET > Permissions > Block public access: All "OFF"

S3 > YOURBUCKET > Permissions > Bucket Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::YOURBUCKET/*"
        }
    ]
}
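The minimal setup above, together with SunSparc's finding that the plugin's default ACL requires s3:PutObjectAcl, can be checked mechanically before credentials are handed out. The following is an added example, not s3-plugin-webpack's code nor anything posted in this thread. It assumes the IAM policy and bucket policy are loaded as JSON dicts, models only Allow/Deny statements with `*`/`?` wildcards in Action and Resource (no Condition, NotAction or NotResource), and measures "excess" against a constructed catalog of the S3 actions that appear in this thread. The sample policies are constructed to mirror the ones posted above.

```python
"""Audit an IAM user policy and a bucket policy against the least-privilege
setup worked out in this thread. Added example; not s3-plugin-webpack code."""
import fnmatch
import json

# Constructed catalog of the S3 actions mentioned in this thread; "excess"
# is measured only against these, so extend it for a fuller audit.
S3_ACTION_CATALOG = frozenset({
    "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation",
    "s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectAcl",
    "s3:DeleteObject",
})


def required_actions(s3_upload_options):
    """Actions the plugin's upload needs, per the thread: s3:PutObject always,
    plus s3:PutObjectAcl unless ACL is explicitly set to '' (the plugin sends
    an object ACL by default, which is what produced the Access Denied)."""
    actions = {"s3:PutObject"}
    if s3_upload_options.get("ACL", "<plugin default>") != "":
        actions.add("s3:PutObjectAcl")
    return actions


def _as_list(value):
    # IAM accepts either a single string or a list for Action/Resource/Principal.
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # Action names are case-insensitive and accept * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy, resource, catalog=S3_ACTION_CATALOG):
    """Subset of `catalog` that `policy` lets the attached user perform on the
    concrete `resource` ARN. An explicit Deny wins over Allow, as in IAM."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        patterns = _as_list(stmt.get("Action", []))
        hit = {a for a in catalog if any(_action_matches(p, a) for p in patterns)}
        (allowed if stmt.get("Effect") == "Allow" else denied).update(hit)
    return allowed - denied


def audit_user_policy(policy, bucket, s3_upload_options):
    """Compare what the policy grants on objects in `bucket` with what the
    plugin needs. Returns sorted lists of missing and excess actions."""
    required = required_actions(s3_upload_options)
    # Evaluate against a representative object key; IAM's * spans '/' as well.
    resource = f"arn:aws:s3:::{bucket}/index.html"
    granted = allowed_actions(policy, resource, S3_ACTION_CATALOG | required)
    return {"missing": sorted(required - granted),
            "excess": sorted(granted - required)}


def public_actions(bucket_policy):
    """Actions the bucket policy grants to anonymous principals. For the
    static-asset setup in this thread only s3:GetObject should appear."""
    actions = set()
    for stmt in _as_list(bucket_policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS", [])
        if stmt.get("Effect") == "Allow" and "*" in _as_list(principal):
            actions.update(_as_list(stmt.get("Action", [])))
    return sorted(actions)


# Constructed inputs mirroring the policies posted in this thread.
PUT_ONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
                 "Resource": "arn:aws:s3:::mybucket/*"}]
}""")

PUBLIC_READ_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "AllowPublicRead", "Effect": "Allow",
                 "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::mybucket/*"}]
}""")

if __name__ == "__main__":
    # Default ACL: reproduces the Access Denied (PutObjectAcl missing).
    print(audit_user_policy(PUT_ONLY_POLICY, "mybucket", {}))
    # With ACL: '' the PutObject-only policy is exactly sufficient.
    print(audit_user_policy(PUT_ONLY_POLICY, "mybucket", {"ACL": ""}))
    print(public_actions(PUBLIC_READ_BUCKET_POLICY))  # ['s3:GetObject']
```

Running the script against the PutObject-only policy with the plugin's default options reports s3:PutObjectAcl as missing, and with `ACL: ''` reports nothing missing and nothing in excess; pointing it at the broader policy from the first comment lists DeleteObject, GetObject, GetObjectAcl, ListAllMyBuckets and PutObjectAcl as excess for this workload. The public-read check is there to confirm the bucket policy exposes only GetObject to anonymous callers and nothing else.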

mapineda commented Nov 17, 2021

@patcon Does

{
  s3Options: {
    // ...
  },
  s3UploadOptions: {
    ACL: '',
    Bucket: 'YOURBUCKET'
  }
}

"YOURBUCKET" have to be a hardcoded string? Having a difficult time passing this value from an .env using process.env or even using an environment.js file that takes the .env vars and exports them to webpack.

patcon commented Nov 18, 2021

I don't think so, @mapineda :(
