what IAM Permissions are required? Unable to work around 403 error

[thatjuan]

Hello,

I am trying to set up an upload form with s3. I'm using the following config:

Slingshot.createDirective( "newDocumentForm", Slingshot.S3Storage, {

    bucket: "my-bucket-name",

    acl: "public-read",

    region: "us-west-2",

    AWSAccessKeyId: "MY-ACCESS-KEY",

    AWSSecretAccessKey: "MY-SECRET",

    authorize: function () {
        if (!this.userId) {
            var message = "Please login before posting files";
            throw new Meteor.Error("Login Required", message);
        }

        return true;
    },

    key: function (file) {
        return file.name;
    }

});

On the IAM side, I have:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket-name"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket-name",
                "arn:aws:s3:::my-bucket-name/*"
            ]
        }
    ]
}

And when I try to upload, i get a 403 from the POST request. (the OPTIONS call succeeds)

<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>xxDC3CExxE0D7A59</RequestId><HostId>xxx3u+T0s7qiP7ir8alVf6mebwMYdNyqxI=</HostId></Error>

Any clues? thanks!

[thomasmery]

Hi,

I trie also to use an IAM user credentials but got same error

upload worked fine with aws root credentials

wondering if someone with more insight might help here

thanks

[spawn-guy]

this is sufficient(but not squeezed down to min) to upload to bucketname. i use this Policy as EC2-Role. and read them from AWS.EC2MetadataCredentials()

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppBucketAccess",
            "Action": [
                "s3:Get*",
                "s3:List*",
                "s3:HeadObject*",
                "s3:PutObject*",
                "s3:DeleteObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::bucketname",
                "arn:aws:s3:::bucketname/*"
            ]
        }
    ]
}

[gkrizek]

I was battling this for a while because I really wanted to restrict this user to only be able to upload to the bucket. This is what I came up with for minimum privileges for uploading:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "uploadS3",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject*"
            ],
            "Resource": [
                "arn:aws:s3:::bucket_name",
                "arn:aws:s3:::bucket_name/*"
            ]
        }
    ]
}

[MichaelJCole]

Together with @gkrizek 's AWS policy, I had to remove the acl setting in createDirective

Slingshot.createDirective('myFileUploads', Slingshot.S3Storage, {
  bucket: 'uptestload',

  //acl: 'public-read',

  authorize() {
    //Deny uploads if user is not logged in.
    if (!this.userId) {
      var message = 'Please login before posting files';
      throw new Meteor.Error('Login Required', message);
    }

    return true;
  },

  key(file) {
    //Store file into a directory by the user's username.
    var user = Meteor.users.findOne(this.userId);
    return user._id + '.' + file.name + '.' + Date.now();
  }
});

Here's what I did:

Created a user - got keys.
Created a group. Added an inline policy to the group
Keys -> settings.json, followed the rest of the readme.