colinmeinke/ghost-storage-adapter-s3

Documentation Issue: "GetBucket" is not a policy action

zackdotcomputer opened this issue · 6 comments

In the AWS configuration section of the README, you say we should use the Policy Generator to give the bucket the "GetBucket" action, but that isn't an option on AWS. There are many "GetBucket_____" options, but it's not clear which ones should and should not be granted.

I have also run into it, not sure what to use

@christianreed do you have any thoughts on this?

Same here

In the end, I wound up not needing to do the Policy Generator step because I used CloudFront as my CDN. However, before I went that route, I was able to just give my IAM for the adapter the following roles and get things working:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::my-s3-bucket.blog.assets"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:PutObjectVersionAcl",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::my-s3-bucket.blog.assets/*"
        }
    ]
}

One thing I ran into that should also be noted in the README is that even if you give your blog these permissions and allow public ACLs on your S3 bucket, if your account follows AWS's recommendation of blocking public ACLs on S3 buckets it will override the per-bucket setting and then this adapter will be unable to set any ACL value other than private on new items. (Specifically, you'll get an "access denied" error in the logs.) That was what got me to switch to CloudFront in the end, though even there I have the same IAM policy as above so my adapter can continue writing to the bucket, albeit now with the private ACL.

Note that in this IAM policy we have both the ListBucket action on the bucket itself, and the GetObject action on the items in the bucket. I'm assuming one (or both?) of these is what was intended by the GetBucket permission in the README, which does not itself appear to exist.

@genuinezack Same here. With just IAM set up, it just works!
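As an added example (not code from this thread or from the adapter), a small Python check that lints a policy like the one posted above the way the thread reasons about it: bucket-level actions belong on the bucket ARN, object-level actions on the `/*` object ARN, and a name like `s3:GetBucket` is flagged because it is not a real action. The action allow-list is a deliberately partial assumption, and the embedded policy is a constructed copy of the one in the thread.

```python
# Deliberately partial allow-list of real S3 IAM actions, grouped by the resource
# type they apply to. Assumption: only the actions this thread discusses plus a
# few common bucket-level reads are listed; extend it for other use cases.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketAcl"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                  "s3:GetObjectAcl", "s3:PutObjectAcl", "s3:PutObjectVersionAcl"}

def _as_list(value):  # IAM accepts a string or a list for Action/Resource
    return [value] if isinstance(value, str) else list(value or [])

def check_policy(policy: dict, bucket: str) -> list:
    """Return findings for an IAM policy meant to scope the adapter to one bucket.
    A policy cannot show whether account-level Block Public Access is on; if it
    is, PutObjectAcl with a public ACL still fails with AccessDenied (see thread).
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/*"
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        resources = _as_list(stmt.get("Resource"))
        for res in resources:
            if res not in (bucket_arn, object_arn):
                findings.append(f"{sid}: resource {res!r} is not scoped to {bucket}")
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action!r}")
            elif action in BUCKET_ACTIONS and object_arn in resources:
                findings.append(f"{sid}: {action} is bucket-level; use {bucket_arn}")
            elif action in OBJECT_ACTIONS and bucket_arn in resources:
                findings.append(f"{sid}: {action} is object-level; use {object_arn}")
            elif action not in BUCKET_ACTIONS | OBJECT_ACTIONS:
                findings.append(f"{sid}: {action!r} is not in the allow-list (nonexistent or not needed)")
    return findings

# Constructed copy of the policy posted in the thread, for a stand-alone run.
THREAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::my-s3-bucket.blog.assets"},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObjectAcl", "s3:GetObject",
                "s3:PutObjectVersionAcl", "s3:DeleteObject", "s3:PutObjectAcl"],
     "Resource": "arn:aws:s3:::my-s3-bucket.blog.assets/*"}]}

if __name__ == "__main__":
    print(check_policy(THREAD_POLICY, "my-s3-bucket.blog.assets") or "no findings")
```

Running it on the thread's policy yields no findings; swapping in `s3:GetBucket` or putting `s3:ListBucket` on the object ARN produces one finding each.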