What are the appropriate S3 permissions to deploy an Elastic Beanstalk app using CodeShip? When deploying a new version to a tomcat app I get these errors:
Service:Amazon S3, Message:You do not have permission to perform the
's3:ListBucket' action. Verify that your S3 policies and your ACLs
allow you to perform these actions.
Service:Amazon S3, Message:You do
not have permission to perform the 's3:GetObject' or 's3:ListBucket'
action. Verify that your S3 policies and your ACLs allow you to
perform these actions.
If I give the CodeShip user full access to S3 everything works, but this is not ideal. The current S3 permissions for my CodeShip user are
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:ListBucket",
"s3:DeleteObject",
"s3:GetBucketPolicy"
],
"Resource": [
"arn:aws:s3:::codeshipbucket/*"
]
}
]
}
My S3 bucket I have given CodeShip is a subfolder under codeshipbucket if it matters.
What are appropriate permissions?
These are the S3 permissions we had to give the IAM user we use with Codeship:
{
"Action": [
"s3:CreateBucket",
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:ListBucket",
"s3:GetObjectAcl",
"s3:GetBucketPolicy",
"s3:DeleteObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::elasticbeanstalk-[region]-[account-id]",
"arn:aws:s3:::elasticbeanstalk-[region]-[account-id]/*"
]
}
We executed eb deploy --debug and added the permissions one-by-one.
In our internal test we've been able to deploy to ElasticBeanstalk with just the following S3 permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::YOUR_S3_BUCKET_NAME/*"
]
}
]
}
And this is what we currently recommend in our documentation available at https://codeship.com/documentation/continuous-deployment/deployment-to-elastic-beanstalk/#s3
That said, one of our awesome users published a very extensive guide on how to deploy to Elastic Beanstalk, which is available at http://nudaygames.squarespace.com/blog/2014/5/26/deploying-to-elastic-beanstalk-from-your-continuous-integration-system and recommends a broader set of S3 permissions.
Disclaimer: I work for Codeship, but you probably already guessed so from my answer.
Related
After I set up Imagekit connecting to S3 bucket correctly with IAM policy having the s3:GetObject to the bucket, I got an error accessing the image through Imagekit url.
The error message is
EACCES - Access denied by AWS S3. Check attached IAM policy on AWS
Imagekit actually needs more than just action s3:GetObject in the policy if your objects in the S3 buckets are server-side encrypted. It will kms:Decrypt as well. This is not in their documentation as 2022/06/16.
My IAM policy is like the following to make Imagekit access correctly.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ImagekitObjectAccess",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::[imagekit-bucket-name]/*"
]
},
{
"Sid": "ImagekitObjectEncryptingKeyAccess",
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:us-east-1:187681360541:key/[object-encrypting-key-id]"
]
}
]
}
In minio. when you set bucket policy to download with mc command like this:
mc policy set download server/bucket
The policy of bucket changes to:
{
"Statement": [
{
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Resource": [
"arn:aws:s3:::public-bucket"
]
},
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Resource": [
"arn:aws:s3:::public-bucket/*"
]
}
],
"Version": "2012-10-17"
}
I understand that in second statement we give read access to anonymous users to download the files with url. What I don't understand is that why do we need to allow them to the actions s3:GetBucketLocation, s3:ListBucket.
Can anyone explain this?
Thanks in advance
GetBucketLocation is required to find the location of a bucket in some setups, and is required for compatibility with standard S3 tools like the awscli and mc tools.
ListBuckets is required to list the objects in a bucket. Without this permission you are still able to download objects, but you cannot list and discover them anonymously.
These are standard permissions that are safe to use and setup automatically by the mc anonymous command (previously called mc policy). It is generally not required to change them - though you can do so by directly calling the PutBucketPolicy API.
I'm setting up a new policy so my website can store images on S3, and I'm trying to keep it as secure as possible.
I can put an object and read it, but can not delete it, even though it appears I've followed the recommendations from Amazon. I am not using versioning.
What am I doing wrong?
Here's my policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:DeleteObjectVersion",
"s3:PutLifecycleConfiguration",
"s3:DeleteObject",
"s3:ListObjects"
],
"Resource": "*"
}
]
}
After screwing around with multiple permission actions it turns out I needed to add s3:ListBucket and s3:ListObjects. Once added I can now delete objects.
I'm trying to define a policy for a specific user.
I have several buckets in my S3 but I want to give the user access to some of them.
I created the following policy:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"AddPerm",
"Effect":"Allow",
"Principal": "*",
"Action":["s3:GetObject",
"s3:ListBucket",
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
"s3:PutObject"],
"Resource":["arn:aws:s3:::examplebucket"]
}
when I try to add a list of resources like this:
"Resource":["arn:aws:s3:::examplebucket1","arn:aws:s3:::examplebucket2"]
I get access denied
The only option that works for me (I get buckets lists) is:
"Resource": ["arn:aws:s3:::*"]
whats the problem?
Some Amazon S3 API calls operate at the Bucket-level, while some operate at the Object-level. Therefore, you will need a policy like:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::test"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::test/*"]
}
]
}
See: AWS Security Blog - Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket
I found that its an AWS limitation.
There is no option get filtered list of buckets.
Once you give permissions to ListAllMyBuckets like this:
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::*"]
}
you get the list of all bucket (including buckets that you don't have permissions to it).
More info could be found here: https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/
Few workarounds could be found here: Is there an S3 policy for limiting access to only see/access one bucket?
I have setup an unauthenticated role under Amazon Cognito Identity pool. My goal is that guest users of my mobile app would be able to upload debugging logs (small text files) to my S3 bucket so I can troubleshoot issues. I notice I would get "Access Denied" from S3 if I don't modify my S3 bucket permission. If I add allow "Everyone" to have "Upload/Delete" privilege, the file upload succeeded. My concern is someone would then be able to upload large files to my bucket and cause a security issue. What is the recommend configuration for my need above? I am a newbie to S3 and Cognito.
I am using Amazon AWS SDK for iOS but I suppose this question is platform neutral.
Edit:
My policy is as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:GetUser",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:PutObject"
],
"Resource": ["arn:aws:s3:::import-to-ec2-*", "arn:aws:s3:::<my bucket name>/*"]
}
]
}
You don't need to modify the S3 bucket permission, but rather the IAM role associated with your identity pool. Try the following:
Visit the IAM console.
Find the role associated with your identity pool.
Attach a policy similar to the following to your role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:PutObject"],
"Resource": ["arn:aws:s3:::MYBUCKET/*"]
}
]
}
Replace MYBUCKET with your bucket name
Access your bucket as normal from your application use the iOS SDK and Cognito
You may want to consider limiting permissions further, including ${cognito-identity.amazonaws.com:sub} to partition your users, but the above policy will get you started.
The answer above is incomplete as of 2015, you need to authorize BOTH the role AND the bucket polity in S3 to authorize that Role to write to the bucket. Use s3:PutObject in both cases. The console has wizards for both cases
As #einarc said (cannot comment yet), to make it works I had to edit role and Bucket Policy. This is good enough for testing:
Bucket Policy:
{
"Id": "Policy1500742753994",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1500742752148",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::admin1.user1",
"Principal": "*"
}
]
}
Authenticated role's policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::*"
]
}
]
}