Amazon S3 bucket policy for uploading and viewing pictures

Question

I have an app that users log in with facebook and then can upload images to s3 bucket and view them. I used Cognito service to allow every logged in user to upload and view all files.

I have no idea how to set the correct permissions on the s3 bucket. This is my attempt at it, but I get can't save the policy and get Statement is missing required element - Statement "NO_ID-0" is missing "Principal" element

{
    "Version": "2012-10-17",
    "Id": "Policy1457546546214",
    "Statement": [
        {
            "Sid": "Stmt1475657256771436",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket-name/*"
        },
        {
            "Sid": "Stmt16577654572138125",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": [
                "bucket-name/identity-pool-id*"
            ]
        }
    ]
}

This is the client part, if it helps:

FB.login(function (response) {
    if (response.authResponse) {

      AWS.config.region = 'eu-west-1';
      AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: 'eu-west-1:xxxxxxxxxxx',
        Logins: {
          'graph.facebook.com': response.authResponse.accessToken
        }
      })

      var bucket = new AWS.S3({params: {Bucket: 'name'}})
      var fileChooser = document.getElementById('file-chooser')
      var button = document.getElementById('upload-button')

      button.addEventListener('click', function() {
        var file = fileChooser.files[0]
        var params = {Key: file.name, ContentType: file.type, Body: file}
        bucket.upload(params, function (err, data) {
        ...

Cognito IAM > Roles > Cognito_myappAuth_Role :

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cognito-identity:*"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::bucket/${cognito-identity.amazonaws.com:sub}/*",
                "arn:aws:s3:::bucket/${cognito-identity.amazonaws.com:sub}"
            ]
        }
    ]
}

Answer 1

Have you checked out this blog post ? It has a good example of how to set up a role that allows S3 bucket access for users. Cutting out the list bucket part out, the access policy you would link to your identity pool roles might look something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::mybucket/${cognito-identity.amazonaws.com:sub}/*"]
    }
  ]
}

---

Edit:

Tl;dr from comments for future readers:

• Apply the policy to the pool's auth role instead of bucket

• If the app use case requires a common area, use the bucket root directory, otherwise use a directory for each identity defined in the policy (as described in the blog)

• The role itself doesn't apply until after the authentication occurs. The policy just defines what the credentials given back will have access to do and to what.