S3 IAM policy issues with ROR

I was wondering if someone could help me out. I currently have a Ruby on Rails application which uses Paperclip.

I want to upload the images to S3 storage.

I've managed to make it work with public settings, but when I make it private it does not.

What I've done:
- created an S3 bucket
- created a user
- assigned the s3fullaccess policy
- assigned a custom policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::bucket-name"
        },
        {
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::bucket-name/*"
        }
    ]
}

I have then assigned the IAM policy and configured the app with the user's access key and secret key.

Yet whenever I try to upload something I get the error:

Excon::Error::Forbidden (Expected(200) <=> Actual(403 Forbidden) excon.error.response

I've gone through the web looking for a solution but nothing.

This is for an ecommerce store; if I were to make it public, what issues could arise?

I hope someone can help, thank you :)

Update: just adding the files for credentials and how they are used. Secrets.yml file:

development:
  aws_access_key_id: 'XXXXXXX'
  aws_secret_access_key: 'XXXXX'
  s3_bucket_name: 'XXXXXXX'
  s3_region_name: 'XXXXXX'

production:
  aws_access_key_id: 'XXXXXXX'
  aws_secret_access_key: 'XXXXX'
  s3_bucket_name: 'XXXXXXX'
  s3_region_name: 'XXXXXX'

test:
  aws_access_key_id: 'XXXXXXX'
  aws_secret_access_key: 'XXXXX'
  s3_bucket_name: 'XXXXXXX'
  s3_region_name: 'XXXXXX'

paperclip.rb:

if Rails.application.secrets.aws_access_key_id
    Paperclip::Attachment.default_options.merge!(
        storage: :fog,
        fog_credentials: {
            provider: 'AWS',
            aws_access_key_id: Rails.application.secrets.aws_access_key_id,
            aws_secret_access_key: Rails.application.secrets.aws_secret_access_key,
            region: Rails.application.secrets.s3_region_name,
        },
        fog_directory: Rails.application.secrets.s3_bucket_name
    )

    Spree::Image.attachment_definitions[:attachment].delete(:url)
    Spree::Image.attachment_definitions[:attachment].delete(:path)
end

That policy will grant enough privilege to upload to the S3 bucket.

But, you mentioned that you created a user and assigned this custom policy. How does the Rails app act as this user? How do you provide the user credentials to the rails app?

Please update your question with the answer to that, as doing this incorrectly is likely to be the problem.

Making the bucket public will have different issues depending on what data you're storing in it. But, it's almost certainly a bad idea - you should follow the principle of least privilege when it comes to securing your app. See https://en.m.wikipedia.org/wiki/Principle_of_least_privilege
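One way to confirm offline that the posted policy really covers the calls a fog-backed Paperclip upload makes, before looking at how the credentials reach the app, is a small evaluator of IAM Allow/Deny statements with wildcard matching. This is an added example, not code from either post; the policy text is a constructed copy of the question's, "bucket-name" is the question's own placeholder, and the object key and the list of S3 calls checked are assumptions.

```ruby
require 'json'

# Constructed copy of the policy from the question; "bucket-name" is the question's placeholder.
POLICY_JSON = <<~JSON
  {
    "Version": "2012-10-17",
    "Statement": [
      { "Action": ["s3:ListAllMyBuckets"], "Effect": "Allow", "Resource": "arn:aws:s3:::*" },
      { "Action": "s3:*", "Effect": "Allow", "Resource": "arn:aws:s3:::bucket-name" },
      { "Action": "s3:*", "Effect": "Allow", "Resource": "arn:aws:s3:::bucket-name/*" }
    ]
  }
JSON

# IAM wildcard matching: '*' matches any run of characters, '?' a single character.
# Action names are case-insensitive in IAM; ARNs are compared as written.
def iam_match?(pattern, value, ignore_case: false)
  body = Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.')
  Regexp.new("\\A#{body}\\z", ignore_case ? Regexp::IGNORECASE : 0).match?(value)
end

# Simplified identity-policy decision: an explicit Deny wins, a matching Allow permits,
# anything else is the implicit deny. Condition keys and bucket policies are not modelled.
def allowed?(policy, action, resource)
  decision = false
  Array(policy['Statement']).each do |st|
    next unless Array(st['Action']).any?   { |a| iam_match?(a, action, ignore_case: true) }
    next unless Array(st['Resource']).any? { |r| iam_match?(r, resource) }
    return false if st['Effect'] == 'Deny'
    decision = true if st['Effect'] == 'Allow'
  end
  decision
end

# Calls an upload through fog typically makes (assumed list), evaluated against the bucket the
# app is configured with, so a mismatch between the policy ARN and s3_bucket_name shows as false.
def upload_permissions(policy_json, bucket, key = 'spree/products/1/original/photo.jpg')
  policy = JSON.parse(policy_json)
  {
    list_all_buckets:    allowed?(policy, 's3:ListAllMyBuckets',  'arn:aws:s3:::*'),
    get_bucket_location: allowed?(policy, 's3:GetBucketLocation', "arn:aws:s3:::#{bucket}"),
    put_object:          allowed?(policy, 's3:PutObject',         "arn:aws:s3:::#{bucket}/#{key}"),
    put_object_acl:      allowed?(policy, 's3:PutObjectAcl',      "arn:aws:s3:::#{bucket}/#{key}")
  }
end

if $PROGRAM_NAME == __FILE__
  p upload_permissions(POLICY_JSON, 'bucket-name')   # all true: the policy itself is sufficient
  p upload_permissions(POLICY_JSON, 'bucket-nmae')   # misspelt s3_bucket_name: only list_all_buckets true
end
```

If every entry is true for the bucket name the app actually uses, the 403 is not coming from this policy, which points back at how the user's keys are loaded (the answer's question) or at a bucket policy on the bucket itself.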
