I was wondering if someone could help me out. I currently have a Ruby on Rails application which uses Paperclip.
I want to upload the images to S3 storage.
I've managed to make it work on public settings, but when I make it private it does not.
What I've done:
- created S3 bucket
- created user
- assigned s3fullaccess policy
- assigned a custom policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::bucket-name"
        },
        {
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::bucket-name/*"
        }
    ]
}
I have then assigned the IAM policy and configured the app with the user access and secret key,
yet whenever I try to upload something I get the error
Excon::Error::Forbidden (Expected(200) <=> Actual(403 Forbidden) excon.error.response
I've gone through the web looking for a solution but nothing.
This is for an ecommerce store. If I was to make it public, what are the issues that could arise?
Hope someone can help, thank you :)
Update: just adding the files for credentials and how they are used.
Secrets.yml file
development:
  aws_access_key_id: 'XXXXXXX'
  aws_secret_access_key: 'XXXXX'
  s3_bucket_name: 'XXXXXXX'
  s3_region_name: 'XXXXXX'
production:
  aws_access_key_id: 'XXXXXXX'
  aws_secret_access_key: 'XXXXX'
  s3_bucket_name: 'XXXXXXX'
  s3_region_name: 'XXXXXX'
test:
  aws_access_key_id: 'XXXXXXX'
  aws_secret_access_key: 'XXXXX'
  s3_bucket_name: 'XXXXXXX'
  s3_region_name: 'XXXXXX'
paperclip.rb
# Only switch Paperclip to S3 (via fog) when AWS credentials are configured.
if Rails.application.secrets.aws_access_key_id
  Paperclip::Attachment.default_options.merge!(
    storage: :fog,
    fog_credentials: {
      provider: 'AWS',
      aws_access_key_id: Rails.application.secrets.aws_access_key_id,
      aws_secret_access_key: Rails.application.secrets.aws_secret_access_key,
      region: Rails.application.secrets.s3_region_name,
    },
    fog_directory: Rails.application.secrets.s3_bucket_name
  )
  # Remove the :url and :path options from Spree::Image's attachment definition.
  Spree::Image.attachment_definitions[:attachment].delete(:url)
  Spree::Image.attachment_definitions[:attachment].delete(:path)
end
That policy will grant enough privilege to upload to the S3 bucket.
But, you mentioned that you created a user and assigned this custom policy. How does the Rails app act as this user? How do you provide the user credentials to the Rails app?
Please update your question with the answer to that, as doing this incorrectly is likely to be the problem.
Making the bucket public will have different issues depending on what data you're storing in it. But, it's almost certainly a bad idea - you should follow the principle of least privilege when it comes to securing your app. See https://en.m.wikipedia.org/wiki/Principle_of_least_privilege
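The answer's two points (the posted policy is enough to upload, and least privilege should apply) can be checked with a simplified policy evaluator. This is an added example, not code from the question or the answer. It ignores conditions, NotAction/NotResource, principals and bucket policies, and SCOPED_POLICY with its action list is constructed here as an assumption to adjust to what the app actually calls.

```ruby
require 'json'

# Policy from the question (bucket-name is the question's placeholder).
POSTED_POLICY = JSON.parse(<<~JSON)
  {"Version": "2012-10-17", "Statement": [
    {"Action": ["s3:ListAllMyBuckets"], "Effect": "Allow", "Resource": "arn:aws:s3:::*"},
    {"Action": "s3:*", "Effect": "Allow", "Resource": "arn:aws:s3:::bucket-name"},
    {"Action": "s3:*", "Effect": "Allow", "Resource": "arn:aws:s3:::bucket-name/*"}
  ]}
JSON

# Constructed narrower policy; the action list is an assumption, not from the page.
SCOPED_POLICY = JSON.parse(<<~JSON)
  {"Version": "2012-10-17", "Statement": [
    {"Action": ["s3:ListBucket"], "Effect": "Allow", "Resource": "arn:aws:s3:::bucket-name"},
    {"Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"], "Effect": "Allow",
     "Resource": "arn:aws:s3:::bucket-name/*"}
  ]}
JSON

# IAM-style wildcard match: '*' is any run of characters, '?' is one character.
def wildcard_match?(pattern, value, ignore_case: false)
  source = Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.')
  Regexp.new("\\A#{source}\\z", ignore_case ? Regexp::IGNORECASE : 0).match?(value)
end

# A statement applies when both an action pattern and a resource pattern match.
def statement_applies?(statement, action, resource)
  Array(statement['Action']).any? { |a| wildcard_match?(a, action, ignore_case: true) } &&
    Array(statement['Resource']).any? { |r| wildcard_match?(r, resource) }
end

# Explicit Deny wins; otherwise at least one Allow is required (default deny).
def allowed?(policy, action, resource)
  hits = [policy['Statement']].flatten.select { |s| statement_applies?(s, action, resource) }
  return false if hits.any? { |s| s['Effect'] == 'Deny' }

  hits.any? { |s| s['Effect'] == 'Allow' }
end
```

Both policies allow `s3:PutObject` on an object key in the bucket, but only the posted one also allows bucket-level actions such as `s3:DeleteBucket`.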