2
votes

I'm using the Ionic Framework and would like to upload a file to an S3 bucket using the Cordova File Transfer Plugin. All examples are utilizing a POST method...

https://forum.ionicframework.com/t/cordova-filetransfer-upload-image-to-aws-s3/20051/2 http://coenraets.org/blog/2013/09/how-to-upload-pictures-from-a-phonegap-app-to-amazon-s3/

  1. I noticed that Amazon S3 only has PUT and GET object permissions for the bucket policies which can be applied directly into the bucket as per below: http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

The examples in the above link can be found through the Amazon S3 policy generator's dropdown located in the console; From that dropdown, I noticed there was no equivalent "action" (action as defined in Bucket Policy context) for PostObject.

Is there something I'm missing here? Wouldn't I need to create a bucket policy which allows for POST methods AND/OR create a user policy which allows for this.

  1. I could also use some clarity on the AND/OR part seen above; As in, being a noob programmer, I was going to apply it both to the bucket and user policy to be extra safe.
  2. I understand there is a POST policy sent with a POST request (as per link http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-authentication-HTTPPOST.html). This appears to be different than the Bucket Policies for GET, and PUT as the policy is sent with the request, different than being simply defined in the bucket policy section. The policy sent in the POST (as per link) also has a different format than the bucket policies. Hence the confusion.

I haven't tried sending a POST request yet, but I figure that's a task for another day. If someone could help clear this up that'd be great!

2

2 Answers

2
votes

Is there something I'm missing here?

Yes and no.

Using the POST verb doesn't change the fact that you are actually creating an object, which requires the appropriate s3:Put* permissions.

s3:PutObject and s3:PutObjectAcl particularly.

If an IAM user has permission to create an object and set its acl, that user needs to sign a request to accomplish that purpose, which can be either a PUT or a POST.

Consider, for comparison, that HEAD != GET yet sending a HEAD request for an object requires s3:GetObject.

0
votes

You can definitely add a POST policy to your Bucket. Details here: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-HTTPPOSTConstructPolicy.html with some example bucket POST policies here: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-post-example.html

With regards to your second question, you are correct that you can create user level policies, for IAM users, that have the same effect as the bucket policy. More powerfully you can use bucket, user and group policies together to control access to resources in an efficient way.