Allowing public-read and bucket-owner-full-control in S3

4
votes

I'm trying to make a bucket of images public read even when uploaded from another AWS account. I have the current bucket policy in place:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mybucketname/*"
        }
    ]
}

This works great when I upload using credentials from the primary account, but when I upload from the other account added by ACL it doesn't apply. As I read I found that you can add bucket-owner-full-control or public-read but not both. My end goal is to allow the object to be fully accesses by both AWS accounts AND have public read access on upload. Is this possible (ideally without two requests)?

2
node.jsamazon-web-servicesamazon-s3

2 Answers

2
votes

The above accepted answer is incorrect as S3 bucket policies are ignored on objects published from another account.

The correct way to apply multiple ACLs on a cross account publish is like follows:

aws s3 cp --recursive blahdir s3://bucketname/blahdir/ --cache-control public,max-age=31536000 --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers full=id=S3_ACCOUNT_CANONICAL_ID
0
votes

No, it seems you can only specify one ACL when creating an object in Amazon S3.

For details of what each Canned ACL means, see: Canned ACL

For details of how ownership works, see: Amazon S3 Bucket and Object Ownership

Personally, I would not recommend using ACLs to control access. They are a hold-over from the early days of Amazon S3. These days, I would recommend using a Bucket Policy if you wish to make a large number of objects public, especially if they are in the same bucket/path.

Thus, an object can be uploaded with bucket-owner-full-control and the Bucket Policy can make them publicly accessible.