I have an S3 bucket (e.g. mybucket) which currently has permissions set as follows:
Block all public access: On
- Block public access to buckets and objects granted through new access control lists (ACLs): On
- Block public access to buckets and objects granted through any access control lists (ACLs): On
- Block public access to buckets and objects granted through new public bucket or access point policies: On
- Block public and cross-account access to buckets and objects through any public bucket or access point policies: On
Inside this bucket I have two folders:
images (e.g. https://mybucket.s3.us-west-2.amazonaws.com/images/puppy.jpg)
private (e.g. https://mybucket.s3.us-west-2.amazonaws.com/private/mydoc.doc)
I want the images folder to be publicly accessible so that I can display images on my site.
I want the private folder to be restricted and only accessible programmatically using an IAM account.
How do I set these permissions? I've tried switching the above permissions off. I've also clicked on the images and, under actions, clicked on 'make public'. I then attempt the following to upload:
$image = Image::make($file->getRealPath())->resize(360, 180);
Storage::disk('s3')->put($filePath, $image->stream());
The file gets uploaded, but when I try to display the image as follows I get a 403 error:
<img src="{{ Storage::disk('s3')->url($file->path) }}" />
And to download a private document I have the following:
$response = [
    'Content-Type' => $file->mime_type,
    'Content-Length' => $file->size,
    'Content-Description' => 'File Transfer',
    'Content-Disposition' => "attachment; filename={$file->name}",
    'Content-Transfer-Encoding' => 'binary',
];
return Response::make(Storage::disk('s3')->get($file->path), 200, $response);
What's the correct way to set up these permissions?
I'm new to S3 storage.
Amazon S3 Block Public Access is a bucket-level configuration that will prevent you making any of the objects in that bucket public. So, if you want to make one or more objects public, e.g. images/*, then you need to disable S3 Block Public Access for this bucket.
That, in and of itself, will not make any of your objects public, of course. S3 buckets are private by default. To make the objects in images/ public, you will need to configure an S3 bucket policy, for example:
{
    "Id": "id101",
    "Statement": [
        {
            "Sid": "publicimages",
            "Action": "s3:GetObject",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::mybucket/images/*",
            "Principal": "*"
        }
    ]
}
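An added example, not part of the original answer: a small offline check that a bucket policy such as the one above exposes images/ to anonymous reads while leaving private/ closed, plus which Block Public Access settings have to be off for such a policy to apply. The function names are hypothetical; the four setting names are the fields of S3's PublicAccessBlockConfiguration, and the check is simplified as noted in the code.

```python
import json
import re

# Constructed input: the bucket policy from the answer above.
POLICY = json.loads("""{"Id": "id101", "Statement": [{"Sid": "publicimages",
  "Action": "s3:GetObject", "Effect": "Allow",
  "Resource": "arn:aws:s3:::mybucket/images/*", "Principal": "*"}]}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard(pattern):
    # IAM wildcards: '*' is any run of characters (including '/'), '?' is one character.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(body + r"\Z", re.S)

def _is_anonymous(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_read_patterns(policy):
    """Resource ARNs that an unconditional Allow opens to everyone for s3:GetObject.
    Simplification (assumption): Deny, NotAction/NotResource and Condition are not evaluated."""
    found = []
    for st in _as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if (st.get("Effect") == "Allow" and not st.get("Condition")
                and _is_anonymous(st.get("Principal"))
                and any(_wildcard(a).match("s3:getobject") for a in actions)):
            found.extend(_as_list(st.get("Resource", [])))
    return found

def is_publicly_readable(policy, bucket, key):
    arn = f"arn:aws:s3:::{bucket}/{key}"
    return any(_wildcard(p).match(arn) for p in public_read_patterns(policy))

def policy_can_be_public(bpa):
    # A public bucket policy is only accepted and honoured when both policy-related
    # Block Public Access settings are off; the two ACL settings may stay on.
    return not (bpa["BlockPublicPolicy"] or bpa["RestrictPublicBuckets"])

if __name__ == "__main__":
    for key in ("images/puppy.jpg", "private/mydoc.doc"):
        print(key, "public" if is_publicly_readable(POLICY, "mybucket", key) else "private")
```

Running the same check against a policy whose Resource is widened to `arn:aws:s3:::mybucket/*` reports private/mydoc.doc as public, which is the misconfiguration to watch for when editing this policy.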