Strictest possible IAM (permissions and bucket) policy required to work with Active Storage?
What is the smallest/strictest set of permissions required to set up a working app using Active Storage to work with Amazon S3?
To start with something that isn't great: AmazonS3FullAccess
Technically this works, but is very bad practice because the IAM now has full access (i.e. it can do anything) and gives access to all buckets on the account, including those that have nothing to do with the app! So we could say this doesn't adhere to the Principle of Least Privilege
Question
Using AWS's JSON format, what's the strictest possible IAM policy to allow regular functioning of Active Storage (i.e. uploading, reading, deleting images etc). Or in other words, the permissions mentioned here:
The core features of Active Storage require the following permissions:
s3:ListBucket,s3:PutObject,s3:GetObject, ands3:DeleteObject.
For the purpose of this question, please assume the app uses just one bucket called mybucket
What I know so far
After a lot of googling/reading docs, I mostly find 'examples' that don't explicitly map S3 permissions to the exact ActiveStorage requirements. In any case, here the best I have found:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::mybucket"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::mybucket/*"]
}
]
}
I can confirm that it 'works' (the rails app can 'see' the images, add new ones, and delete them).
Because I have not set these many times in the past, I can't confirm whether it's refined like I want it to be, or if there's anything missing that could cause problems.
TL;DR, just after the IAM policy that allows full functionality with Active Storage and nothing more.
Don't see how you can get more restricted without impacting functionality. You've limited it to only the necessary actions for the bucket you wish to manage.
- How can I disable Hotwire / Turbo (the Turbolinks replacement) for all forms in a Rails application?
- RSpec Stubbing out Date.today in order to test a method
- How to specify a prefix when uploading to S3 using activestorage's direct upload?
- Duration between two dates in Ruby (Rails)
- CMS for ecommerce website in rails
- Ruby gsub capturing groups
- Can I switch to Amazon S3 later in Rails 7 after using local storage?
- Rails 7/StimulusJS relative import: working on dev, but not production
- Rails: ActiveSupport::MessageEncryptor::InvalidMessage
- How can I unlock my gemfile so I can access the rails server?
- What do I pass to schema_migration in ActiveRecord::MigrationContext#new
- How do I stop Routing Errors errors from causing all sorts of warning?
- Where do you put your Rack middleware files and requires?
- How to prevent the <p> tag from wrapping around my input with tinymce in Rails?
- Clickable Table Rows in Ruby on Rails
- How to determine if one array contains all elements of another array
- Adding page-specific CSS to Rails Asset Pipeline
- Rails 7.1, log to STDOUT and log/production.log
- Add custom fields to object in ROR application
- Hit web endpoints behind Devise authentication with non-browser request in a Rails app
- How to revert/undo local changes to an Activerecord object?
- Disabling GraphQL introspection requests on production
- carrierwave png thumbnails from svg upload
- When rails app create database and collection when using MongoDb?
- Sidekiq sending jobs to test queue instead of developement queue
- rails assert_difference without specific difference value
- How best to propogate an `admin` status to children using Rails and Ancestry
- Rails minitest + authlogic cannot authenticate
- How does bundler work (in general)?
- `belongs_to` and `before_create` order in Rails