Correct S3 Policy For Pre-Signed URLs

Question

I need to issue pre-signed URLs for allowing users to GET and PUT files into a specific S3 bucket. I created an IAM user and use its keys to create the pre-signed URLs, and

Answer 1

Bucket Permissions vs Object Permissions

The following permissions from your policy should be at the Bucket level (arn:aws:s3:::MyBucket), rather than a sub-path within the Bucket (eg arn:aws:s3:::MyBucket/*):

• s3:CreateBucket
• s3:DeleteBucket
• s3:DeleteBucketPolicy
• s3:GetBucketPolicy
• s3:GetLifecycleConfiguration
• s3:ListBucket
• s3:ListBucketMultipartUploads
• s3:PutBucketPolicy
• s3:PutLifecycleConfiguration

See: Specifying Permissions in a Policy

However, that is not the cause of your inability to PUT or GET files.

GET

The fact that your have assigned GetObject permissions means that you should be able to GET an object from the S3 bucket. I tested this by assigning your policy to a User, then using that User's credentials to access an object and it worked correctly.

PUT

I also used your policy to upload via a web form and it worked correctly.

Here is the form I used to upload:

     

  

   
    

      
      
       
      
      
      
      
      

      File to upload to S3: 
       
      
 
       
    
 

Here is how I generated the Signature:

#!/usr/bin/python
import base64
import hmac, hashlib

policy_document = '{"expiration": "2018-01-01T00:00:00Z", "conditions": [ {"bucket": ""}, ["starts-with", "$key", "uploads/"], {"acl": "private"}, {"success_action_redirect": "http://BUCKET-NAME.s3.amazonaws.com/ok.html"}, ["starts-with", "$Content-Type", ""], ["content-length-range", 0, 1048000] ] }'

AWS_SECRET_ACCESS_KEY = ""

policy = base64.b64encode(policy_document)

signature = base64.b64encode(hmac.new(AWS_SECRET_ACCESS_KEY, policy, hashlib.sha1).digest())

print policy
print
print signature