I'm using the Ruby Gem called Fog to access S3 and I'm trying to tighten permissions. One of the things I'm doing is this:

storage.files.head(file_name)

where storage was obtained like this:

storage = Fog::Storage.new(AWS_CREDENTIALS).directories.new(key: "bucket-name")

This is unfortunately failing with this error:

#<Excon::Response:0x00000101aa8050 @data={:body=>"", :headers=>{"x-amz-request-id"=>"1BD5F221BD5F22", "x-amz-id-2"=>"rh9CJHBQW+1uY/Ajki/m1jzpYacyhrh9CJHBQW+1uY/Ajki/m1jzpYacyh", "Content-Type"=>"application/xml", "Transfer-Encoding"=>"chunked", "Date"=>"Wed, 13 Aug 2014 01:12:25 GMT", "Connection"=>"close", "Server"=>"AmazonS3"}, :status=>403, :remote_ip=>"178.178.178.178", :local_port=>58870, :local_address=>"10.0.0.1"}, @body="", @headers={"x-amz-request-id"=>"1BD5F221BD5F22", "x-amz-id-2"=>"rh9CJHBQW+1uY/Ajki/m1jzpYacyhrh9CJHBQW+1uY/Ajki/m1jzpYacyh", "Content-Type"=>"application/xml", "Transfer-Encoding"=>"chunked", "Date"=>"Wed, 13 Aug 2014 01:12:25 GMT", "Connection"=>"close", "Server"=>"AmazonS3"}, @status=403, @remote_ip="178.178.178.178", @local_port=58870, @local_address="10.0.0.1">

While my permissions policy for this bucket is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action":[
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject"],
      "Resource": ["arn:aws:s3:::bucket-name/*"]
    }
  ]
}

Any ideas which permissions I'm missing or how to find out?

Pablo Fernandez

1 Answer

The solution was to add s3:ListBucket permissions to the bucket, like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action":[
        "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::bucket-name"]
    },
    {
      "Effect": "Allow",
      "Action":[
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject"],
      "Resource": ["arn:aws:s3:::bucket-name/*"]
    }
  ]
}
Pablo Fernandez
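
Added example, not part of the original question or answer: a small Ruby model of why the two policies above behave differently for a HEAD request. It relies on S3's documented HeadObject behaviour (a missing key yields 404 only when the caller also holds s3:ListBucket on the bucket, otherwise 403) and evaluates Allow statements only; the helper names and the `MISPLACED` policy are constructed for illustration.

```ruby
# Simplified evaluator (assumption): only "Allow" statements are considered;
# Deny, Condition, NotAction and NotResource are not modelled.
def allowed?(policy, action, arn)
  [policy["Statement"]].flatten.any? do |st|
    next false unless st["Effect"] == "Allow"
    # IAM action names are case-insensitive; "*" in an ARN also spans "/".
    Array(st["Action"]).any? { |a| File.fnmatch(a, action, File::FNM_CASEFOLD) } &&
      Array(st["Resource"]).any? { |r| File.fnmatch(r, arn, File::FNM_DOTMATCH) }
  end
end

# Status S3 is documented to return for HEAD on bucket/key under this policy.
def head_status(policy, bucket, key, exists:)
  return 403 unless allowed?(policy, "s3:GetObject", "arn:aws:s3:::#{bucket}/#{key}")
  return 200 if exists
  allowed?(policy, "s3:ListBucket", "arn:aws:s3:::#{bucket}") ? 404 : 403
end

# True when s3:ListBucket is attached to object ARNs only, where it has no effect:
# it is a bucket-level action and must be granted on the bucket ARN itself.
def misplaced_list_bucket?(policy, bucket)
  !allowed?(policy, "s3:ListBucket", "arn:aws:s3:::#{bucket}") &&
    allowed?(policy, "s3:ListBucket", "arn:aws:s3:::#{bucket}/any-key")
end

# Builds a policy document from [actions, resource] pairs.
def policy(*statements)
  stmts = statements.map do |actions, resource|
    { "Effect" => "Allow", "Action" => actions, "Resource" => [resource] }
  end
  { "Version" => "2012-10-17", "Statement" => stmts }
end

OBJECT_ACTIONS = %w[s3:DeleteObject s3:GetObject s3:PutObject].freeze
OBJECTS = "arn:aws:s3:::bucket-name/*"
QUESTION  = policy([OBJECT_ACTIONS, OBJECTS])                        # policy from the question
ANSWER    = policy([["s3:ListBucket"], "arn:aws:s3:::bucket-name"],  # policy from the answer
                   [OBJECT_ACTIONS, OBJECTS])
MISPLACED = policy([OBJECT_ACTIONS + ["s3:ListBucket"], OBJECTS])    # constructed mistake

if __FILE__ == $0
  { "question" => QUESTION, "answer" => ANSWER, "misplaced" => MISPLACED }.each do |name, pol|
    missing = head_status(pol, "bucket-name", "file.txt", exists: false)
    puts "#{name}: HEAD on a missing key -> #{missing}, " \
         "misplaced ListBucket: #{misplaced_list_bucket?(pol, 'bucket-name')}"
  end
end
```

Keeping s3:ListBucket on the bucket ARN and the object actions on `bucket-name/*`, as the answer does, is the narrowest grant that lets a client tell "missing" from "forbidden".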