
I am using AWS STS Federation Token to get temporary credentials, with the statement below.

Statement putStatement = new Statement(Statement.Effect.Allow)
        .withId("TempCreds")
        .withActions(S3Actions.PutObject)
        .withResources(new S3ObjectResource(bucketName, "*"));

Now I am able to get temp creds, but when I am uploading a file using PutObjectRequest:

s3Client.putObject(new PutObjectRequest(bucketName, keyName, file));

but this uses the default PRIVATE ACL. The question is how to set a PUBLIC ACL?

Because when I use the code below,

s3Client.putObject(new PutObjectRequest(bucketName, keyName, file)
                        .withCannedAcl(CannedAccessControlList.PublicRead));

the upload fails.

If, in the above statement for getting the federation token, I add the ACL like below,

Statement putStatement = new Statement(Statement.Effect.Allow)
        .withId("TempCreds")
        .withActions(S3Actions.PutObject)
        .withResources(new S3ObjectResource(bucketName, "*"))
        .withConditions(S3ConditionFactory.newCannedACLCondition(CannedAccessControlList.PublicRead));

the upload still fails.

So how do I set a public ACL when using short-term credentials?

I have given the policy below to the IAM user, which is going to generate STS.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1507714071000",
            "Effect": "Allow",
            "Action": [
                "sts:GetFederationToken"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
  • Can you post the error you get and does the role you are using with STS have permissions to set ACL on the S3 bucket? – strongjz Nov 16 '17 at 13:52
  • I have added the policy in the question which I have given to the user which is generating STS. Not sure how to give ACL permission in the policy. The error which I am getting is just "Access Denied" when I am trying to set the ACL. – Ankit Choudhary Nov 17 '17 at 07:57
  • Do you have access to the bucket via an IAM policy on the user or the group the user is a member of? – strongjz Nov 17 '17 at 13:12
  • @strongjz yes I do have access to the bucket. – Ankit Choudhary Nov 19 '17 at 09:29
  • I'm talking about the policy attached to the STS creds, what is the policy attached to that? – strongjz Nov 21 '17 at 15:19
  • `{ "Version": "2012-10-17", "Statement": [{ "Sid": "S3BucketPutPolicy", "Effect": "Allow", "Action": ["s3:PutObject"], "Resource": ["arn:aws:s3:::/*"], "Condition": { "StringEquals": { "s3:x-amz-acl": ["public-read"] } } }] }` @strongjz this is the policy attached – Ankit Choudhary Nov 27 '17 at 07:47
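
Added example, not part of the original thread: a simplified offline model of how a `putObject` call made with federation-token credentials is authorized, run against the session policy posted in the comments. S3 requires `s3:PutObjectAcl` in addition to `s3:PutObject` when an upload sets a canned ACL, and a federated session only gets what both the IAM user's policies and the session policy allow. The bucket name `example-bucket`, the `s3:*` identity policy (the asker only says the user has bucket access) and all helper names are assumptions.

```python
from fnmatch import fnmatchcase

BUCKET_ARN = "arn:aws:s3:::example-bucket/*"  # placeholder: bucket name is elided on the page

def policy(actions, condition=None):
    """Build a one-statement Allow policy on the bucket's objects."""
    st = {"Effect": "Allow", "Action": actions, "Resource": [BUCKET_ARN]}
    if condition:
        st["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [st]}

ACL_CONDITION = {"StringEquals": {"s3:x-amz-acl": ["public-read"]}}
# Assumption: the IAM user's bucket access is modelled as s3:* on the bucket.
IDENTITY_POLICY = policy(["s3:*"])
SESSION_AS_POSTED = policy(["s3:PutObject"], ACL_CONDITION)  # policy from the comments
SESSION_WITH_ACL = policy(["s3:PutObject", "s3:PutObjectAcl"], ACL_CONDITION)

def _matches(st, action, resource, context):
    # Action names are case-insensitive; resource ARNs are not.
    if not any(fnmatchcase(action.lower(), a.lower()) for a in st["Action"]):
        return False
    if not any(fnmatchcase(resource, r) for r in st["Resource"]):
        return False
    for key, allowed in st.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) not in allowed:  # an absent key never satisfies StringEquals
            return False
    return True

def allows(pol, action, resource, context):
    effects = [s["Effect"] for s in pol["Statement"] if _matches(s, action, resource, context)]
    return "Allow" in effects and "Deny" not in effects

def denied_actions(identity, session, key, canned_acl=None):
    """Return the S3 actions the upload needs but the federated session lacks."""
    resource = BUCKET_ARN[:-1] + key
    context = {"s3:x-amz-acl": canned_acl} if canned_acl else {}
    needed = ["s3:PutObject"] + (["s3:PutObjectAcl"] if canned_acl else [])
    # Federated session permissions are the intersection of both policies.
    return [a for a in needed
            if not (allows(identity, a, resource, context)
                    and allows(session, a, resource, context))]

if __name__ == "__main__":
    for name, pol in [("as posted", SESSION_AS_POSTED),
                      ("with s3:PutObjectAcl", SESSION_WITH_ACL)]:
        print(name, denied_actions(IDENTITY_POLICY, pol, "report.pdf", "public-read"))
```

The model covers only Allow/Deny effects, wildcards and `StringEquals`; it is a reasoning aid for reviewing a session policy before issuing the token, not a replacement for the IAM policy simulator.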

0 Answers