Comments (6)

zackdotcomputer commented on May 19, 2024 1

In the end, I wound up not needing to do the Policy Generator step because I used CloudFront as my CDN. However, before I went that route, I was able to just give my IAM for the adapter the following roles and get things working:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::my-s3-bucket.blog.assets"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:PutObjectVersionAcl",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::my-s3-bucket.blog.assets/*"
        }
    ]
}

One thing I ran into that should also be noted in the README is that even if you give your blog these permissions and allow public ACLs on your S3 bucket, if your account follows AWS's recommendation of blocking public ACLs on S3 buckets, it will override the per-bucket setting and then this adapter will be unable to set any ACL value other than private on new items. (Specifically, you'll get an "access denied" error in the logs.) That was what got me to switch to CloudFront in the end, though even there I have the same IAM policy as above so my adapter can continue writing to the bucket, albeit now with the private ACL.

from ghost-storage-adapter-s3.

graemec23 commented on May 19, 2024

I have also run into it, not sure what to use

from ghost-storage-adapter-s3.

colinmeinke commented on May 19, 2024

@christianreed do you have any thoughts on this?

from ghost-storage-adapter-s3.

NaxAlpha commented on May 19, 2024

Same here

from ghost-storage-adapter-s3.

zackdotcomputer commented on May 19, 2024

Note that in this IAM policy we have both the ListBucket action on the bucket itself, and the GetObject action on the items in the bucket. I'm assuming one (or both?) of these is what was intended by the GetBucket permission in the README, which does not itself appear to exist.

from ghost-storage-adapter-s3.
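
The two points raised in this thread (which ARN each action is granted on, and an account-level public-ACL block overriding the per-bucket setting) modelled as an added example; it is not part of the thread or of the adapter's code. `allows`, `checkUpload` and the sample values are hypothetical, and only Allow statements are evaluated.

```javascript
// Added example; not part of ghost-storage-adapter-s3. Simplified model:
// only Allow statements are evaluated (no Deny, Condition or NotAction).
const PUBLIC_CANNED_ACLS = new Set(["public-read", "public-read-write", "authenticated-read"]);
const toList = (v) => (Array.isArray(v) ? v : [v]);

// IAM-style wildcard match: "*" is any run of characters, "?" is one character.
function glob(pattern, value) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$").test(value);
}

function allows(policy, action, arn) {
  return toList(policy.Statement).some((s) =>
    s.Effect === "Allow" &&
    toList(s.Action).some((a) => glob(a.toLowerCase(), action.toLowerCase())) &&
    toList(s.Resource).some((r) => glob(r, arn)));
}

// S3 applies the most restrictive combination of the account-level and
// bucket-level Block Public Access settings: a flag set at either level wins.
function blockPublicAcls(accountBlock = {}, bucketBlock = {}) {
  return Boolean(accountBlock.BlockPublicAcls || bucketBlock.BlockPublicAcls);
}

// Predict the result of an upload that sends PutObject with a canned ACL.
function checkUpload({ policy, bucket, key, acl, accountBlock, bucketBlock }) {
  const arn = `arn:aws:s3:::${bucket}/${key}`;
  if (!allows(policy, "s3:PutObject", arn)) return "denied: no s3:PutObject on object";
  // Modelling assumption: a non-private canned ACL also needs s3:PutObjectAcl.
  if (acl !== "private" && !allows(policy, "s3:PutObjectAcl", arn)) return "denied: no s3:PutObjectAcl on object";
  if (PUBLIC_CANNED_ACLS.has(acl) && blockPublicAcls(accountBlock, bucketBlock)) return "denied: BlockPublicAcls in effect";
  return "allowed";
}

// Constructed sample: the policy from the first comment, abridged.
const BUCKET = "my-s3-bucket.blog.assets";
const samplePolicy = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: "s3:ListBucket", Resource: `arn:aws:s3:::${BUCKET}` },
    { Effect: "Allow", Action: ["s3:PutObject", "s3:GetObject", "s3:PutObjectAcl", "s3:DeleteObject"],
      Resource: `arn:aws:s3:::${BUCKET}/*` },
  ],
};
const upload = { policy: samplePolicy, bucket: BUCKET, key: "2024/05/photo.jpg", bucketBlock: { BlockPublicAcls: false } };
console.log(checkUpload({ ...upload, acl: "public-read", accountBlock: { BlockPublicAcls: true } }));
```

With the account-level block on, the same call with `acl: "private"` is allowed, which matches the CloudFront setup described in the first comment.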

danielthank commented on May 19, 2024

@genuinezack Same here. With just IAM set up, it just works!

from ghost-storage-adapter-s3.
