merefield
(Robert)
September 13, 2018, 5:52pm
1
Getting an Access Denied issue in error log … which seems to be causing Sidekiq to stay paused after backups!! (which is interesting on its own) - is my access policy on IAM not generous enough?:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::my-discourse-backups"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::my-discourse-backups/*"
            ]
        }
    ]
}
merefield
(Robert)
September 13, 2018, 6:01pm
2
Going to try an element of this policy here:
I noticed that all of the tutorials I found for Discourse S3 access granted the user absolute authority over the bucket – they allow ‘s3:*’ authority.
This is an extremely unwise policy, since it allows significantly more control over the bucket than is reasonable. Should you be using S3 for Discourse backup storage, a rampaging attacker would be able to delete your bucket and your backups on the way out.
There are two ways to combat this: One, a tighter policy…
{
"Version": "2012-10-17",…
merefield
(Robert)
September 13, 2018, 6:14pm
3
Went with policy in the guide, will monitor for a few days before accepting this as solution:
So, you want to use S3 to handle image uploads? Here’s the definitive guide:
S3 registration
Head over to https://aws.amazon.com/free/ and click on [Create a Free Account]
During the create account process, make sure you provide payment information, otherwise you won’t be able to use S3. There’s no registration fee, you will only be charged for what you use, if you exceed the AWS Free Usage Tier.
Bucket
Go to S3 and click on Create bucket, then fill out the Bucket name. Remember this name bec…
2 Likes
merefield
(Robert)
September 16, 2018, 11:31am
4
Actually had to use a slightly different policy to make mine work,
I had to add:
"s3:GetBucketLocation",
my top level one now looks like:
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "s3:HeadBucket",
            "s3:GetBucketLocation",
            "s3:ListAllMyBuckets"
        ],
        "Resource": "*"
    },
But otherwise based on:
So, you want to use S3 to handle image uploads? Here’s the definitive guide:
S3 registration
Head over to https://aws.amazon.com/free/ and click on [Create a Free Account]
During the create account process, make sure you provide payment information, otherwise you won’t be able to use S3. There’s no registration fee, you will only be charged for what you use, if you exceed the AWS Free Usage Tier.
Bucket
Go to S3 and click on Create bucket, then fill out the Bucket name. Remember this name bec…
2 Likes
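An added example, not code from any post in this thread: a small Python check that flags the `s3:*` style of grant the quoted post warns about and confirms the scoped policy posted above grants nothing that can delete the bucket or its backups. The function names, the `DESTRUCTIVE` list and `BROAD_POLICY` are assumptions made for this illustration.

```python
import fnmatch
# Assumed, non-exhaustive list of actions that let a stolen key destroy backups.
DESTRUCTIVE = ["s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion"]
# Actions the thread's policies grant on Resource "*".
ACCOUNT_WIDE = {"s3:headbucket", "s3:getbucketlocation", "s3:listallmybuckets"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy, bucket):
    """Return (statement index, finding kind, detail) tuples for Allow statements."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive, so compare in lower case.
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        for action in actions:
            if "*" in action:
                findings.append((i, "wildcard-action", action))
            for d in DESTRUCTIVE:
                if fnmatch.fnmatchcase(d.lower(), action):
                    findings.append((i, "destructive", d))
        for res in as_list(stmt.get("Resource", [])):
            if res == "*":
                extra = sorted(set(actions) - ACCOUNT_WIDE)
                if extra:
                    findings.append((i, "broad-resource", ",".join(extra)))
            elif res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append((i, "other-resource", res))
    return findings

# Policy from the first post with the top-level statement from the last post.
THREAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["s3:HeadBucket", "s3:GetBucketLocation", "s3:ListAllMyBuckets"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::my-discourse-backups"]},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::my-discourse-backups/*"]}]}
# Constructed sample of the 's3:*' grant the quoted post warns about.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::my-discourse-backups",
                  "arn:aws:s3:::my-discourse-backups/*"]}]}
if __name__ == "__main__":
    for name, pol in [("thread", THREAD_POLICY), ("broad", BROAD_POLICY)]:
        print(name, audit_policy(pol, "my-discourse-backups"))
```

The check only inspects `Allow` statements in a single policy document; it does not evaluate `Deny` statements, conditions, or bucket policies attached on the S3 side.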
system
(system)
Closed
October 16, 2018, 11:41am
5
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.