Minimum bucket policy requirements for Kentico S3 integration?

Jason S asked on December 7, 2017 15:05

I have a support case open with Kentico on this, but I don't have an answer yet, so I'm curious if anyone else may have information they can share. When configuring Kentico 10 to use AWS S3 storage, what are the minimum permissions needed in the IAM/Bucket policy at S3 to support Kentico's use of S3?

The following still yields an "Access Denied" response when trying to upload images to a media library:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:PutObjectTagging",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::BUCKETNAMEHERE/*"
        }
    ]
}

Recent Answers

David te Kloese answered on December 11, 2017 00:37

Jason for future reference could you update us with an answer when you get it working?


David G answered on March 26, 2018 22:46

Three months too late, but I came across this same issue recently. I was able to get it working with the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::<bucketname>"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<bucketname>/*"
            ]
        }
    ]
}

This removes the capability to list all buckets, bucket locations, and objects in an account while still granting rights to the specific bucket.

I also left out the "s3:PutObjectTagging" operation on the objects in the specified bucket and haven't seen any errors from Kentico yet. Does Kentico try to tag objects it creates in S3 buckets?

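The difference between the two policies above comes down to which resource ARN each S3 action is authorized against: bucket-level actions (s3:ListBucket, s3:GetBucketLocation) are evaluated against the bucket ARN arn:aws:s3:::bucket, object-level actions (s3:GetObject, s3:PutObject, s3:DeleteObject, s3:PutObjectTagging) against object ARNs arn:aws:s3:::bucket/key, and s3:ListAllMyBuckets is account-wide and only matches Resource "*". The following is an added example, not code from the thread, from Kentico or from AWS: a small static checker that applies those scoping rules to a policy document and reports actions that are either ineffective (a bucket-level action granted only on bucket/*, a classic cause of Access Denied) or broader than one bucket. The bucket name "example-bucket", the statement Sids "BucketLevel", "ObjectLevel" and "ListOnObjects", and the deliberately mis-scoped sample policy are constructed for the example.

```python
"""Static scoping check for S3 permissions in an IAM identity policy.

Encoded rules (AWS S3 authorization semantics):
  * bucket-level actions are evaluated against  arn:aws:s3:::bucket
  * object-level actions are evaluated against  arn:aws:s3:::bucket/key
  * s3:ListAllMyBuckets is account-wide and only matches Resource "*"
A Resource of "*" (or arn:aws:s3:::*) satisfies any S3 action but grants
it on every bucket in the account, which is what the thread's second
policy avoids.  This is example code, not Kentico's or AWS's.
"""
import json

S3_PREFIX = "arn:aws:s3:::"
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketVersions"}
OBJECT_LEVEL = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                "s3:PutObjectTagging", "s3:GetObjectTagging"}
ACCOUNT_LEVEL = {"s3:ListAllMyBuckets"}


def resource_kind(arn):
    """Classify an S3 resource ARN by what it can match."""
    if arn in ("*", S3_PREFIX + "*"):
        return "any"                      # every bucket and every object
    if not arn.startswith(S3_PREFIX):
        return "other"
    return "object" if "/" in arn[len(S3_PREFIX):] else "bucket"


def action_level(action):
    if action in BUCKET_LEVEL:
        return "bucket"
    if action in OBJECT_LEVEL:
        return "object"
    if action in ACCOUNT_LEVEL:
        return "account"
    return "unknown"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_policy(policy):
    """Return (sid, action, finding) tuples for every Allow statement."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "Statement%d" % i)
        kinds = {resource_kind(r) for r in _as_list(stmt.get("Resource", []))}
        for action in _as_list(stmt.get("Action", [])):
            level = action_level(action)
            if level == "unknown":
                findings.append((sid, action, "unknown action: not classified by this check"))
            elif level == "account":
                if "any" in kinds:
                    findings.append((sid, action, "account-wide: lists every bucket name in the account"))
                else:
                    findings.append((sid, action, 'ineffective: needs Resource "*"'))
            elif level in kinds:
                continue                  # correctly scoped to the right ARN form
            elif "any" in kinds:
                findings.append((sid, action, "overbroad: wildcard resource grants this on every bucket"))
            else:
                findings.append((sid, action,
                                 "ineffective: %s-level action has no %s resource" % (level, level)))
    return findings


def minimal_policy(bucket):
    """Single-bucket policy in the shape that worked in the thread (Sids are ours)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "BucketLevel", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": S3_PREFIX + bucket},
        {"Sid": "ObjectLevel", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": S3_PREFIX + bucket + "/*"},
    ]}


# The policy from the question, verbatim apart from being embedded here.
QUESTION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "*"},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:PutObjectTagging", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::BUCKETNAMEHERE/*"}
  ]}""")

# Constructed mistake: ListBucket granted on the object ARN pattern only,
# which never matches the bucket ARN, so listing is denied.
MISSCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ListOnObjects", "Effect": "Allow",
     "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    for name, pol in [("question", QUESTION_POLICY), ("misscoped", MISSCOPED_POLICY),
                      ("minimal", minimal_policy("example-bucket"))]:
        print(name, check_policy(pol) or "no findings")
```

Run against the question's policy the checker reports no ineffective grants, only that the bucket-level actions and s3:ListAllMyBuckets are account-wide, so an Access Denied with that policy points at something outside the identity policy (for example a bucket policy or an object-level action Kentico needs that is not listed); against the answer's single-bucket shape it reports nothing. The action tables cover only the operations the thread mentions plus versioning; extend them before trusting the check on other S3 actions.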
