S3 POST upload minimal policy

Question:

I have successfully created a simple HTML form that POSTs an uploaded file to my Amazon S3 bucket. I followed these instructions:
http://aws.amazon.com/articles/1434

Now I am trying to create the minimal policy on a user that can perform the HTML form POST.
Here’s the setup:

Here’s the HTML form:

…and here is the unencoded version of the form’s hidden input ‘policy’:

This all works when userId: s3-uploader has a policy of:

…but if I change the policy to something more explicit, but still seemingly reasonable, I get an <AccessDenied/> message back from the exact same HTML form post.

Here’s the more restrictive policy I tried:

I’ve read through the doc here, without obtaining additional clarity:
http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingIAMPolicies.html

So I ask my fellow Overflow-ites, what am I missing? I’d really rather not have the s3-uploader userId able to do any action (i.e. ‘s3:*’) on the bucket.

Answer:

The ARN that you’re using in the Resource section is wrong, you must use the actual bucket name instead of the CNAME entry.
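As an added illustration of the answer (example code, not from the question or the answer; the bucket name, CNAME and POST policy below are constructed placeholders): a minimal IAM policy for the uploader user, plus a check that every Resource ARN names the same bucket that the POST policy's bucket condition does, which is exactly where the CNAME mistake shows up.

```python
# Constructed sample values, not from the original post: the bucket's real name
# and a CNAME (virtual-host alias) that fronts it.
BUCKET_NAME = "my-upload-bucket"
BUCKET_CNAME = "uploads.example.com"

# Constructed POST policy in the shape of the form's decoded hidden 'policy' field.
POST_POLICY = {
    "expiration": "2030-01-01T00:00:00Z",
    "conditions": [{"bucket": BUCKET_NAME}, ["starts-with", "$key", "uploads/"]],
}

def minimal_uploader_policy(bucket: str) -> dict:
    """Least-privilege IAM policy for the signing user: s3:PutObject on objects in
    the one bucket only (add s3:PutObjectAcl only if the form sets an acl field)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": [f"arn:aws:s3:::{bucket}/*"],
        }],
    }

def bucket_from_arn(arn: str) -> str:
    """arn:aws:s3:::bucket/key -> bucket. IAM compares this literally, so a CNAME
    hostname here names a different (usually nonexistent) bucket."""
    prefix = "arn:aws:s3:::"
    if not arn.startswith(prefix):
        raise ValueError(f"not an S3 ARN: {arn}")
    return arn[len(prefix):].split("/", 1)[0]

def post_policy_bucket(post_policy: dict) -> str:
    """Bucket the POST policy binds uploads to ({"bucket": x} or ["eq", "$bucket", x])."""
    for cond in post_policy["conditions"]:
        if isinstance(cond, dict) and "bucket" in cond:
            return cond["bucket"]
        if isinstance(cond, list) and cond[:2] == ["eq", "$bucket"]:
            return cond[2]
    raise ValueError("POST policy has no bucket condition")

def mismatched_resources(iam_policy: dict, post_policy: dict) -> list:
    """Resource ARNs that do not name the bucket the POST policy targets."""
    target = post_policy_bucket(post_policy)
    return [arn for stmt in iam_policy["Statement"]
            for arn in ([stmt["Resource"]] if isinstance(stmt["Resource"], str) else stmt["Resource"])
            if bucket_from_arn(arn) != target]

if __name__ == "__main__":
    for b in (BUCKET_CNAME, BUCKET_NAME):
        print(b, "->", mismatched_resources(minimal_uploader_policy(b), POST_POLICY))
```

Running it reports the CNAME-based ARN as mismatched and the real bucket name as clean; the IAM policy built from the real name is the minimal one the question asks for.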
