S3 POST upload minimal policy


I have successfully created a simple HTML form that POSTs an uploaded file to my Amazon S3 bucket. I followed these instructions:

Now I am trying to create the minimal policy on a user that can perform the HTML form POST.
Here’s the setup:

Here’s the HTML form:

…and this is the unencoded version of the form's hidden input ‘policy’:

This all works when userId: s3-uploader has a policy of:

…but if I change the policy to something more explicit, but still seemingly reasonable, I get an <AccessDenied/> message back from the exact same HTML form POST.

Here’s the more restrictive policy I tried:

I’ve read through the doc here, without obtaining additional clarity:

So I ask my fellow Overflow-ites, what am I missing? I’d really rather not have the s3-uploader userId able to do any action (i.e. ‘s3:*’) on the bucket.


The ARN that you’re using in the Resource section is wrong, you must use the actual bucket name instead of the CNAME entry.
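To make the answer concrete, here is an added Python example (not code from the question or the answer above) that builds a SigV4-signed browser POST policy for a bucket and the matching least-privilege IAM policy for the uploader user, then checks that the IAM `Resource` ARN names the same bucket the POST policy's `bucket` condition pins. The bucket name, prefix, region, timestamp and the AWS documentation placeholder key pair are all assumptions made up for the example; the point it demonstrates is that `Resource` must be `arn:aws:s3:::<bucket-name>/...`, so a CNAME hostname in that position never matches the bucket the form posts to.

```python
import base64
import datetime
import hashlib
import hmac
import json

# Constructed values for this example only (the key pair is the AWS docs placeholder).
BUCKET = "example-upload-bucket"   # the S3 bucket name itself, not a CNAME hostname
REGION = "us-east-1"
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
KEY_PREFIX = "uploads/"


def iam_policy(bucket, prefix):
    """Minimal IAM policy for the uploader user: PutObject only, under one prefix.
    Resource uses the bucket name (arn:aws:s3:::<bucket>/...), never a CNAME."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": ["arn:aws:s3:::%s/%s*" % (bucket, prefix)],
        }],
    }


def post_policy(bucket, prefix, access_key, region, now, max_bytes=10 * 1024 * 1024):
    """Unencoded POST policy document (the 'policy' hidden input before base64)."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    credential = "%s/%s/%s/s3/aws4_request" % (access_key, date_stamp, region)
    expiration = (now + datetime.timedelta(minutes=15)).strftime("%Y-%m-%dT%H:%M:%SZ")
    doc = {
        "expiration": expiration,
        "conditions": [
            {"bucket": bucket},                          # pins the target bucket
            ["starts-with", "$key", prefix],             # uploads confined to prefix
            ["content-length-range", 1, max_bytes],      # reject empty/oversized files
            {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
            {"x-amz-credential": credential},
            {"x-amz-date": amz_date},
        ],
    }
    return doc, credential, amz_date, date_stamp


def sign_policy(doc, secret_key, date_stamp, region):
    """SigV4 signing for browser POST: derive the signing key, then HMAC-SHA256
    the base64 policy. Returns (policy_b64, hex signature)."""
    policy_b64 = base64.b64encode(json.dumps(doc).encode()).decode()

    def h(key, msg):
        return hmac.new(key, msg.encode(), hashlib.sha256).digest()

    k_date = h(("AWS4" + secret_key).encode(), date_stamp)
    k_region = h(k_date, region)
    k_service = h(k_region, "s3")
    k_signing = h(k_service, "aws4_request")
    signature = hmac.new(k_signing, policy_b64.encode(), hashlib.sha256).hexdigest()
    return policy_b64, signature


def form_fields(bucket, prefix, access_key, secret_key, region, now):
    """The hidden inputs the HTML form needs (file input goes last in the form)."""
    doc, credential, amz_date, date_stamp = post_policy(bucket, prefix, access_key, region, now)
    policy_b64, signature = sign_policy(doc, secret_key, date_stamp, region)
    return {
        "key": prefix + "${filename}",
        "x-amz-algorithm": "AWS4-HMAC-SHA256",
        "x-amz-credential": credential,
        "x-amz-date": amz_date,
        "policy": policy_b64,
        "x-amz-signature": signature,
    }


def resource_matches_bucket(iam, bucket):
    """True only if every Resource ARN refers to the bucket the form posts to.
    A CNAME hostname such as arn:aws:s3:::uploads.example.com/* fails this check."""
    arns = []
    for stmt in iam["Statement"]:
        res = stmt["Resource"]
        arns.extend(res if isinstance(res, list) else [res])
    return all(a.startswith("arn:aws:s3:::%s/" % bucket) for a in arns)


if __name__ == "__main__":
    when = datetime.datetime(2024, 1, 15, 12, 0, 0)
    print(json.dumps(iam_policy(BUCKET, KEY_PREFIX), indent=2))
    print(json.dumps(form_fields(BUCKET, KEY_PREFIX, ACCESS_KEY, SECRET_KEY, REGION, when), indent=2))
```

With this IAM policy the uploader can only `PutObject` under `uploads/` in that one bucket; if the form also sends an `acl` field you would need to add `s3:PutObjectAcl` to the `Action` list, and nothing else.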

