Granting s3 listObjects permission


#1

I am following this guide for setting up iam-policies with iam_policy("s3") inside a controller, in front of a method, which is documented to grant full s3 permission:

{
  action: ["s3:*"],
  effect: "Allow",
  resource: "*",
}

http://rubyonjets.com/docs/iam-policies/

However, in CloudFormation it was interpreted as

          - Action:
            - s3:ListAllMyBuckets
            - s3:HeadBucket
            Effect: Allow
            Resource: arn:aws:s3:::*

Any trick to get the desired behavior?

PS: I am also using class_iam_policy in the same Controller for granting dynamodb permission, and discovered that having class_iam_policy will cause a CloudFormation error. The use of iam-policies was to get around this problem. Being able to have multiple policies inside class_iam_policy would work, too.

Thank you.

Yuhan


#2

@yuhanz I think what you're seeing is the IAM policy from the "inherited" application-wide policy.

The ListAllMyBuckets part of the IAM permissions comes from the default application-wide IAM policy. Part of the default IAM application-wide policy is:

          - Action:
            - s3:ListAllMyBuckets
            - s3:HeadBucket
            Effect: Allow
            Resource: arn:aws:s3:::*

When iam_policy is used, it adds to the IAM policy.

iam_policy("s3")  # adds to the IAM policies inherited from lower levels

From the docs: http://rubyonjets.com/docs/iam-policies/

“So the IAM policies are additive.”

I took this decision because I found it to be the more common case. Originally, iam_policies would not "inherit" and the code turned out not very DRY, since I found that I would have to duplicate the original IAM policy permissions each and every time iam_policy was used.

If you would like to remove or change the default application-wide policy, you can override the “Application-wide IAM policy” also.

Brings Another Question

This brings up another question. Originally, the application-wide policy was needed before official Ruby support was introduced. Unsure if we need those s3 permissions now :thinking: Will have to dig into it and test more thoroughly though before removing.

class_iam_policy causing CloudFormation Error?

RE: ps: I am also using class_iam_policy in the same Controller for granting dynamodb permission, and discovered that having class_iam_policy will cause CloudFormation error.

Odd, just tried both class_iam_policy and iam_policy with code like this:

class PostsController < ApplicationController
  class_iam_policy "dynamodb"
  iam_policy "s3"
  def index
    @posts = Post.all
  end
...

That produced this:

  PostsControllerIndexIamRole:
    Type: AWS::IAM::Role
    Properties:
...
      Policies:
      - PolicyName: demo-dev-posts-controller-index-policy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Action:
            - s3:*
            Effect: Allow
            Resource: "*"
          - Action:
            - dynamodb:*
            Effect: Allow
            Resource: "*"
          - Action:
            - logs:*
            Effect: Allow
            Resource: arn:aws:logs:us-west-2:112233445566:log-group:/aws/lambda/demo-dev-*
          - Action:
            - s3:Get*
            - s3:List*
            Effect: Allow
            Resource: arn:aws:s3:::demo-dev-s3bucket-8txudw3uiqfw*
          - Action:
            - s3:ListAllMyBuckets
            - s3:HeadBucket
            Effect: Allow
            Resource: arn:aws:s3:::*

And the stack deployed successfully. Wondering what the CloudFormation error was? Here's a CloudFormation Debugging Tip that may help identify the error.
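As an added illustration (not code from this thread or from the Jets project), the Ruby below models the additive merge described in the reply above and then checks which statement actually grants a given S3 action. The "s3" shorthand expansion and the default application-wide statements are taken from the posts; the merge order, the helper names, and the bucket name my-app-uploads are assumptions, and the matcher is a simplified Allow-only glob check rather than a full IAM evaluator (no Deny, no conditions). It also shows the hash form of the same iam_policy call scoped to one bucket and to listing only, which is what the title of the thread asks for.

```ruby
require "json"

# Default application-wide statements as quoted in the thread. The account id and
# bucket suffix are the placeholders from the posted CloudFormation output.
DEFAULT_APP_POLICY = [
  { action: ["logs:*"], effect: "Allow",
    resource: "arn:aws:logs:us-west-2:112233445566:log-group:/aws/lambda/demo-dev-*" },
  { action: ["s3:Get*", "s3:List*"], effect: "Allow",
    resource: "arn:aws:s3:::demo-dev-s3bucket-8txudw3uiqfw*" },
  { action: ["s3:ListAllMyBuckets", "s3:HeadBucket"], effect: "Allow",
    resource: "arn:aws:s3:::*" },
].freeze

# Shorthand expansion as documented on the page: a bare service name means
# "<service>:*" on every resource. A hash is taken as a complete statement.
def expand_statement(policy)
  case policy
  when String then { action: ["#{policy}:*"], effect: "Allow", resource: "*" }
  when Hash   then policy
  else raise ArgumentError, "unsupported policy: #{policy.inspect}"
  end
end

# Additive merge: method-level, then class-level, then application-wide statements,
# in the order the posted Policies block shows them (the order is an assumption).
def merged_policy_document(method_policies: [], class_policies: [], app_policies: DEFAULT_APP_POLICY)
  statements = (method_policies + class_policies).map { |p| expand_statement(p) } + app_policies
  {
    "Version" => "2012-10-17",
    "Statement" => statements.map do |s|
      { "Action" => Array(s[:action]), "Effect" => s[:effect], "Resource" => s[:resource] }
    end,
  }
end

# Minimal IAM-style glob: '*' matches any run of characters. Action names are
# case-insensitive in IAM, resource ARNs are not.
def iam_glob?(pattern, value, ignore_case: false)
  body = Regexp.escape(pattern).gsub("\\*", ".*")
  Regexp.new("\\A#{body}\\z", ignore_case ? Regexp::IGNORECASE : 0).match?(value)
end

# First Allow statement that grants `action` on `resource`, or nil if none does.
# Simplified: explicit Deny and Condition blocks are not modelled here.
def granting_statement(doc, action, resource)
  doc["Statement"].find do |s|
    s["Effect"] == "Allow" &&
      s["Action"].any? { |a| iam_glob?(a, action, ignore_case: true) } &&
      iam_glob?(s["Resource"], resource)
  end
end

# Hypothetical bucket used for the checks below.
BUCKET = "arn:aws:s3:::my-app-uploads"

# 1. Defaults alone: ListAllMyBuckets is granted, listing a specific bucket is not.
#    This is the block the original poster saw and mistook for the whole policy.
DEFAULTS_ONLY = merged_policy_document

# 2. iam_policy "s3" as in the thread: listing is granted, but via s3:* on "*",
#    which also grants s3:DeleteObject on every bucket in the account.
WITH_S3_STAR = merged_policy_document(method_policies: ["s3"])

# 3. Least-privilege alternative using the hash form shown on the page, limited to
#    s3:ListBucket on one bucket. Delete stays ungranted.
LIST_ONLY = { action: ["s3:ListBucket"], effect: "Allow", resource: BUCKET }.freeze
SCOPED = merged_policy_document(method_policies: [LIST_ONLY])

if $PROGRAM_NAME == __FILE__
  puts JSON.pretty_generate(SCOPED)
  p granting_statement(WITH_S3_STAR, "s3:DeleteObject", "#{BUCKET}/some/key")
  p granting_statement(SCOPED, "s3:DeleteObject", "#{BUCKET}/some/key")
end
```

Pass a hash to iam_policy instead of the bare "s3" string when the method only needs to list or read one bucket; the inherited ListAllMyBuckets and HeadBucket statements stay in place either way because of the additive merge.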


#3

The error happens when multiple statements of class_iam_policy are provided in the same Controller. The error message says something like "Another process is already running to update the IAM role." I was able to get around it with iam_policy.

Thanks for the note on the application-level policy override. I will follow this approach.