I have the following Servlerless config that is trying to create a public access S3 bucket that I can use for hosting images for a website. I want to make sure that it has GetObject access to anybody since they will be public images.
provider:
name: aws
runtime: nodejs18.x
timeout: 25
iam:
role:
statements:
- Effect: Allow
Action:
- 's3:GetObject'
- 's3:PutBucketPolicy'
Resource:
- 'arn:aws:s3:::my-bucket-name/*'
resources:
Resources:
WebImagesBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: my-bucket-name
# AccessControl: PublicRead
# PublicAccessBlockConfiguration:
# BlockPublicAcls: false
# BlockPublicPolicy: false
# IgnorePublicAcls: false
# RestrictPublicBuckets: false
PublicReadGetObject:
Type: AWS::S3::BucketPolicy
Properties:
Bucket:
Ref: "WebImagesBucket"
PolicyDocument:
Statement:
- Effect: Allow
Sid: PublicReadGetObject
Action:
- 's3:GetObject'
Resource:
- 'arn:aws:s3:::my-bucket-name/*'
Principal: "*"
I am creating the S3 bucket resource but creating the PublicReadGetObject policy fails with a 403:
CREATE_FAILED: PublicReadGetObject (AWS::S3::BucketPolicy)
Resource handler returned message: "Access Denied (Service: S3, Status Code: 403
Do I need to update the provider iam to have some other policy actions?
I tried using AccessControl but seems like that has been deprecated in favour of policy.
Any help on getting this working would be greatly appreciated. Thanks
This is probably related to account-level or default bucket-level Block Public Access. See Configuring Block Public Access. You will need to disable BPA if you want to put a bucket policy that allows public access.
Also, note that
s3:PutBucketPolicyis a bucket-level action, not object-level, so the ARNarn:aws:s3:::my-bucket-name/*is incorrect. It needs to bearn:aws:s3:::my-bucket-name, for example: