amazon-web-services cli - How to make all Objects in AWS S3 bucket public by default?




readable files (3)

Go to http://awspolicygen.s3.amazonaws.com/policygen.html Fill in the details such as: In Action select "GetObject" Select "Add Statement" Then select "Generate Policy"

Copy the text example:

{
  "Id": "Policy1397632521960",
  "Statement": [
    {
      "Sid": "Stmt1397633323327",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucketnm/*",
      "Principal": {
        "AWS": [
          "*"
        ]
      }
    }
  ]
}

Now go to your AWS S3 console, At the bucket level, click on Properties, Expand Permissions, then Select Add bucket policy. Paste the above generated code into the editor and hit save.

All your items in the bucket will be public by default.

I am using a PHP library to upload a file to my bucket. I have set the ACL to public-read-write and it works fine but the file is still private.

I found that if I change the Grantee to Everyone it makes the file public. What I want to know is how do I make the default Grantee on all objects in my bucket to be set to "Everyone". Or is there another solution to make files public by default?

Code I am using is below:

public static function putObject($input, $bucket, $uri, $acl = self::ACL_PRIVATE, $metaHeaders = array(), $requestHeaders = array()) {
    if ($input === false) return false;
    $rest = new S3Request('PUT', $bucket, $uri);

    if (is_string($input)) $input = array(
        'data' => $input, 'size' => strlen($input),
        'md5sum' => base64_encode(md5($input, true))
    );

    // Data
    if (isset($input['fp']))
        $rest->fp =& $input['fp'];
    elseif (isset($input['file']))
        $rest->fp = @fopen($input['file'], 'rb');
    elseif (isset($input['data']))
        $rest->data = $input['data'];

    // Content-Length (required)
    if (isset($input['size']) && $input['size'] >= 0)
        $rest->size = $input['size'];
    else {
        if (isset($input['file']))
            $rest->size = filesize($input['file']);
        elseif (isset($input['data']))
            $rest->size = strlen($input['data']);
    }

    // Custom request headers (Content-Type, Content-Disposition, Content-Encoding)
    if (is_array($requestHeaders))
        foreach ($requestHeaders as $h => $v) $rest->setHeader($h, $v);
    elseif (is_string($requestHeaders)) // Support for legacy contentType parameter
        $input['type'] = $requestHeaders;

    // Content-Type
    if (!isset($input['type'])) {
        if (isset($requestHeaders['Content-Type']))
            $input['type'] =& $requestHeaders['Content-Type'];
        elseif (isset($input['file']))
            $input['type'] = self::__getMimeType($input['file']);
        else
            $input['type'] = 'application/octet-stream';
    }

    // We need to post with Content-Length and Content-Type, MD5 is optional
    if ($rest->size >= 0 && ($rest->fp !== false || $rest->data !== false)) {
        $rest->setHeader('Content-Type', $input['type']);
        if (isset($input['md5sum'])) $rest->setHeader('Content-MD5', $input['md5sum']);

        $rest->setAmzHeader('x-amz-acl', $acl);
        foreach ($metaHeaders as $h => $v) $rest->setAmzHeader('x-amz-meta-'.$h, $v);
        $rest->getResponse();
    } else
        $rest->response->error = array('code' => 0, 'message' => 'Missing input parameters');

    if ($rest->response->error === false && $rest->response->code !== 200)
        $rest->response->error = array('code' => $rest->response->code, 'message' => 'Unexpected HTTP status');
    if ($rest->response->error !== false) {
        trigger_error(sprintf("S3::putObject(): [%s] %s", $rest->response->error['code'], $rest->response->error['message']), E_USER_WARNING);
        return false;
    }
    return true;
}

If you want to make all objects public by default, the simplest way is to do it trough a Bucket Policy instead of Access Control Lists (ACLs) defined on each individual object.

You can use the AWS Policy Generator to generate a bucket policy for your bucket.

For example, the following policy will allow anyone to read every object in your S3 bucket (just replace <bucket-name> with the name of your bucket):

{
  "Id": "Policy1380877762691",
  "Statement": [
    {
      "Sid": "Stmt1380877761162",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<bucket-name>/*",
      "Principal": {
        "AWS": [
          "*"
        ]
      }
    }
  ]
}

The Bucket Policy contains a list of Statements and each statement has an Effect (either Allow or Deny) for a list of Actions that are performed by Principal (the user) on the specified Resource (identified by an Amazon Resource Name or ARN).

The Id is just an optional policy id and the Sid is an optional unique statement id.

For S3 Bucket Policies, the Resource ARNs take the form:

arn:aws:s3:::<bucket_name>/<key_name>

The above example allows (Effect: Allow) anyone (Principal: *) to access (Action: s3:GetObject) any object in the bucket (Resource: arn:aws:s3:::<bucket-name>/*).


Found the answer in an amazon aws forum.

return s3Client.putObject(
   new PutObjectRequest(bucketName, objectKey, inputStream, metadata)
      .withCannedAcl(CannedAccessControlList.PublicRead));

The answer being

.withCannedAcl(CannedAccessControlList.PublicRead)





amazon-web-services amazon-s3