Tiffany B. Brown

04 September 2014

Use a bucket policy to make all objects in an S3 bucket publicly readable by default

I'm still working out my Pelican/S3 workflow. For the last few days, the workflow has been Write a post → Generate the pages → Upload them using Cyberduck → futz about with permissions.

Now, that's cool if you're uploading one or two files. But when you're uploading an entire set of regenerated files — blog post, updated home page, updated archive page, updated tag page, etc — it quickly become a pain in the you-know-what.

What I wanted was the ability to make everything in a bucket public by default. This is where S3's bucket policy comes in handy.

Bucket policies let you specify what actions a particular user or group of users may perform on a bucket. My web site's bucket policy is below.

{
  "Version": "2012-10-17",
  "Statement": [{
        "Sid": "MakeItPublic",
        "Effect": "Allow",
        "Principal": "*", 
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::yourbucketname.com/*"
    }]
}

An explanation of each line follows.

  • "Version" specifies which version of Access Policy Language we're using.
  • "Statement" is where we define the actual statement.
  • "Sid" sets a name for this policy.
  • "Effect" has two options, Allow and Deny and determines whether or not to permit the listed actions.
    • "Principal" indicates the user or group permitted to or prevented from performing an action. In this case, it's a wildcard, and allows access to all.
    • "Action" is either a single action, or an array of actions that are allowed / prohibited. There are defined lists of operations that you can perform on objects and buckets.
    • "Resource:" specifies which bucket or objects are controlled by this policy.

It's much like setting chmod 444 on a *nix directory and its contents. Adding this bucket policy means that everything in or added to this bucket will be world-readable by default.

The easiest way to set a bucket policy is by logging in to your AWS Console. Go to the S3 section, click a bucket, open the Permissions panel, and click the Add bucket policy button. Paste the bucket policy text in the Bucket Policy Editor text area.