How to make all Objects in AWS S3 bucket public by default?
I am using a PHP library to upload a file to my bucket. I have set the ACL to public-read-write and it works fine but the file is still private.
I found that if I change the Grantee to Everyone it makes the file public. What I want to know is how do I make the default Grantee on all objects in my bucket to be set to "Everyone". Or is there another solution to make files public by default?
Code I am using is below:
public static function putObject($input, $bucket, $uri, $acl = self::ACL_PRIVATE, $metaHeaders = array(), $requestHeaders = array()) {
if ($input === false) return false;
$rest = new S3Request('PUT', $bucket, $uri);
if (is_string($input)) $input = array(
'data' => $input, 'size' => strlen($input),
'md5sum' => base64_encode(md5($input, true))
);
// Data
if (isset($input['fp']))
$rest->fp =& $input['fp'];
elseif (isset($input['file']))
$rest->fp = @fopen($input['file'], 'rb');
elseif (isset($input['data']))
$rest->data = $input['data'];
// Content-Length (required)
if (isset($input['size']) && $input['size'] >= 0)
$rest->size = $input['size'];
else {
if (isset($input['file']))
$rest->size = filesize($input['file']);
elseif (isset($input['data']))
$rest->size = strlen($input['data']);
}
// Custom request headers (Content-Type, Content-Disposition, Content-Encoding)
if (is_array($requestHeaders))
foreach ($requestHeaders as $h => $v) $rest->setHeader($h, $v);
elseif (is_string($requestHeaders)) // Support for legacy contentType parameter
$input['type'] = $requestHeaders;
// Content-Type
if (!isset($input['type'])) {
if (isset($requestHeaders['Content-Type']))
$input['type'] =& $requestHeaders['Content-Type'];
elseif (isset($input['file']))
$input['type'] = self::__getMimeType($input['file']);
else
$input['type'] = 'application/octet-stream';
}
// We need to post with Content-Length and Content-Type, MD5 is optional
if ($rest->size >= 0 && ($rest->fp !== false || $rest->data !== false)) {
$rest->setHeader('Content-Type', $input['type']);
if (isset($input['md5sum'])) $rest->setHeader('Content-MD5', $input['md5sum']);
$rest->setAmzHeader('x-amz-acl', $acl);
foreach ($metaHeaders as $h => $v) $rest->setAmzHeader('x-amz-meta-'.$h, $v);
$rest->getResponse();
} else
$rest->response->error = array('code' => 0, 'message' => 'Missing input parameters');
if ($rest->response->error === false && $rest->response->code !== 200)
$rest->response->error = array('code' => $rest->response->code, 'message' => 'Unexpected HTTP status');
if ($rest->response->error !== false) {
trigger_error(sprintf("S3::putObject(): [%s] %s", $rest->response->error['code'], $rest->response->error['message']), E_USER_WARNING);
return false;
}
return true;
}
Solution 1:
Go to http://awspolicygen.s3.amazonaws.com/policygen.html Fill in the details such as: In Action select "GetObject" Select "Add Statement" Then select "Generate Policy"
Copy the text example:
{
"Id": "Policy1397632521960",
"Statement": [
{
"Sid": "Stmt1397633323327",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucketnm/*",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
Now go to your AWS S3 console, At the bucket level, click on Properties, Expand Permissions, then Select Add bucket policy. Paste the above generated code into the editor and hit save.
All your items in the bucket will be public by default.
Solution 2:
If you want to make all objects public by default, the simplest way is to do it trough a Bucket Policy instead of Access Control Lists (ACLs) defined on each individual object.
You can use the AWS Policy Generator to generate a bucket policy for your bucket.
For example, the following policy will allow anyone to read every object in your S3 bucket (just replace <bucket-name>
with the name of your bucket):
{
"Id": "Policy1380877762691",
"Statement": [
{
"Sid": "Stmt1380877761162",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::<bucket-name>/*",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
The Bucket Policy contains a list of Statements
and each statement has an Effect
(either Allow
or Deny
) for a list of Actions
that are performed by Principal
(the user) on the specified Resource
(identified by an Amazon Resource Name
or ARN
).
The Id
is just an optional policy id and the Sid
is an optional unique statement id.
For S3 Bucket Policies, the Resource ARNs take the form:
arn:aws:s3:::<bucket_name>/<key_name>
The above example allows (Effect: Allow
) anyone (Principal: *
) to access (Action: s3:GetObject
) any object in the bucket (Resource: arn:aws:s3:::<bucket-name>/*
).
Solution 3:
My problem was slightly different, but since this question is on the top of google search I'll leave my solution, maybe it'll help somebody.
I already had had full access to S3 bucket before, but one day it just started to return Access Denied
to all my files. The solution was straightforward simple.
- Go to
Services
-S3
- Click on your S3 bucket
- Switch to
Permissions
tab, then go toBucket Policy
tab - And click the
Save
button.
It should reassign permission on all your files.
Anyway, here is full bucket policy
that allows makes all object public
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::enter-here-your-media-bucket-name/*"
}
]
}
Solution 4:
The JSON above did not work for me, but I found this to be working. I have tested it on multiple buckets. I can write to the buckets programmatically and read from them at the same time
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AddCannedAcl",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::<bucket_name>/*"
}
]
}