At the end of Chapter 11 of The Rails Tutorial by Michael Hartl I successfully managed to enable user uploads to Amazons S3 service by creating a bucket, using IAM to set a user and granting the user an AmazonS3FullAccess policy. It feels dirty and very insecure to allow an unknown user on my website to have full access to a bucket for image upload on my website and I'm not sure if I should feel this way. I created a custom policy at
- http://awspolicygen.s3.amazonaws.com/policygen.html
Which is the following:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1445501067518", "Action": [ "s3:GetObject", "s3:PutObject" ], "Effect": "Allow", "Resource": "arn:aws:s3:::bucketname" } ] }
I am not confident in my solution and could not find any answers googling for the best way to go about this. I am using carrierwave (with intentions of using carrierwave_direct for my own project), fog, and mini_magick gems.