@jdecode
Last active January 17, 2024 11:45
S3 and IAM policy and configuration setup

Following is the CORS configuration that goes under Bucket > Permissions > Cross-origin resource sharing (CORS). This is the legacy XML form; the S3 console now accepts the same rules as JSON. Note that AllowedOrigin * lets any website make cross-origin requests to the bucket, so narrow it to the origins that actually need access unless the bucket is meant to be public.

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
  </CORSRule>
</CORSConfiguration>
jdecode (Author) commented Aug 13, 2020

The API key ID and SECRET pair MUST NOT be made accessible to front-end applications, neither web-based apps (React.JS/Vue etc.) nor mobile apps (React Native, Swift/Java etc.).

The secret keys MUST stay at the server end only; the server should be used by client-end (front-end) apps (web/mobile) to get signed/pre-signed URLs to access or save files to S3, but never store the API keys.
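The pattern described in the comment above, as an added example that is not part of the gist or the commenter's code: a server-side handler issues a short-lived pre-signed URL with AWS Signature Version 4 (query-parameter signing) using only the Python standard library, so the secret never leaves the server and the URL the client receives is bounded by X-Amz-Expires. The bucket, object key, region and credentials are constructed placeholders; the signing steps follow the public SigV4 specification.

```python
"""Issue a short-lived S3 pre-signed URL from the server side (AWS Signature
Version 4, query-parameter signing) with the Python standard library only.

Added example, not the gist author's code. Bucket, key and credentials are
constructed placeholders; the signing steps follow the public SigV4
specification, so the secret never leaves the server and the URL a client
receives is bounded by X-Amz-Expires.
"""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote, urlsplit

MAX_EXPIRES = 7 * 24 * 3600   # S3 refuses SigV4 pre-signed URLs valid for longer than 7 days

# Constructed sample inputs (hypothetical; never hard-code real credentials).
SAMPLE_ACCESS_KEY = "AKIAEXAMPLEKEY000000"
SAMPLE_SECRET_KEY = "exampleSecretKey/NotReal"
SAMPLE_NOW = datetime(2024, 1, 17, 11, 45, 0, tzinfo=timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, date: str, region: str) -> bytes:
    """Derive the per-day, per-region, per-service key: an HMAC chain over
    'AWS4' + secret, then date, region, service and the literal 'aws4_request'."""
    k = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    return k


def presign_s3_url(method, bucket, key, access_key, secret_key, region,
                   expires=900, now=None):
    """Return a virtual-hosted-style pre-signed URL for one object and method.

    Only the host header is signed and the payload is left unsigned
    (UNSIGNED-PAYLOAD), which is what S3 expects for query-string auth."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError(f"expires must be between 1 and {MAX_EXPIRES} seconds")
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    host = f"{bucket}.s3.{region}.amazonaws.com"
    scope = f"{date}/{region}/s3/aws4_request"
    canonical_uri = quote("/" + key, safe="/")        # each path segment encoded once
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query: sorted by name, names and values URI-encoded ('/' included).
    canonical_query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                               for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        method.upper(),
        canonical_uri,
        canonical_query,
        f"host:{host}\n",       # canonical headers block, each line newline-terminated
        "host",                 # signed headers list
        "UNSIGNED-PAYLOAD",     # pre-signed URLs do not commit to a body hash
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(_signing_key(secret_key, date, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def presigned_params(url):
    """Parse the X-Amz-* query parameters back out of a pre-signed URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def seconds_remaining(url, at):
    """How long the URL stays valid as of `at` (UTC); <= 0 means expired."""
    p = presigned_params(url)
    issued = datetime.strptime(p["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return int(p["X-Amz-Expires"]) - int((at - issued).total_seconds())


def demo_url(expires=600):
    """The URL a server handler would hand to a browser or mobile client."""
    return presign_s3_url("GET", "example-bucket", "reports/q1 2024.pdf",
                          SAMPLE_ACCESS_KEY, SAMPLE_SECRET_KEY, "eu-west-1",
                          expires=expires, now=SAMPLE_NOW)


if __name__ == "__main__":
    print(demo_url())
```

The front end only ever sees the returned URL: it carries the access key ID, the scope and the signature, but not the secret, and S3 rejects it once X-Amz-Expires has elapsed. Keep expiry short (minutes for a single download or upload) and generate a fresh URL per object rather than handing out long-lived ones; for uploads, sign PUT and make sure the bucket's CORS rules allow that method.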

er-pkumar commented:

New/JSON CORS

[{
  "AllowedHeaders": [],
  "AllowedMethods": [
      "GET",
      "POST"
  ],
  "AllowedOrigins": [
      "*"
  ],
  "ExposeHeaders": []
}]
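Both rule sets on this page (the XML form in the gist and the JSON form in the comment above) allow any origin, and neither allows PUT, so a browser uploading through a pre-signed PUT URL would be blocked at the preflight. The following is an added example, not the gist's or the commenters' code: it parses both forms into one structure and simulates how S3 evaluates a preflight (first rule whose AllowedOrigins, AllowedMethods and AllowedHeaders all match wins; no match means no CORS headers and the browser refuses the response). The hardened rule set and the origin names are hypothetical.

```python
"""Simulate S3's evaluation of bucket CORS rules against a browser preflight.

Added example, not the gist's own code. The XML and JSON rule sets below are
the ones shown on this page, embedded as constructed strings so the script
runs offline; the hardened rule set and the origin names are hypothetical.
S3 takes the first rule whose AllowedOrigins, AllowedMethods and
AllowedHeaders all match; if none does, no CORS headers are returned and the
browser blocks the request.
"""
import json
import xml.etree.ElementTree as ET

# Legacy XML form from the gist body (constructed copy).
XML_CORS = """<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
  </CORSRule>
</CORSConfiguration>"""

# JSON form from the comment thread (constructed copy).
JSON_CORS = """[{
  "AllowedHeaders": [],
  "AllowedMethods": ["GET", "POST"],
  "AllowedOrigins": ["*"],
  "ExposeHeaders": []
}]"""

# Hypothetical hardened rule: one origin, the methods pre-signed URL clients
# actually use (GET to fetch, PUT to upload), and only the headers they send.
HARDENED_JSON_CORS = """[{
  "AllowedHeaders": ["content-type", "x-amz-*"],
  "AllowedMethods": ["GET", "PUT"],
  "AllowedOrigins": ["https://app.example.com"],
  "ExposeHeaders": ["ETag"],
  "MaxAgeSeconds": 300
}]"""

_LIST_KEYS = ("AllowedOrigins", "AllowedMethods", "AllowedHeaders", "ExposeHeaders")


def parse_cors_xml(text):
    """Convert the legacy XML form into the JSON-style list of rule dicts."""
    root = ET.fromstring(text.encode("utf-8"))
    rules = []
    for rule_el in root:
        if rule_el.tag.split("}")[-1] != "CORSRule":
            continue
        rule = {k: [] for k in _LIST_KEYS}
        rule["MaxAgeSeconds"] = None
        for child in rule_el:
            tag = child.tag.split("}")[-1]      # strip the S3 XML namespace
            value = (child.text or "").strip()
            if tag == "MaxAgeSeconds":
                rule["MaxAgeSeconds"] = int(value)
            elif tag + "s" in _LIST_KEYS:        # AllowedOrigin -> AllowedOrigins, etc.
                rule[tag + "s"].append(value)
        rules.append(rule)
    return rules


def parse_cors_json(text):
    """Load the JSON form and fill in any omitted keys."""
    rules = []
    for raw in json.loads(text):
        rule = {k: list(raw.get(k, [])) for k in _LIST_KEYS}
        rule["MaxAgeSeconds"] = raw.get("MaxAgeSeconds")
        rules.append(rule)
    return rules


def matches(pattern, value):
    """S3 wildcard match for origins and headers: at most one '*' per pattern."""
    if "*" not in pattern:
        return pattern == value
    prefix, suffix = pattern.split("*", 1)
    return (len(value) >= len(prefix) + len(suffix)
            and value.startswith(prefix) and value.endswith(suffix))


def evaluate_preflight(rules, origin, method, request_headers=()):
    """Return the CORS response headers S3 would send for this preflight,
    or None when no rule matches (the browser then blocks the request)."""
    wanted = [h.strip().lower() for h in request_headers if h.strip()]
    for rule in rules:
        if not any(matches(o, origin) for o in rule["AllowedOrigins"]):
            continue
        if method.upper() not in rule["AllowedMethods"]:
            continue
        allowed_headers = [a.lower() for a in rule["AllowedHeaders"]]
        if not all(any(matches(a, h) for a in allowed_headers) for h in wanted):
            continue
        response = {
            # A wildcard rule is answered with the literal '*', otherwise the Origin is echoed.
            "Access-Control-Allow-Origin": "*" if "*" in rule["AllowedOrigins"] else origin,
            "Access-Control-Allow-Methods": ", ".join(rule["AllowedMethods"]),
        }
        if wanted:
            response["Access-Control-Allow-Headers"] = ", ".join(wanted)
        if rule["ExposeHeaders"]:
            response["Access-Control-Expose-Headers"] = ", ".join(rule["ExposeHeaders"])
        if rule["MaxAgeSeconds"] is not None:
            response["Access-Control-Max-Age"] = str(rule["MaxAgeSeconds"])
        return response
    return None


if __name__ == "__main__":
    for name, text, parser in (("xml", XML_CORS, parse_cors_xml),
                               ("json", JSON_CORS, parse_cors_json),
                               ("hardened", HARDENED_JSON_CORS, parse_cors_json)):
        rules = parser(text)
        for origin, method, hdrs in (("https://app.example.com", "GET", []),
                                     ("https://app.example.com", "PUT", ["content-type"]),
                                     ("https://evil.example.org", "POST", ["x-amz-acl"])):
            print(name, origin, method, hdrs, "->", evaluate_preflight(rules, origin, method, hdrs))
```

Two things worth checking in your own rules with this: the JSON form above has AllowedHeaders empty, so any preflight that names a custom header (an x-amz-* header, for instance) is refused even though the origin and method match; and CORS is not access control, since a pre-signed URL works from curl regardless of these rules. Restricting AllowedOrigins limits which sites can drive a user's browser against the bucket, not who can use a leaked URL.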
