Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support authenticated S3 access for user assets #9684

Closed
3 tasks
mattkrick opened this issue Apr 29, 2024 · 1 comment · Fixed by #9697
Closed
3 tasks

Support authenticated S3 access for user assets #9684

mattkrick opened this issue Apr 29, 2024 · 1 comment · Fixed by #9697
Labels
Platform One Items that _must_ be addressed for Platform One
Milestone
S3 Bucket Security

Comments

@mattkrick
Copy link
Member

mattkrick commented Apr 29, 2024
edited
Loading

Requirements (for S3):

  • Parabol will only use a single S3 Bucket
  • Within that bucket, all assets in the /build directory (e.g. HTML, JS, CSS) are publicly accessible so users are able to visit the app and login
  • Within that bucket, all assets in the /store directory (e.g. user uploaded avatars) are only accessible to users logged into Parabol

Approach:

  • All asset URLs will get presigned before they are sent to the client. The presigned URL will have an expiration of 1 week.
  • Platform 1 will set an S3 Bucket policy that makes the /build directory public and the /store directory private. The AWS_SECRET_ACCESS_KEY will refer to an S3 User that has write permissions to that bucket
@mattkrick mattkrick added the Platform One Items that _must_ be addressed for Platform One label Apr 29, 2024
@jordanh jordanh added this to the S3 Bucket Security milestone Apr 29, 2024
@mattkrick mattkrick mentioned this issue May 1, 2024
Merged
@mattkrick
Copy link
Member Author

mattkrick commented May 1, 2024
edited
Loading

S3 Policies to implement

<<BUCKET>>:  name of the bucket in S3
<<ENV>>   :  name of the production environment, e.g. `pre-prod`, `production`, etc. it is the part following the last `/` in `CDN_BASE_URL`

BUCKET POLICY

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicBuild",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::<<BUCKET>>",
                "arn:aws:s3:::<<BUCKET>>/<<ENV>>/build/*"
            ]
        }
    ]
}

USER POLICY

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::<<BUCKET>>"]
    }
  ]
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Platform One Items that _must_ be addressed for Platform One
Projects
None yet
Milestone
S3 Bucket Security
Development

Successfully merging a pull request may close this issue.

feat: support private S3 buckets ParabolInc/parabol
2 participants
@jordanh @mattkrick