meta: Improve aws-node example readme

examples/aws-nodejs/README.md

@@ -8,42 +8,67 @@ Express.js). It uses presigned URL at the backend level.
 It's assumed that you are familiar with AWS, at least, with the storage service
 (S3) and users & policies (IAM).
 
-These instructions are **not fit for production** but tightening the security is
+These instructions are **not fit for production**, tightening the security is
 out of the scope here.
 
 ### S3 Setup
 
-- Create new S3 bucket in AWS (e.g. `aws-nodejs`).
-- Add a bucket policy.
-
-  ```json
-  {
-    "Version": "2012-10-17",
-    "Statement": [
-      {
-        "Sid": "PublicAccess",
-        "Effect": "Allow",
-        "Principal": "*",
-        "Action": "s3:GetObject",
-        "Resource": "arn:aws:s3:::aws-nodejs/*"
-      }
-    ]
-  }
-  ```
-
-- Make the S3 bucket public.
-- Add CORS configuration.
-
-  ```json
-  [
-    {
-      "AllowedHeaders": ["*"],
-      "AllowedMethods": ["GET", "PUT", "HEAD", "POST", "DELETE"],
-      "AllowedOrigins": ["*"],
-      "ExposeHeaders": []
-    }
-  ]
-  ```
+Assuming you’re trying to setup the user `MY-UPPY-USER` to put the uploaded
+files to the bucket `MY-UPPY-BUCKET`, here’s how you can allow `MY-UPPY-USER` to
+get STS Federated Token and upload files to `MY-UPPY-BUCKET`:
+
+1. Set CORS settings on `MY-UPPY-BUCKET` bucket:
+
+   ```json
+   [
+     {
+       "AllowedHeaders": ["*"],
+       "AllowedMethods": ["GET", "PUT", "HEAD", "POST", "DELETE"],
+       "AllowedOrigins": ["*"],
+       "ExposeHeaders": ["ETag", "Location"]
+     }
+   ]
+   ```
+
+2. Add the following Policy to `MY-UPPY-BUCKET`:
+
+   ```json
+   {
+     "Version": "2012-10-17",
+     "Statement": [
+       {
+         "Sid": "MyMultipartPolicyStatement1",
+         "Effect": "Allow",
+         "Principal": {
+           "AWS": "arn:aws:iam::*:user/MY-UPPY-USER"
+         },
+         "Action": [
+           "s3:PutObject",
+           "s3:PutObjectAcl",
+           "s3:ListMultipartUploadParts",
+           "s3:AbortMultipartUpload"
+         ],
+         "Resource": "arn:aws:s3:::MY-UPPY-BUCKET/*"
+       }
+     ]
+   }
+   ```
+
+3. Add the following Policy to `MY-UPPY-USER`: (if you don’t want to enable
+   signing on the client, you can skip this step)
+   ```json
+   {
+     "Version": "2012-10-17",
+     "Statement": [
+       {
+         "Sid": "MyStsPolicyStatement1",
+         "Effect": "Allow",
+         "Action": ["sts:GetFederationToken"],
+         "Resource": ["arn:aws:sts::*:federated-user/*"]
+       }
+     ]
+   }
+   ```
 
 ### AWS Credentials
 
@@ -55,21 +80,6 @@ You may use existing AWS credentials or create a new user in the IAM page.
   [environment variables](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/loading-node-credentials-environment.html)
   or a
   [credentials file in `~/.aws/credentials`](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/setting-credentials-node.html).
-- You will need at least `PutObject` and `PutObjectAcl` permissions.
-
-```json
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Sid": "VisualEditor0",
-      "Effect": "Allow",
-      "Action": ["s3:PutObject", "s3:PutObjectAcl"],
-      "Resource": "arn:aws:s3:::aws-nodejs/*"
-    }
-  ]
-}
-```
 
 ## Prerequisites
 
@@ -83,7 +93,7 @@ Add a `.env` file to the root directory and define the S3 bucket name and port
 variables like the example below:
 
 ```
-COMPANION_AWS_BUCKET=aws-nodejs
+COMPANION_AWS_BUCKET=MY-UPPY-BUCKET
 COMPANION_AWS_REGION=…
 COMPANION_AWS_KEY=…
 COMPANION_AWS_SECRET=…
@@ -104,6 +114,4 @@ corepack yarn workspace @uppy-example/aws-nodejs start
 
 Dashboard demo should now be available at http://localhost:8080.
 
-You have also a Drag & Drop demo on http://localhost:8080/drag.
-
 _Feel free to check how the demo works and feel free to open an issue._