Production AWS setup
Create an IAM user with programmatic access and do not grant that user any permissions yet. Make sure to download the credentials. Next, navigate to Policies and create a policy that can be attached directly to the user, so the programmatic user will ONLY have access to this specific S3 bucket. Create a customer managed policy with the following configuration (replace example.com with the name of your bucket, which you will create later) and give it a name you can quickly look up later:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::example.com"
    },
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::example.com",
        "arn:aws:s3:::example.com/*"
      ]
    }
  ]
}
```
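Before attaching the policy, it is worth checking offline what it actually grants. The script below is an added example, not part of this wiki or the project; it loads the policy document above (with the placeholder bucket example.com) and answers two questions a reviewer would ask: does any statement reach beyond the one bucket, and which bucket-management actions does `s3:*` hand out alongside object access? The action names `s3:DeleteBucket`, `s3:PutBucketPolicy` and `s3:PutBucketAcl` are real S3 actions; nothing else is taken from outside the page.

```python
# Added example (not part of this wiki or the project): an offline sanity check
# on the customer managed policy above, complementing the IAM policy simulator.
import fnmatch
import json

# The policy document as shown above, with the placeholder bucket example.com.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::example.com"
    },
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::example.com", "arn:aws:s3:::example.com/*"]
    }
  ]
}
"""

# Bucket-level management actions that "s3:*" on the bucket ARN also covers.
# Whether an upload-only user should hold them is the question this surfaces.
MANAGEMENT_ACTIONS = ("s3:DeleteBucket", "s3:PutBucketPolicy", "s3:PutBucketAcl")


def load_policy(text=POLICY_JSON):
    return json.loads(text)


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def bucket_arns(bucket):
    """The only two resource ARNs a bucket-scoped policy should ever name."""
    return {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}


def is_scoped_to_bucket(policy, bucket):
    """True when every Allow statement names only this bucket (or its objects)
    and only S3 actions. A "*" resource, a foreign ARN or a non-S3 action fails."""
    allowed = bucket_arns(bucket)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not all(a.lower().startswith("s3:") for a in _as_list(stmt["Action"])):
            return False
        if not set(_as_list(stmt["Resource"])) <= allowed:
            return False
    return True


def action_allowed(policy, action, resource):
    """Simplified IAM evaluation for one identity policy: an explicit Deny wins,
    otherwise any matching Allow grants. Wildcards are matched with fnmatch;
    action names are case-insensitive, ARNs are not."""
    granted = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                         for p in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, p)
                           for p in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt.get("Effect") == "Deny":
                return False
            granted = True
    return granted


def management_actions_granted(policy, bucket):
    """Bucket management actions the policy allows on the bucket itself."""
    arn = f"arn:aws:s3:::{bucket}"
    return [a for a in MANAGEMENT_ACTIONS if action_allowed(policy, a, arn)]


if __name__ == "__main__":
    policy = load_policy()
    print("scoped to example.com only:", is_scoped_to_bucket(policy, "example.com"))
    print("can PutObject into example.com:",
          action_allowed(policy, "s3:PutObject", "arn:aws:s3:::example.com/logo.png"))
    print("can PutObject into another bucket:",
          action_allowed(policy, "s3:PutObject", "arn:aws:s3:::other-bucket/logo.png"))
    print("management actions granted:", management_actions_granted(policy, "example.com"))
```

Run as-is it confirms the policy is confined to example.com, which is the property the page is after. It also shows that the second statement's `s3:*` lets the same credentials delete the bucket or rewrite its bucket policy; if the app only ever reads, writes and deletes objects, narrowing that statement to `s3:GetObject`, `s3:PutObject` and `s3:DeleteObject` on the `/*` ARN keeps the uploads working with less blast radius should the Heroku config vars ever leak.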
Next, attach that policy directly to the user (search for it by name, since it is a customer managed policy).
Once the policy is attached (feel free to use the IAM policy simulator to verify that it works), hop over to S3.
Create a bucket with the name you provided before (for me it's example.com). Navigate to the Permissions tab of the bucket and click on CORS configuration. Set the following CORS config (allow all origins) and click Save:
```json
[
  {
    "AllowedHeaders": [
      "*"
    ],
    "AllowedMethods": [
      "PUT",
      "POST",
      "DELETE"
    ],
    "AllowedOrigins": [
      "*"
    ],
    "ExposeHeaders": []
  }
]
```
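To see what the CORS rules above do and do not permit, here is an added example that is not part of this wiki or the project. It evaluates a cross-origin browser request against the page's rules the way S3 does (first matching rule wins, one `*` wildcard allowed per origin entry) and against an assumed tightened variant that names only the application's own origin; `https://app.example.com` is a placeholder origin, not a value from the page. Keep in mind that CORS only governs what a browser may send cross-origin: whether the request is then authorised is decided by the IAM policy (or a presigned URL), not by this configuration.

```python
# Added example (not part of this wiki or the project): an offline walk-through
# of the S3 CORS rules above and of a tightened variant.
import fnmatch
import json

# The CORS configuration as shown above (allow all origins).
CORS_OPEN = json.loads("""
[
  {
    "AllowedHeaders": ["*"],
    "AllowedMethods": ["PUT", "POST", "DELETE"],
    "AllowedOrigins": ["*"],
    "ExposeHeaders": []
  }
]
""")

# Assumed tightened variant: same methods, but only the application's own
# origin. https://app.example.com is a placeholder, not a value from the page.
CORS_RESTRICTED = [
    {
        "AllowedHeaders": ["*"],
        "AllowedMethods": ["PUT", "POST", "DELETE"],
        "AllowedOrigins": ["https://app.example.com"],
        "ExposeHeaders": [],
    }
]


def matching_rule(rules, origin, method, request_headers=()):
    """Return the first rule under which S3 would answer a cross-origin request
    (S3 evaluates rules in order and uses the first match), or None.
    AllowedOrigins entries may contain a "*" wildcard; header names are
    compared case-insensitively against AllowedHeaders."""
    for rule in rules:
        if method.upper() not in rule["AllowedMethods"]:
            continue
        if not any(fnmatch.fnmatchcase(origin, pat) for pat in rule["AllowedOrigins"]):
            continue
        header_pats = [h.lower() for h in rule.get("AllowedHeaders", [])]
        if not all(any(fnmatch.fnmatchcase(h.lower(), pat) for pat in header_pats)
                   for h in request_headers):
            continue
        return rule
    return None


def is_allowed(rules, origin, method, request_headers=()):
    """True when some rule lets a browser page at `origin` issue `method`."""
    return matching_rule(rules, origin, method, request_headers) is not None


def allows_any_origin(rules):
    """True when some rule accepts every origin, as the page's config does."""
    return any("*" in rule["AllowedOrigins"] for rule in rules)


if __name__ == "__main__":
    for name, rules in (("open", CORS_OPEN), ("restricted", CORS_RESTRICTED)):
        print(f"{name}: accepts any origin = {allows_any_origin(rules)}")
        for origin in ("https://app.example.com", "https://other.example"):
            for method in ("PUT", "GET"):
                ok = is_allowed(rules, origin, method, ["content-type"])
                print(f"  {origin} {method}: {ok}")
```

Two things the run makes visible. Under the page's config any web origin may issue browser-side PUT, POST and DELETE requests to the bucket, so the credentials and policy from the previous step carry the whole access-control burden; the restricted variant limits that surface to the app itself. And because GET is not in AllowedMethods, a cross-origin script fetch of an object would be refused by the browser, while a plain `<img>` tag or a non-browser client is not subject to CORS at all, so the uploaded logo still renders.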
Hopefully everything is set correctly and your user is able to programmatically access that specific S3 bucket (and only that one). Now go to Heroku and set the following config vars related to S3 (replace the `foo` placeholders with the credentials you downloaded for the user):

```
AWS_ACCESS_KEY_ID=foo
AWS_SECRET_ACCESS_KEY=foo
AWS_REGION=us-east-1
AWS_BUCKET=example.com
```
To test that storage works, log in to the admin panel (yourdomain.com/admin) and then click on Web settings to upload a company logo/favicon: