Permissions of files on s3
I have a bucket on S3 named xyz. Inside the bucket I have an HTML file at 786/html/index.html and multiple images inside 786/html/images/. The folders and files have full-control permissions for the owner. I am using the aws ruby-sdk to generate the URL for 786/html/index.html and the page is working fine, but the images at 786/html/images are not being rendered in 786/html/index.html. It is giving me the following error in the browser console:
Failed to load resource: the server responded with a status of 403 (Forbidden)
Now I gave public read permission to 786/html/images. 786 and 786/html have permissions for the owner only. Now 786/html/index.html is able to render the images, but the images are also accessible by public_url. I am confused, as 786 and 786/html do not have public permissions, yet the images are still accessible.
A possible solution could be to append the AwsAccessKey and signature to the source of each image inside index.html. But as we have multiple images, we need to have a generic signature.
Suggestions needed
Thanks, Apurva Mayank
S3 is an object store. It is not a hierarchical filesystem and does not actually have "folders."
Object keys can have prefixes which are delimited by convention with /.
This gives the illusion of folders, but this isn't the same as there being an actual hierarchy. Every object's permissions are independent, subject to policies (which can also include prefix references).
But to say "786 and 786/html does not have public permission" but "786/html/images" does have public permission has no meaning in S3 since the objects "under" those "folders" are not actually associated with them.
Whatever you are using to work with your bucket may be giving you an impression that things are otherwise, or may be manipulating permissions of objects "in a folder" and giving you the impression that these permissions are inherited.
If your intention is to make the html file viewable only with a signed URL, or to make the images visible only with the page (and not downloadable on their own) then your code will also need to fully-qualify and sign the urls for the embedded images (and the file, if you want that to be private as well).
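The per-image signing described in the answer above, as an added example that is not part of the original post: each relative `<img src>` is resolved to its full object key and given its own short-lived SigV4 presigned URL, so the objects can stay private. It uses only the Ruby standard library so it runs offline (the AWS SDK's `Aws::S3::Presigner` does this job in practice); the function names, the global endpoint host, the sample HTML and the credentials are assumptions made for illustration.

```ruby
require 'openssl'

# Percent-encode per SigV4 rules (RFC 3986 unreserved set); keep "/" in object paths.
def esc(str, path: false)
  unsafe = path ? %r{[^A-Za-z0-9\-._~/]} : /[^A-Za-z0-9\-._~]/
  str.b.gsub(unsafe) { |c| format('%%%02X', c.ord) }
end

# Build a time-limited SigV4 presigned GET URL for one private object.
def presign_get(bucket:, key:, access_key:, secret_key:, region:, expires:, now: Time.now.utc)
  date  = now.strftime('%Y%m%d')
  stamp = now.strftime('%Y%m%dT%H%M%SZ')
  host  = "#{bucket}.s3.amazonaws.com" # assumption: global virtual-hosted endpoint
  scope = "#{date}/#{region}/s3/aws4_request"
  query = {
    'X-Amz-Algorithm'     => 'AWS4-HMAC-SHA256',
    'X-Amz-Credential'    => "#{access_key}/#{scope}",
    'X-Amz-Date'          => stamp,
    'X-Amz-Expires'       => expires.to_s,
    'X-Amz-SignedHeaders' => 'host'
  }.sort.map { |k, v| "#{esc(k)}=#{esc(v)}" }.join('&')
  path = "/#{esc(key, path: true)}"
  canonical = ['GET', path, query, "host:#{host}", '', 'host', 'UNSIGNED-PAYLOAD'].join("\n")
  to_sign = ['AWS4-HMAC-SHA256', stamp, scope, OpenSSL::Digest::SHA256.hexdigest(canonical)].join("\n")
  # Derive the signing key: HMAC chain over date, region, service, terminator.
  signing_key = [date, region, 's3', 'aws4_request']
                .inject("AWS4#{secret_key}") { |k, part| OpenSSL::HMAC.digest('sha256', k, part) }
  signature = OpenSSL::HMAC.hexdigest('sha256', signing_key, to_sign)
  "https://#{host}#{path}?#{query}&X-Amz-Signature=#{signature}"
end

# Rewrite relative <img src="..."> values into presigned URLs under key_prefix.
def sign_image_srcs(html, key_prefix:, **s3)
  html.gsub(/(<img\b[^>]*?\bsrc=")([^"]+)"/) do
    tag, src = $1, $2
    unless src.match?(%r{\A(?:[a-z][a-z0-9+.-]*:|//)}i) # leave absolute URLs alone
      src = presign_get(key: key_prefix + src, **s3).gsub('&', '&amp;')
    end
    %(#{tag}#{src}")
  end
end

# Constructed sample page; the credentials below are placeholders, not real keys.
SAMPLE_HTML = '<img src="images/a.jpg"><img alt="b" src="images/b c.png">' \
              '<img src="https://example.com/x.png">'
if $PROGRAM_NAME == __FILE__
  puts sign_image_srcs(SAMPLE_HTML, key_prefix: '786/html/', bucket: 'xyz', region: 'us-east-1',
                       access_key: 'AKIAEXAMPLE', secret_key: 'EXAMPLESECRET', expires: 300)
end
```

Anyone who obtains a signed URL can fetch that object until it expires, so keep `expires` short and generate the page per request rather than storing the rewritten HTML.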
When you create the image add the following header:
x-amz-acl: public-read
More on ACLs here:
http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl
Also, if you find the Content-Type is wrong a header will solve this.
Content-Type: image/jpeg