First of all, set up your AWS account and log in to the AWS Management Console. Then create any bucket you want.
The next step is to add a new IAM user: go to https://console.aws.amazon.com/iam/home?#users, select Users and click the Create new user button.
![iam_create](http://tom.meinlschmidt.org/wp-content/uploads/2014/06/iam_create.png)
Click Create and copy/paste or download your access keys.
![iam_access](http://tom.meinlschmidt.org/wp-content/uploads/2014/06/iam_access.png)
Then close the window and click the Summary tab. You'll need to copy the ARN of this user.
![iam_summary](http://tom.meinlschmidt.org/wp-content/uploads/2014/06/iam_summary.png)
s3cmd
To be able to sync folders and/or use the s3cmd command-line tool, you need to set up some more policies. Click the Permission tab and then Attach User Policy. Then choose Policy Generator and follow these steps:
Set permissions as shown in the following image: we need ListAllMyBuckets for `arn:aws:s3:::*`, and ListBucket and PutObject for the one specified bucket.
![user_policy_editor](http://tom.meinlschmidt.org/wp-content/uploads/2014/06/user_policy_editor.png)
Click Continue and save the new policy.
![set_permission](http://tom.meinlschmidt.org/wp-content/uploads/2014/06/set_permission.png)
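You can always edit the policy using Manage Policy. You should end up with this kind of policy file:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1402603222000",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid": "Stmt1402603306000",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::sample_bucket",
        "arn:aws:s3:::sample_bucket/*"
      ]
    }
  ]
}
```

The second statement lists two resources because `s3:ListBucket` is evaluated against the bucket ARN itself (`arn:aws:s3:::sample_bucket`), while `s3:PutObject` is evaluated against object ARNs (`arn:aws:s3:::sample_bucket/*`).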
That's all. Let's move on to the bucket policy.
Bucket policy
Now you can open the Policy Generator at http://awspolicygen.s3.amazonaws.com/policygen.html and start adding new items.
First of all, select your policy type – S3
![policy_select_type](http://tom.meinlschmidt.org/wp-content/uploads/2014/06/policy_select_type.png)
and then fill in the new policy. We need two statements: one for all users to read objects (GetObject) and a second for your new user, to be able to upload, delete and get objects as well.
![public_policy_form](http://tom.meinlschmidt.org/wp-content/uploads/2014/06/public_policy_form.png)
and click Add Statement. The list below the form should look like this:
![public_policy_list](http://tom.meinlschmidt.org/wp-content/uploads/2014/06/public_policy_list.png)
Now add your user the same way. As the principal, enter the user's ARN (which you copied before) and add the Actions as shown below.
![policy_user](http://tom.meinlschmidt.org/wp-content/uploads/2014/06/policy_user.png)
All set. Click the Generate Policy button and copy the freshly generated JSON policy to your clipboard:

```json
{
  "Id": "Policy1402594421281",
  "Statement": [
    {
      "Sid": "Stmt1402593998750",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::sample_bucket/*",
      "Principal": {
        "AWS": [
          "*"
        ]
      }
    },
    {
      "Sid": "Stmt1402594323930",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::sample_bucket/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::024698735884:user/sample_user"
        ]
      }
    }
  ]
}
```

The last step is to add this policy to the bucket. Go back to your S3 console (https://console.aws.amazon.com/s3/home), click the magnifying glass icon next to the bucket name and open the Permission section. Click Edit Bucket Policy and paste the generated policy into that window. Save and you're done.
![bucket_permission](http://tom.meinlschmidt.org/wp-content/uploads/2014/06/bucket_permission.png)
You’ll need API keys for use with Paperclip or any other S3 storage engine, so keep them safe.
PS: if you plan to use S3 as storage for your static files, avoid underscores in your bucket name, as they are not valid in an FQDN. 'sample_bucket' was used only as an example; in the real world you should use 'sample-bucket'.
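
An added example (not part of the original post): a small Python check you can run over policy JSON like the two documents above before pasting it into the console. It reports statements that grant access to everyone, bucket-level actions that have no bucket ARN to apply to, and bucket names that are not DNS-compliant. The function names, the `BUCKET_LEVEL` subset and the sample statements are constructed for illustration; the sample deliberately pairs `s3:ListBucket` with an object-only ARN to trigger that finding.

```python
import json
import re

# Actions evaluated against the bucket ARN rather than object ARNs (subset).
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads"}
# Bucket names usable as a DNS label: lowercase letters, digits, dots, hyphens.
DNS_NAME = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_public(principal):
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in as_list(aws)

def lint_policy(policy):
    """Return (sid, finding) tuples for every Allow statement in a policy."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "?")
        actions = as_list(stmt.get("Action", []))
        # Strip the "arn:aws:s3:::" prefix, leaving "bucket" or "bucket/key".
        paths = [arn.split(":::", 1)[-1] for arn in as_list(stmt.get("Resource", []))]
        for bucket in sorted({p.split("/", 1)[0] for p in paths}):
            if "*" not in bucket and not DNS_NAME.match(bucket):
                findings.append((sid, f"bucket name {bucket} is not DNS-compliant"))
        if not any("/" not in p for p in paths):
            for action in actions:
                if action in BUCKET_LEVEL:
                    findings.append((sid, f"{action} needs the bucket ARN, only object ARNs given"))
        if is_public(stmt.get("Principal")):
            findings.append((sid, "anyone may call: " + ", ".join(actions)))
    return findings

# Constructed sample: two statements shaped like the policies in this post.
SAMPLE = json.loads("""
{"Statement": [
  {"Sid": "UserUpload", "Effect": "Allow", "Action": ["s3:ListBucket", "s3:PutObject"],
   "Resource": ["arn:aws:s3:::sample_bucket/*"]},
  {"Sid": "PublicRead", "Effect": "Allow", "Action": ["s3:GetObject"],
   "Resource": "arn:aws:s3:::sample_bucket/*", "Principal": {"AWS": ["*"]}}
]}
""")

if __name__ == "__main__":
    for sid, finding in lint_policy(SAMPLE):
        print(f"{sid}: {finding}")
```

A public `s3:GetObject` finding is expected for a bucket that serves static files; any other action appearing in an "anyone may call" line deserves a second look.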