docs: Include full policy for avatars and uploads buckets.

The documentation included the full policy for the file uploads bucket, but only one additional statement for the avatars bucket; the reader needed to assemble the full policy themselves. Switch to explicitly providing the full policy for both. Fixes #23110.
2025-11-03 05:23:35 +00:00 · 2022-11-18 12:05:56 -05:00
parent d276fe4a01
commit 8d2e1ad145
1 changed files with 49 additions and 20 deletions
--- a/docs/production/upload-backends.md
+++ b/docs/production/upload-backends.md
@@ -77,11 +77,12 @@ below for those steps.

 ## S3 bucket policy

-The best way to do the S3 integration with Amazon is to create a new
-IAM user just for your Zulip server with limited permissions. For
-each of the two buckets, you'll want to
-[add an S3 bucket policy](https://awspolicygen.s3.amazonaws.com/policygen.html)
-entry that looks something like this:
+The best way to do the S3 integration with Amazon is to create a new IAM user
+just for your Zulip server with limited permissions. For both the user uploads
+bucket and the user avatars bucket, you'll need to adjust the [S3 bucket
+policy](https://awspolicygen.s3.amazonaws.com/policygen.html).
+
+The file uploads bucket should have a policy of:

 ```json
 {
@@ -114,25 +115,53 @@ entry that looks something like this:
 }
 ```

-The avatars bucket is intended to be world-readable, so you'll also
-need a block like this:
-
-```json
-{
-    "Sid": "Stmt1468991795389",
-    "Effect": "Allow",
-    "Principal": {
-        "AWS": "*"
-    },
-    "Action": "s3:GetObject",
-    "Resource": "arn:aws:s3:::BUCKET_NAME_HERE/*"
-}
-```
-
 The file-uploads bucket should not be world-readable. See the
 [documentation on the Zulip security model](security-model.md) for
 details on the security model for uploaded files.

+However, the avatars bucket is intended to be world-readable, so its
+policy should be:
+
+```json
+{
+    "Version": "2012-10-17",
+    "Id": "Policy1468991802322",
+    "Statement": [
+        {
+            "Sid": "Stmt1468991795380",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "ARN_PRINCIPAL_HERE"
+            },
+            "Action": [
+                "s3:GetObject",
+                "s3:DeleteObject",
+                "s3:PutObject"
+            ],
+            "Resource": "arn:aws:s3:::BUCKET_NAME_HERE/*"
+        },
+        {
+            "Sid": "Stmt1468991795381",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "ARN_PRINCIPAL_HERE"
+            },
+            "Action": "s3:ListBucket",
+            "Resource": "arn:aws:s3:::BUCKET_NAME_HERE"
+        },
+        {
+            "Sid": "Stmt1468991795382",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "*"
+            },
+            "Action": "s3:GetObject",
+            "Resource": "arn:aws:s3:::BUCKET_NAME_HERE/*"
+        }
+    ]
+}
+```
+
 ## Migrating from local uploads to Amazon S3 backend

 As you scale your server, you might want to migrate the uploads from