
S3 Access Policies and MinIO client 2023-06-28

Learning to configure access policies the hard way


When you want to use your MinIO S3 server as a makeshift CDN, as I talked about in the previous post, you have to make sure you set up your Access Policies properly.

If you do what people say on the internet and run mc anonymous set download, you are in big trouble, because:

  • it shows your bucket's file listing
  • it allows file modification, deletion and upload

How do I know that? Yeah, accidentally removing a bunch of files makes you think about stuff… Good thing I had my backups in place.

What you really need is to set something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": ["*"]
      },
      "Action": ["s3:GetBucketLocation"],
      "Resource": ["arn:aws:s3:::bucket"]
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": ["*"]
      },
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::bucket/*"]
    }
  ]
}

You can either use the MinIO web GUI to update the policy, or save it to a JSON file and apply it with mc anonymous set-json.
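To check a policy before applying it, the following added example (not code from the original post) lists every action an anonymous Allow statement grants beyond the two read-only actions used above. The function names and the over-permissive sample policy are constructed for illustration; Condition and NotAction elements are not evaluated.

```python
import fnmatch
import json

# Actions the post's read-only policy grants to anonymous users (lowercased).
SAFE = {"s3:getbucketlocation", "s3:getobject"}
# Representative risky actions used to expand wildcards; not an exhaustive list.
RISKY = {"s3:listbucket", "s3:putobject", "s3:deleteobject"}


def as_list(value):
    return value if isinstance(value, list) else [value]


def is_anonymous(principal):
    # "*", {"AWS": "*"} and {"AWS": ["*"]} all mean "anyone, unauthenticated".
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS", []))
    return principal == "*"


def risky_anonymous_actions(policy_json):
    """Return the sorted actions an anonymous Allow grants beyond SAFE."""
    found = set()
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_anonymous(stmt.get("Principal")):
            continue
        for action in as_list(stmt.get("Action", [])):
            pattern = action.lower()
            expanded = {a for a in RISKY if fnmatch.fnmatchcase(a, pattern)}
            if not expanded and pattern not in SAFE:
                expanded = {pattern}  # action or wildcard outside the read-only set
            found |= expanded
    return sorted(found)


# The policy from the post, compacted.
POST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ["*"]},
     "Action": ["s3:GetBucketLocation"], "Resource": ["arn:aws:s3:::bucket"]},
    {"Effect": "Allow", "Principal": {"AWS": ["*"]},
     "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::bucket/*"]}]})
# Constructed over-permissive policy for contrast (not from any real server).
WIDE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": ["s3:ListBucket", "s3:*Object"],
     "Resource": ["arn:aws:s3:::bucket", "arn:aws:s3:::bucket/*"]}]})

if __name__ == "__main__":
    print("post policy:", risky_anonymous_actions(POST_POLICY))
    print("wide policy:", risky_anonymous_actions(WIDE_POLICY))
```

An empty list means anonymous users can only fetch objects whose key they already know.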
