[Suggestion]: Update Docs about bucket permissions

[tyrauber]

Amazing piece of software! Seriously. Excellent performance. Easy deployment. 👍

Ran into one issue that took me a few minutes to figure out. If you want to lock down bucket access you need to specific the ApiGateway as the principal not the cloudfront arn. Duh. An example policy like so works:

{
    "Version": "2012-10-17",
    "Id": "PolicyForCloudFrontApiGatewayPrivateContent",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "Service": "apigateway.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::BUCKET_NAME/*"
        }
    ]
}

Although, perhaps you have additional suggestions for bucket security.

Just thought I'd point it out the issue as it tripped me up. Might be worth updating the docs.

Thanks again.

[Mosnar]

Thanks, glad you're enjoying the project! So, I was reviewing this and I realized that the deployment already automatically creates a role and inline policy to "GetObject" on your bucket and that role gets applied the the lambda function. I'm not exactly sure why adding the policy to allow an ApiGateway to access a bucket would make a difference since the ApiGateway doesn't serve content directly from the bucket - everything gets proxied through your Lambda function. Perhaps there's something unique about your setup that's making this necessary?

I did a test deployment where I created a new bucket with all of the defaults ticked (restrict all access) and made a deployment and was able to generate transforms from that bucket. Let me know if you have any additional info that could help me better understand what's going on here.

[tyrauber]

@Mosnar Could it be that we needed to use an existing bucket?

We've deployed this in our staging environment and are preparing to roll this out on production. We've got a lot of images and do a lot of page / image requests. Our team has pointed out a few bugs, but I'll investigate and open new issues if it is library related. I might even dig in and submit a PR or two if I can. The environment is a pleasure to work in.

[Mosnar]

Let's leave this open until we can figure out how to reproduce the issue from scratch - I'd rather people not have to worry about this at all.

[tyrauber]

I could be wrong, but I think the issues stems directly from migrating from an existing bucket in a live environment. I ran a fresh install without an existing bucket and I didn't have this issue.

To replicate the issue:

1. create an s3 bucket (any permissions will do, I believe. It won't overwrite the existing permissions). For the sake of this example though, set the policy to private.
2. update settings.yml to point to that bucket
3. deploy

The Gateway shouldn't be able to access the image. If you like, I can run through the steps again to confirm.