I need to issue pre-signed URLs for allowing users to GET and PUT files into a specific S3 bucket. I created an IAM user and use its keys to create the pre-signed URLs, and
After messing with IAM permissions for about a week, this worked. My goal was to create a presigned_url to read an S3 image (and not expire until the max 7 days).
KMS and S3 are needed.
STS may not be needed but I was messing with the "assume_role" function too.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:DescribeKey",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*"
            ],
            "Resource": [
                "arn:aws:kms:*::key/*",
                "arn:aws:s3:::/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "sts:GetSessionToken",
                "sts:DecodeAuthorizationMessage",
                "sts:GetAccessKeyInfo",
                "sts:GetCallerIdentity",
                "sts:GetServiceBearerToken"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "sts:*",
            "Resource": [
                "arn:aws:iam:::",
                "arn:aws:iam:::user/"
            ]
        }
    ]
}
Here's the function that uses this user's credentials:
import boto3
from botocore.config import Config

# SigV4 is required for presigned URLs on buckets that use SSE-KMS.
my_config = Config(
    region_name='us-east-2',
    signature_version='s3v4',
    s3={'addressing_style': 'path'},
)

# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY are the keys of the IAM user
# holding the policy above; bucket_name and key_name are defined elsewhere.
client = boto3.client(
    's3',
    config=my_config,
    aws_access_key_id=AWS_ACCESS_KEY_ID,
    aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
)

# 604800 seconds = 7 days, the maximum lifetime of a SigV4 presigned URL.
presigned_url = client.generate_presigned_url(
    'get_object',
    Params={'Bucket': bucket_name, 'Key': key_name},
    ExpiresIn=604800,
    HttpMethod=None,
)