From 36a83cc4f9d00732b1cec97c9bff4427a61025b1 Mon Sep 17 00:00:00 2001 From: David Huerta Date: Fri, 7 Apr 2017 17:29:21 -0400 Subject: [PATCH] Update Heroku-guide.md Removing some of the confusion around what format S3 bucket names and regions should be entered as well as providing an example of an S3 policy that follows best security practices for this sort of thing. --- docs/Running-Mastodon/Heroku-guide.md | 34 +++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/docs/Running-Mastodon/Heroku-guide.md b/docs/Running-Mastodon/Heroku-guide.md index 754f923ed..16f6930e4 100644 --- a/docs/Running-Mastodon/Heroku-guide.md +++ b/docs/Running-Mastodon/Heroku-guide.md @@ -39,6 +39,40 @@ You will want Amazon S3 for file storage. The only exception is for development purposes, where you may not care if files are not saved. Follow a guide online for creating a free Amazon S3 bucket and Access Key, then enter the details. +If you deploy from the web, the format for all the S3 bits use Paperclip conventions: + +S3 Bucket is just the name of the bucket, e.g. `bucketname` not the full ARN. + +S3 Region is the AWS code for the region e.g. `ap-northeast-1` not the name of the city displayed on the AWS Dashboard. + +To protect the privacy of the users of the your instance, you should have permissons on the your S3 bucket set to no-read and no-write for the public and non-application-specific AWS users, with only one authorized IAM user or group set up to be able to upload or display content. This is an example of an IAM policy used for the S3 bucket used Mastadon instance hentai.loan: + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:ListAllMyBuckets" + ], + "Resource": [ + "arn:aws:s3:::*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "s3:*" + ], + "Resource": [ + "arn:aws:s3:::hentailoan”, + "arn:aws:s3:::hentailoan/*" + ] + } + ] + } + + ## Deployment You can deploy from the Heroku web interface or from the command line. Run: