N
Novu9mo ago
todd

S3 (Self-Hosting) bucket policy

Having used the documentation site to look for this answer (by the way, great search approach!), I can't find documentation on the setup of an AWS S3 bucket that includes the entire setup of policies. I can see CORS although that probably be more restrictive in production. I see in the source it looks to require 'public-read' for example. Do you have a recommended production settings?
9 Replies
Pawan Jain
Pawan Jain9mo ago
Hi @todd We use S3 primarily for two things, brand logo storage and email attachment storage So you can create a s3 bucket with create, read bucket + create, read and delete object permissions
Zac Clifton
Zac Clifton9mo ago
We would recommend to use {"Action": ["s3:*"]} as Novu needs to be able to run full CRUD. We have also not invested much of time in ensuring "proper" aws recommended use of this bucket as there are many other priorities we want to work on.
todd
todd9mo ago
@Zac Clifton thanks for response. Here are some of my notes for future reference if anyone is interested. Feel free to correct any mistakes or make clarifications. General design: - public read access (for logo and email attachments—all data is open for read to anyone) - write access is via pre-signed url (client-side PUT to S3 after server-side request) - private write access (get, put, delete) [<-- not sure you actually need list actions in policy] - objects are written with organisationIdTenancy/objectId (at least for brand logos) Specifics for access: - CORS access on bucket (this is documented) - bucket object do not need versioning (as all uploads are deemed unique) - ACL on buckets is 'public-read' (as part of the pre-signed URLs) - image uploads (as pre-signed) could also have rules to limit (DENY policy) on extension types (although UI also does this but leaves open a vector) - AWS (specific): ensure that Allow owenership controls is 'BucketOwnerPreferred' to allow ACL access (rather than role/user) (ie PutObjectAcl)
todd
todd9mo ago
Here is an example extract of some terraform for provisioning aws s3 bucket

novu-s3-example-extr...

Zac Clifton
Zac Clifton9mo ago
@todd You rock man, would you kindly do us a favor and make a PR to our docs repository otherwise this will get barried. https://github.com/novuhq/docs If you are unable, let me know and I can move it in instead. if you are able, Please add my github user @cliftonz and reference this discord thread so I know its not a regular hacktoberfest PR. Again Thank you so much for the detailed documentation!
Linear
Linear9mo ago
Issue DVRL-43 created.
DVRL-43 - s3 bucket policy in self-hosting
Status
Triage
DevRel
Zac Clifton
Zac Clifton9mo ago
@todd I have some time today, I will go ahead and take this documentation and merge it in.
todd
todd9mo ago
@Zac Clifton That would be rally great thanks. Agreed not to loose it. Like everyone struggling I'm struggling with workloads and the previous post was already an hour out of my day. Happy to review changes. There is the wider decision context for self-hosting on S3: - Provider: eg aws, gc, azure? and then other options - sorry ignorance - Deployment: terraform, cli Also, there are the wider design decisions that I think are important to convey that aren't about self hosting (eg the use of pre-signed urls rather than API-based proxy—I couldn't see where the indexing/key generation mechanism was)
Prosper
Prosper8mo ago
Just merged in @Zac Clifton's PR about this, we should have this live in a bit on the docs. Thanks @todd for this amazing contribution
Want results from more Discord servers?
Add your server
More Posts
Chat OverlayNot in the best place, cant click next:Change admin passwordHi all, I wanted to change the user's password, but I couldn't find a method for this in the web. CoAutomated repeatable way of deploying multiple instances of Novu with the same baseline configI'm looking for a way of having multiple instances of Novu deployed on separate hosts with the same Custom SMTP with HostGator Not sending emailsIf you configure a custom SMTP and your hosting privider is HostGator, the emails are not sent out. notification feed more than 10I want to get feed for a specific subscriberId with a filter where seen is false and page count is aReplyError: CROSSSLOT Keys in request don't hash to the same slotHi all, We recently upgraded to the latest Novu release (we were stuck to the last release without AWS InvalidClientTokenId errorI am using AWS key and secret access key and trying to send an email notification but getting { "nCan a SMS message be populated from the payload?I'm trying to build a straightforward workflow to send SMS messages. The goal is to have the messageMongoDb (Atlas) database/collections provisioningWith mongodb, I am struggling to see a database/collections. Locally as development docker-composeModificate message objectWe would like to be able to receive variables that are created in Novu when forming a message...