
Security Policies

IAUP needs write access to the bucket to upload the resource pack, while clients only need read access, either through public delivery (a bucket policy that allows anonymous GetObject) or through presigned URLs. Keep those two concerns separate: clients never see the upload credential, and the upload credential gets nothing beyond what the upload needs.

  • Use a dedicated upload credential (an IAM user or role used only by IAUP), never your account's root or admin keys.
  • Scope the credential to the ItemsAdder object prefix (arn:aws:s3:::<bucket-name>/itemsadder/*), not the whole bucket.
  • Avoid delete permission unless cleanup needs it; an upload-only key cannot be used to wipe the pack.
  • Rotate keys on a schedule, and revoke a key immediately if it leaks.
  • Do not commit real credentials to the plugin config or to a repository.
Bucket policy for public delivery (attached to the bucket; only needed if clients fetch the pack directly rather than through presigned URLs). The bucket's Block Public Access settings must permit public bucket policies, otherwise this policy is rejected or ignored:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::<bucket-name>/*"]
      }
    ]
  }

Identity policy for the upload credential (attached to the IAM user or role IAUP runs as; identity policies carry no Principal). s3:GetObject is included because a presigned GET URL is only valid if the credential that signed it is itself allowed to read the object:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject"],
        "Resource": ["arn:aws:s3:::<bucket-name>/itemsadder/*"]
      }
    ]
  }

If the plugin is configured with acl: "none", no ACL is sent with the upload and s3:PutObjectAcl can be dropped from the Action list. Note that buckets with Object Ownership set to "Bucket owner enforced" (the default for new buckets) have ACLs disabled and reject uploads that specify any ACL other than bucket-owner-full-control, so acl: "none" is the correct setting there.
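The following is an added example, not IAUP's own code, that turns the rules above (dedicated credential, prefix scope, no delete, PutObjectAcl only when an ACL is set) into something you can run before attaching a policy: it generates the scoped identity policy for a given bucket and prefix, and lints an existing policy document against the same rules. The bucket name example-bucket, the default prefix itemsadder/ and the acl parameter are assumptions for illustration.

```python
"""Generate and lint the IAM identity policy for the IAUP upload credential.

Added example, not part of IAUP. Bucket name, prefix and the acl setting are
assumptions matching the policy shown above; adjust them to your deployment.
"""
import json

# Actions the upload credential legitimately needs. s3:GetObject is kept so the
# same credential can sign presigned GET URLs; PutObjectAcl only when an ACL is set.
UPLOAD_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl", "s3:GetObject"}
# Any of these lets the credential destroy pack objects; avoid unless cleanup needs it.
DELETE_ACTIONS = {"s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket"}


def _as_list(value):
    """IAM accepts a single string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def make_upload_policy(bucket, prefix="itemsadder/", acl="none"):
    """Build the identity policy for the dedicated upload credential, scoped to one prefix."""
    actions = ["s3:PutObject", "s3:GetObject"]
    if acl != "none":
        # Only an upload that sets an ACL header needs s3:PutObjectAcl.
        actions.insert(1, "s3:PutObjectAcl")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": actions,
            "Resource": [f"arn:aws:s3:::{bucket}/{prefix}*"],
        }],
    }


def check_upload_policy(policy, bucket, prefix="itemsadder/", acl="none"):
    """Lint an identity policy against the rules above. Returns a list of findings; empty means OK."""
    findings = []
    expected = f"arn:aws:s3:::{bucket}/{prefix}*"
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not flagged here.
        if "Principal" in stmt:
            findings.append(f"statement {i}: identity policies must not carry a Principal")
        actions = set(_as_list(stmt.get("Action", [])))
        for action in sorted(actions):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action in DELETE_ACTIONS:
                findings.append(f"statement {i}: delete permission {action!r}")
            elif action == "s3:PutObjectAcl" and acl == "none":
                findings.append(f"statement {i}: s3:PutObjectAcl is unnecessary with acl: none")
            elif action not in UPLOAD_ACTIONS:
                findings.append(f"statement {i}: action {action!r} is not needed for uploads")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource != expected:
                findings.append(f"statement {i}: resource {resource!r} is not scoped to {expected!r}")
    return findings


if __name__ == "__main__":
    # Constructed input: a generated policy should pass cleanly.
    good = make_upload_policy("example-bucket", acl="none")
    print(json.dumps(good, indent=2))
    print(check_upload_policy(good, "example-bucket"))  # []

    # Constructed input: the over-broad policy that appears when an admin snippet is pasted.
    bad = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": ["arn:aws:s3:::example-bucket/*"],
        }],
    }
    for finding in check_upload_policy(bad, "example-bucket"):
        print(finding)
```

Run the linter against the JSON you are about to attach (json.load it and pass the dict); a non-empty result means the credential is broader than the upload needs. The check is deliberately strict about the Resource ARN: a bucket-wide /* or a different prefix is reported even when the actions are fine.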