Create publicly readable S3 Bucket and access token to use from app via API

3 December 2025 - Thomas Damgaard

Create the bucket

In AWS Console, open the S3 service.

Click Create Bucket.

Enter Name and Region.

Under Object Ownership, select ACLs enabled. This is sometimes needed for legacy public access, though a bucket policy is the preferred method.

Under Block Public Access settings for this bucket, uncheck “Block all public access” and confirm the warning.

Click Create bucket.

Add a Bucket Policy (Public Read Access)

Open the new bucket and go to the Permissions tab.

Scroll to the Bucket policy section and click Edit.

Paste the following JSON, replacing your-bucket-name with your actual bucket name:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "PublicReadGetObject",
			"Effect": "Allow",
			"Principal": "*",
			"Action": "s3:GetObject",
			"Resource": "arn:aws:s3:::your-bucket-name/*"
		}
	]
}

Click Save.

Confirm the warning that the bucket is public.

Create IAM User and Access Key

In the AWS Console, open the IAM service.

Go to Policies and click Create policy.

Select the JSON tab and paste the following, replacing your-bucket-name with your actual bucket name. This grants the minimum permissions for listing the bucket and uploading files.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl" 
            ],
            "Resource": "arn:aws:s3:::your-bucket-name/*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::your-bucket-name"
        }
    ]
}

Click Next: Tags, then Next: Review. Name the policy (e.g., AppS3UploadPolicy) and click Create policy.

Create IAM User and Attach Policy:

Go to Users and click Create user.

Enter a User name (e.g., AppUploader).

For AWS access type, select Access key - Programmatic access.

Click Next.

On the Permissions page, select Attach existing policies directly and search for and select the AppS3UploadPolicy you just created.

Click Next: Tags, then Next: Review and Create user.

Retrieve Access Key/Secret Key:

The final screen will show the Access key ID and Secret access key.

Crucially, copy and securely save both of these. They will not be shown again. These are the credentials your app will use for uploading.
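
Before pasting either policy with your own bucket name filled in, it is worth checking that the public grant is still read-only and that the uploader's key cannot reach other buckets. The following is an added example, not part of the original post: it embeds the two policies from this page and flags any Allow statement that is broader than they are. The helper names (as_list, is_public, audit) are hypothetical, and only Allow statements using Action and Resource are examined.

```python
import json

# The two policies from this page, with the page's placeholder bucket name.
BUCKET = "your-bucket-name"
BUCKET_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::your-bucket-name/*"}]}""")
UPLOAD_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"],
   "Resource": "arn:aws:s3:::your-bucket-name/*"},
  {"Effect": "Allow", "Action": "s3:ListBucket",
   "Resource": "arn:aws:s3:::your-bucket-name"}]}""")

def as_list(value):
    """IAM accepts either a single value or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def is_public(principal):
    """True for the anonymous principal forms "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))

def audit(policy, bucket, public_actions=("s3:GetObject",)):
    """Return findings for Allow statements broader than the page intends."""
    findings = []
    allowed_arns = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action}")
            elif is_public(stmt.get("Principal")) and action not in public_actions:
                findings.append(f"statement {i}: public principal may call {action}")
        for arn in as_list(stmt.get("Resource", [])):
            if arn not in allowed_arns:
                findings.append(f"statement {i}: resource outside bucket: {arn}")
    return findings

if __name__ == "__main__":
    for name, policy in (("bucket", BUCKET_POLICY), ("upload", UPLOAD_POLICY)):
        print(name, audit(policy, BUCKET) or "ok")
```

Both policies from this page pass with no findings; a statement that lets the public principal write, uses s3:*, or names a different bucket is reported.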

Filed under: aws, cloud, howto, s3, tips
