AWS S3 bucket policy to make all files public (+CORS)

bucket_policy.js

{
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket_name_here/*"
    }
  ]
}

client.js

// https://github.com/elasticsales/s3upload-coffee-javascript
var s3upload = new S3Upload({
  file_dom_selector: '#files', // an <input type="file"> element
  s3_sign_put_url: '/sign_s3_put',
  onProgress: function(percent, message, publicUrl, file) { // Use this for live upload progress bars
    console.log('Upload progress: ', percent, message);
  },
  onFinishS3Put: function(public_url, file) { // Get the URL of the uploaded file
    console.log('Upload finished: ', public_url);
  },
  onError: function(status, file) {
    console.log('Upload error: ', status);
  }
});

cors.xml

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>Authorization</AllowedHeader>
    </CORSRule>
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>PUT</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>Content-Type</AllowedHeader>
        <AllowedHeader>x-amz-acl</AllowedHeader>
        <AllowedHeader>origin</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

iam_policy.js

{
    "Statement": [{
        "Action": [
            "s3:GetObject",
            "s3:PutObject",
            "s3:PutObjectAcl"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::bucket_name_here/*"
        ]
    }]
}

view.py

import time, os, json, base64, urllib, hmac, sha

@app.route('/sign_s3_put/')
@login_required
def sign_s3_put():
    """
    Provide a temporary signature so that users can upload files directly from their
    browsers to our AWS S3 bucket.
    The authorization portion is taken from Example 3 on
    http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html
    """
    # don't give user full control over filename - avoid ability to overwrite files
    random = base64.urlsafe_b64encode(os.urandom(2))
    object_name = random+request.args.get('s3_object_name')
    object_name = urllib.quote_plus(object_name) # make sure it works for filenames with spaces, etc.
    mime_type = request.args.get('s3_object_type')

    expires = int(time.time()+300) # PUT request to S3 must start within X seconds
    amz_headers = "x-amz-acl:public-read" # set the public read permission on the uploaded file
    resource = '%s/%s' % (app.config['AWS_EMAIL_ATTACHMENTS_BUCKET_NAME'], object_name)
    str_to_sign = "PUT\n\n{mime_type}\n{expires}\n{amz_headers}\n/{resource}".format(
        mime_type=mime_type,
        expires=expires,
        amz_headers=amz_headers,
        resource=resource
    )
    sig = urllib.quote_plus(base64.encodestring(hmac.new(app.config['AWS_EMAIL_ATTACHMENTS_SECRET_ACCESS_KEY'], str_to_sign, sha).digest()).strip())

    url = 'https://%s.s3.amazonaws.com/%s' % (app.config['AWS_EMAIL_ATTACHMENTS_BUCKET_NAME'], object_name)
    return json.dumps({
        'signed_request': '{url}?AWSAccessKeyId={access_key}&Expires={expires}&Signature={sig}'.format(
            url=url,
            access_key=app.config['AWS_EMAIL_ATTACHMENTS_ACCESS_KEY_ID'],
            expires=expires,
            sig=sig
        ),
        'url': url
    })

@philfreo THANK YOU! 👍