Amazon S3 - Creating an IAM user

In order for Easy Digital Downloads to connect to your Amazon S3 account, you will need to create an IAM user and attach a permissions policy to the user. You can click Show User Security Credentials to view the access key and secret key. These are the values you need to enter in your WordPress site at Downloads → Settings → Extensions → Amazon S3.

1. Log into your Amazon S3 account

Log into your Amazon S3 account and navigate to the Users page. This page can be found by clicking on your account name in the top left corner and clicking on Security Credentials:

If you get a popup, choose "Get started with IAM users".

2. Set up IAM User

A. Add User

If you have an existing IAM user you wish to use, click on that user. If you need to create a new user, click the blue Add User button and follow the prompts. You now need to obtain security credentials and also attach a permissions policy to the user.

B. Set user details:

User name: Enter a user name of your choice

Access type: Programmatic access

C. Set permissions

  1. Select the "Attach existing policies directly" box.
  2. Then, in the Filter box, enter "S3". That will filter the results down to those that are relevant for Amazon S3.
  3. Check the box for AmazonS3FullAccess and click Attach Policy.
  4. Set permissions boundary: Select "Create user without a permissions boundary"
  5. Click Next.

D. Add Tags

This is not required. Click Next.

E. Review

Review and click Create user.

3. Get Access Keys

A. Click IAM user name created above

B. Click on the Security Credentials tab and click Create Access Key. Once the success message pops up, click Download Credentials. Save the file to a secure location on your computer.

C. Save created keys

Note: you will not be able to access the secret key ever again for this user, so make sure that you save the file. If you lose the credentials, you will need to create a new access key.

Your IAM user should now have full permission to access and upload files to the S3 bucket.

If you need more assistance creating IAM users or attaching policies, see Amazon's guide on creating IAM users for more information.

Limit Access to Specific Buckets

If your S3 account is used for other purposes and you want to limit your IAM account (EDD Store) to specific buckets, you can create a custom policy in place of AmazonS3FullAccess.

Update bucket-name-here with the name(s) of the buckets you want accessible via your EDD store.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:ListBucketMultipartUploads",
                "s3:AbortMultipartUpload",
                "s3:ListBucket",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name-here",
                "arn:aws:s3:::bucket-name-here/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}

When using this policy, all bucket names will be viewable, but only the ones you place in the Resource section are accessible. If a bucket that is not included in the Resource list is accessed via EDD, a PHP error will occur. We hope to improve this in a future release.
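Before attaching a custom policy, you can check that it really is limited to the buckets you intended. The following is an added example, not part of Easy Digital Downloads or of AWS tooling: a small offline checker that flags wildcard actions, resources that are not tied to a single bucket, a leftover bucket-name-here placeholder, and a bucket listed without both of its ARN forms. The function name audit_policy, the sample policies and the bucket name example-edd-files are assumptions made for illustration.

```python
import json
import re

ACCOUNT_WIDE_OK = {"s3:ListAllMyBuckets"}  # only action the page grants on "*"
BUCKET_LEVEL = {"s3:ListBucket", "s3:ListBucketMultipartUploads"}
PLACEHOLDER = "bucket-name-here"
ARN = re.compile(r"^arn:aws:s3:::([^/*?]+)(/.*)?$")  # literal bucket, optional key part


def as_list(value):
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Return findings for an S3 identity policy; an empty list means bucket-scoped."""
    findings = []
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(as_list(stmt.get("Action", [])))
        findings += [f"{sid}: wildcard action {a}" for a in sorted(actions) if "*" in a]
        bucket_arns, object_arns = set(), set()
        for res in as_list(stmt.get("Resource", [])):
            m = ARN.match(res)
            if m is None:  # "*" or a wildcarded bucket name
                if not actions <= ACCOUNT_WIDE_OK:
                    findings.append(f"{sid}: resource {res} is not limited to one bucket")
                continue
            if m.group(1) == PLACEHOLDER:
                findings.append(f"{sid}: {res} still contains the placeholder")
            (object_arns if m.group(2) else bucket_arns).add(m.group(1))
        if actions & BUCKET_LEVEL:  # listing is authorized against the bucket ARN
            findings += [f"{sid}: {b} needs arn:aws:s3:::{b}"
                         for b in sorted(object_arns - bucket_arns)]
        if actions - BUCKET_LEVEL - ACCOUNT_WIDE_OK:  # object actions need bucket/*
            findings += [f"{sid}: {b} needs arn:aws:s3:::{b}/*"
                         for b in sorted(bucket_arns - object_arns)]
    return findings


# Constructed sample: one statement granting every S3 action on every resource.
BROAD = '{"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}}'
# Constructed sample: scoped to a hypothetical bucket, but the bucket ARN was left out.
HALF = json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": "Edd", "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": ["arn:aws:s3:::example-edd-files/*"]}]})

if __name__ == "__main__":
    for name, doc in (("broad", BROAD), ("half-scoped", HALF)):
        print(name, audit_policy(doc))
```

Paste the policy you are about to attach into a string and pass it to audit_policy; the custom policy above returns no findings once bucket-name-here has been replaced in both Resource lines.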