Delicious Brains

Quick Start Guide

Log in to the AWS Console

Already have an Amazon Web Services (AWS) account? Sign in here.

If you don’t have an AWS account yet, you will need to sign up here.

IAM User

Once you have logged into the console, you will need to create a new IAM user:

  1. Navigate to https://console.aws.amazon.com/iam/home#users
  2. Click Add user
  3. Enter a name for the user in the User name field.
    Names are case insensitive and must be unique within your AWS account. User names can be a combination of up to 64 letters, digits, and these characters: plus (+), equal (=), comma (,), period (.), at sign (@), and hyphen (-).
  4. Under Access type select the checkbox for Programmatic access.
  5. Click Next: Permissions
  6. Scroll to the bottom and click Next: Review
  7. Click Create user (We will set permissions in just a moment)
  8. You will be shown the security credentials for the user, which consist of an Access Key ID and a Secret Access Key. Amazon will not show these again, so copy them somewhere safe or download them as a .csv file. If you lose them, you can always create a new set of credentials from the console, but you cannot retrieve these same credentials again later.

Save Access Keys

Once you have your key and secret for the user, we recommend defining them in the wp-config.php of your site:

define( 'DBI_AWS_ACCESS_KEY_ID', '********************' );
define( 'DBI_AWS_SECRET_ACCESS_KEY', '************************************' );

These should be placed before:

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

You can also save your key and secret in the database, but we recommend not doing so for security and to guard against accidents should you clone your database to another server.

Continue with the following steps to grant access for the new user to your bucket.

S3 Permissions

When you create a new IAM user, by default it has no permissions at all. We need to give our new user access to manage files in S3:

  1. While in the IAM Management Console, click Users from the navigation on the left (you now should see a list of all users in your AWS account)
  2. Click on the new user you just created
  3. The Permissions tab should already be active. Click + Add inline policy in the lower right of the tab’s content
  4. Click Custom Policy and click the Select button
  5. Enter a name for the policy (e.g. S3Access)
  6. Copy the below policy and paste it into the Policy Document editor
  7. When you are done editing your policy, click Apply Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:DeleteObject",
                "s3:Put*",
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}

This policy allows the user to create buckets, delete files (not buckets), upload files, download files, and list files and buckets. This is the basic level of permissions the plugin requires to function.

Bucket Restrictions

This policy can be further tightened to restrict the user's access to a specific bucket. Simply replace the ‘Resource’ section with the following:

"Resource": [
    "arn:aws:s3:::mybucket",
    "arn:aws:s3:::mybucket/*"
]

Note that if you restrict access like this, the plugin will give you an Access Denied error when you try to select a bucket, because the user does not have permission to list all the buckets in your account. Fortunately, you can simply type the bucket name in.
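To see why the bucket list fails and what the wildcards still permit, the following added example (not part of the plugin or the original guide) evaluates both Resource variants with a simplified matcher. It assumes a single Allow statement with no Deny, Condition or bucket policy, represents the account-wide bucket listing as a request on arn:aws:s3:::*, and uses a made-up bucket "otherbucket" and object key. Note that s3:Put* also covers bucket-level actions such as s3:PutBucketPolicy.

```python
import re

# The page's Action list combined with each of its two Resource variants.
ACTIONS = ["s3:CreateBucket", "s3:DeleteObject", "s3:Put*", "s3:Get*", "s3:List*"]
BROAD = {"Effect": "Allow", "Action": ACTIONS, "Resource": ["arn:aws:s3:::*"]}
SCOPED = {"Effect": "Allow", "Action": ACTIONS,
          "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"]}

# Assumption of this model: listing every bucket targets no single bucket,
# so it is represented as a request on the catch-all S3 ARN.
ALL_BUCKETS = "arn:aws:s3:::*"


def _glob(pattern, value, ignore_case=False):
    """Match an IAM-style pattern where * is any run and ? is one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None


def allowed(statement, action, resource):
    """True if one Allow statement covers the request (no Deny, no Condition)."""
    if statement["Effect"] != "Allow":
        return False
    return (any(_glob(a, action, ignore_case=True) for a in statement["Action"])
            and any(_glob(r, resource) for r in statement["Resource"]))


def report(statement, requests):
    """Map each (action, resource) request to the simplified decision."""
    return {req: allowed(statement, *req) for req in requests}


# Constructed sample requests; "otherbucket" and the object key are made up.
REQUESTS = [
    ("s3:ListAllMyBuckets", ALL_BUCKETS),
    ("s3:PutObject", "arn:aws:s3:::mybucket/wp-content/uploads/a.jpg"),
    ("s3:PutObject", "arn:aws:s3:::otherbucket/a.jpg"),
    ("s3:PutBucketPolicy", "arn:aws:s3:::mybucket"),
]

if __name__ == "__main__":
    for name, stmt in (("broad", BROAD), ("scoped", SCOPED)):
        for (action, resource), ok in report(stmt, REQUESTS).items():
            print(f"{name:6} {'ALLOW' if ok else 'deny':5} {action} {resource}")
```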

You can read more about IAM policies here and AWS can generate one for you here.

Cron Setup

We highly recommend that you configure a proper cron job on your server as WP Offload S3 relies heavily on background processing. See our Cron Setup doc for details on how to accomplish this.