Description
I have deployed TiTiler using the clickable button on the homepage of this repo.
During the setup phase, I indicated the name of the bucket I wish to restrict our service to: static-content-libmaps.nus.edu.sg
Once deployed, I see I can still use the deployed TiTiler with COGs that are hosted outside of my S3 bucket, for instance https://sentinel-cogs.s3.us-west-2.amazonaws.com/sentinel-s2-l2a-cogs/36/Q/WD/2020/7/S2A_36QWD_20200701_0_L2A/TCI.tif
At the moment this can be tried out here:
https://p3fzuczz5m.execute-api.ap-southeast-1.amazonaws.com/api.html#/Cloud%20Optimized%20GeoTIFF/info_cog_info_get
The generated TiTilerRolePolicy1 reads like this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:HeadObject"
      ],
      "Resource": [
        "arn:aws:s3:::static-content-libmaps.nus.edu.sg/*"
      ],
      "Effect": "Allow"
    }
  ]
}
```

Following the comments found here, I have changed it to this:
(As mentioned there, the editor does give an error related to s3:HeadObject.)
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::static-content-libmaps.nus.edu.sg/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Deny"
    }
  ]
}
```

But I can still use my deployment with a COG that is outside of my bucket.
Any clues?
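The role policy above only governs S3 API calls made with the Lambda's credentials. The Sentinel example in the issue is a public object fetched over plain HTTPS, so GDAL reads it without ever consulting IAM, and no Allow/Deny statement on the role can stop that. The restriction the issue is after has to be enforced in the application, by rejecting dataset URLs that do not point into the permitted bucket before TiTiler opens them. The following is an added example, not code from TiTiler or from this deployment repo: a pure-Python check that resolves the bucket a URL refers to (the `s3://`, virtual-hosted and path-style Amazon S3 forms) and compares it against an allowlist. The `ALLOWED_BUCKETS` set, the function names and the sample URLs are assumptions made for the example; in a real deployment such a check would be wired in as the tiler's `path_dependency`, which is how titiler.core lets you replace the default dataset-path parameter.

```python
from typing import Iterable, Optional
from urllib.parse import urlparse

# Hypothetical allowlist for the example: the one bucket named in the issue.
ALLOWED_BUCKETS = {"static-content-libmaps.nus.edu.sg"}

_AWS_SUFFIX = ".amazonaws.com"


def s3_bucket_of(url: str) -> Optional[str]:
    """Return the S3 bucket a dataset URL refers to, or None for non-S3 URLs.

    Recognised forms:
      s3://bucket/key
      https://bucket.s3.<region>.amazonaws.com/key   (virtual-hosted style)
      https://bucket.s3-<region>.amazonaws.com/key   (legacy dashed region)
      https://s3.<region>.amazonaws.com/bucket/key   (path style)
    Anything else (including a public object on some other host) yields None.
    """
    parsed = urlparse(url)
    if parsed.scheme == "s3":
        return parsed.netloc or None
    if parsed.scheme not in ("http", "https"):
        return None
    host = (parsed.hostname or "").lower()
    if not host.endswith(_AWS_SUFFIX):
        return None
    # Path style: the host is the S3 endpoint itself, the bucket is the first path segment.
    if host.startswith("s3.") or host.startswith("s3-"):
        segments = [s for s in parsed.path.split("/") if s]
        return segments[0] if segments else None
    # Virtual-hosted style: everything before ".s3." / ".s3-" is the bucket name.
    for marker in (".s3.", ".s3-"):
        if marker in host:
            return host.split(marker, 1)[0]
    return None


def check_dataset_url(url: str, allowed_buckets: Iterable[str] = ALLOWED_BUCKETS) -> str:
    """Return the URL unchanged if it points into an allowed bucket, else raise ValueError.

    Non-S3 URLs are refused outright: an HTTPS object on a third-party host
    is exactly the case the IAM role policy cannot see.
    """
    bucket = s3_bucket_of(url)
    if bucket is None:
        raise ValueError(f"refusing dataset URL that is not in S3: {url}")
    if bucket not in set(allowed_buckets):
        raise ValueError(f"bucket {bucket!r} is not in the allowlist")
    return url


def is_allowed(url: str, allowed_buckets: Iterable[str] = ALLOWED_BUCKETS) -> bool:
    """Boolean form of check_dataset_url, convenient for tests and logging."""
    try:
        check_dataset_url(url, allowed_buckets)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: the public Sentinel COG from the issue and two
    # spellings of an object inside the permitted bucket.
    samples = [
        "https://sentinel-cogs.s3.us-west-2.amazonaws.com/sentinel-s2-l2a-cogs/36/Q/WD/2020/7/S2A_36QWD_20200701_0_L2A/TCI.tif",
        "s3://static-content-libmaps.nus.edu.sg/example.tif",
        "https://s3.ap-southeast-1.amazonaws.com/static-content-libmaps.nus.edu.sg/example.tif",
        "https://example.org/some-other-cog.tif",
    ]
    for sample in samples:
        print(f"{'ALLOW' if is_allowed(sample) else 'DENY '}  {sample}")
```

Rejecting the URL in the request path is independent of IAM: keep the role policy scoped to the bucket (so the function's credentials cannot read other private buckets) and add this application-level check so that public objects elsewhere are refused too. Note that with the Deny-on-`*` statement in the second policy, the explicit Deny wins over the Allow, so the role would lose access to the permitted bucket as well; the allowlist approach avoids that trap.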