`s3-credentials create` command

[simonw]

This is the command which create a user and returns credentials for a specified bucket, optionally also creating the bucket as well.

See initial design notes in #1.

[simonw]

Should the command allow a single credential to be created for multiple buckets? That feels like a useful ability.

[simonw]

So the command is:

s3-credentials create my-bucket1 [...my-bucket2]

It defaults to creating a brand new user with the ability to read and write content to the specified bucket (or buckets).

Options will include:

• --read-only - create the user such that they can only read
• --write-only - create the user such that they can only write (useful for logging style use-cases)
• --username - specify the username to use - without this a default username of s3:read-write:my-bucket will be used

[simonw]

Should it create the bucket if one does not exist? Or should it only do that if a --create-bucket option is passed?

I'm going to require --create-bucket - shortcut -c.

[simonw]

Also --bucket-region= for creating the bucket in a specific region.

[simonw]

And --user-permissions-boundary X for setting a different user permissions boundary, see #1 (comment) - if not specified the permissions boundary will default to one that only allows read or read-write access to S3.

Use --user-permissions-boundary none to disable that default and not set one at all.

[simonw]

Open question: should this support adding new bucket permissions to existing users?

I'd like to do that, but I'm not sure how to yet.

[simonw]

I'm going to use inline policies attached directly to the users for this tool.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html says:

You can add as many inline policies as you want to an IAM user, role, or group. But the total aggregate policy size (the sum size of all inline policies) per entity cannot exceed the following quotas:

• User policy size cannot exceed 2,048 characters.
• Role policy size cannot exceed 10,240 characters.
• Group policy size cannot exceed 5,120 characters.

Looks like put_user_policy() is the boto3 method for this: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.put_user_policy

response = client.put_user_policy(
    UserName='string',
    PolicyName='string',
    PolicyDocument='string'
)
# Example provided later:
response = client.put_user_policy(
    PolicyDocument='{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":"*","Resource":"*"}}',
    PolicyName='AllAccessPolicy',
    UserName='Bob',
)

The PolicyName is required. It's not clear to me what the uniqueness constraints around this are - my hunch is that it only has to be unique per-user, but I'll find that out for sure once I start testing.

[simonw]

In progress --help:

% s3-credentials create --help
Usage: s3-credentials create [OPTIONS] BUCKETS...

  Create and return new AWS credentials for specified S3 buckets

Options:
  --username TEXT                 Username to create or existing user to use
  -c, --create-bucket TEXT        Create buckets if they do not already exist
  --read-only                     Only allow reading from the bucket
  --write-only                    Only allow writing to the bucket
  --bucket-region TEXT            Region in which to create buckets
  --user-permissions-boundary TEXT
                                  Custom permissions boundary to use for
                                  created users, or 'none' to create without.
                                  Defaults to limiting to S3 based on --read-
                                  only and --write-only options.
  --help                          Show this message and exit.

[simonw]

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html#S3.Client.head_bucket

head_bucket(**kwargs)¶

This action is useful to determine if a bucket exists and you have permission to access it. The action returns a 200 OK if the bucket exists and you have permission to access it.

[simonw]

import botocore
try:
    s3.meta.client.head_bucket(Bucket="static.niche-museums.com2")
    print("Exists")
except botocore.exceptions.ClientError:
    print("Does not exist / not accessible")

[simonw]

If the user specifies more than one bucket then the default username of s3:read-write:my-bucket doesn't make sense any more - I'll use a comma separated list of buckets as the suffix instead.

[simonw]

I'm skipping --user-tag for the moment - it would be used like so:

response = iam.create_user(**kwargs)
    UserName=username,
    PermissionsBoundary='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)

[simonw]

The specified value for userName is invalid. It must contain only alphanumeric characters and/or the following: +=,.@_-

No : then.