s3-credentials create command #3
Comments
Should the command allow a single credential to be created for multiple buckets? That feels like a useful ability.
So the command is:
It defaults to creating a brand new user with the ability to read and write content to the specified bucket (or buckets). Options will include:
Should it create the bucket if one does not exist? Or should it only do that if a I'm going to require
Also
And Use
Open question: should this support adding new bucket permissions to existing users? I'd like to do that, but I'm not sure how to yet.
I'm going to use inline policies attached directly to the users for this tool. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html says:
Looks like:

```python
response = client.put_user_policy(
    UserName='string',
    PolicyName='string',
    PolicyDocument='string'
)
# Example provided later:
response = client.put_user_policy(
    PolicyDocument='{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":"*","Resource":"*"}}',
    PolicyName='AllAccessPolicy',
    UserName='Bob',
)
```

The
In progress
```python
import boto3
import botocore

s3 = boto3.resource("s3")
try:
    # HeadBucket succeeds only if the bucket exists and the caller may access it
    s3.meta.client.head_bucket(Bucket="static.niche-museums.com2")
    print("Exists")
except botocore.exceptions.ClientError:
    # Raised for both a missing bucket (404) and a forbidden one (403)
    print("Does not exist / not accessible")
```
If the user specifies more than one bucket then the default username of
I'm skipping

```python
response = iam.create_user(
    UserName=username,
    PermissionsBoundary='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)
```
No
It's nearly working:
I'm going to add one inline policy to the user per bucket they are allowed to access. I'll generate policy names that can be used to de-dupe these inline policies later, similar to the usernames:
Need to figure out what the JSON policy documents should look like. The examples on https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html are far more complicated than I want. I just want "read-only" or "write-only" or "read-write" for a specific S3 bucket. Referring back to dogsheep/dogsheep-photos#4 (comment)

Read-only:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject*",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::dogsheep-photos-simon/*"
            ]
        }
    ]
}
```

Or these examples look more relevant to me: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket.html
https://stackoverflow.com/questions/15076645/amazon-s3-write-only-access/50839107 suggests this for write-only:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME/*"
            ]
        }
    ]
}
```
https://blog.antoine-augusti.fr/2018/08/aws-s3-read-only-policy-for-bucket/ suggests the following for read-only:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "s3:ListBucket"
            ],
            "NotResource": [
                "arn:aws:s3:::bucketname",
                "arn:aws:s3:::bucketname/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucketname",
                "arn:aws:s3:::bucketname/*"
            ]
        }
    ]
}
```

Not sure why this explicitly allows
Similar example here: https://coderwall.com/p/jrjwza/s3-group-policy-for-read-only-access-to-only-one-bucket
Going with these policies for the moment: s3-credentials/s3_credentials/policies.py Lines 1 to 48 in 5eea119
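The three access modes and the per-bucket inline policy flow discussed in this thread, as an added example that is not the project's own `policies.py`: it builds a minimal policy document for a bucket and mode, derives a deterministic policy name so a re-run updates the same inline policy instead of adding a duplicate, and runs the create-user / put-user-policy / create-access-key sequence against an injected IAM client. The `MODE_ACTIONS` table, the `s3-access-to-…` naming scheme, the function names and the `FakeIAM` stand-in are assumptions for illustration; the fact that `s3:ListBucket` is evaluated against the bucket ARN while object actions are evaluated against `bucket/*` is standard S3 behaviour.

```python
"""Added example, not code from the s3-credentials project.

Builds the thread's read-only / write-only / read-write inline policies for a
single bucket and drives the user -> policy -> access key sequence through an
IAM client passed in by the caller, so it can be exercised with a fake.
"""
import json
import re

# Assumed mapping from the thread's modes to the S3 actions each needs.
# s3:ListBucket is authorised on the bucket ARN itself; s3:GetObject and
# s3:PutObject are authorised on object ARNs (bucket/*). Granting ListBucket
# only on bucket/* would not permit listing the bucket.
MODE_ACTIONS = {
    "read-only": {"bucket": ["s3:ListBucket"], "object": ["s3:GetObject"]},
    "write-only": {"bucket": [], "object": ["s3:PutObject"]},
    "read-write": {"bucket": ["s3:ListBucket"], "object": ["s3:GetObject", "s3:PutObject"]},
}

# IAM inline policy names are 1..128 characters from [\w+=,.@-]
_POLICY_NAME_RE = re.compile(r"[\w+=,.@-]{1,128}")


def policy_document(bucket, mode):
    """Return a policy dict scoped to exactly one bucket for the given mode."""
    try:
        actions = MODE_ACTIONS[mode]
    except KeyError:
        raise ValueError(f"unknown mode {mode!r}") from None
    arn = f"arn:aws:s3:::{bucket}"
    statements = []
    if actions["bucket"]:
        statements.append({"Effect": "Allow", "Action": actions["bucket"], "Resource": [arn]})
    statements.append({"Effect": "Allow", "Action": actions["object"], "Resource": [f"{arn}/*"]})
    return {"Version": "2012-10-17", "Statement": statements}


def policy_name(bucket, mode):
    """Deterministic per-bucket name (assumed scheme); put_user_policy with the
    same name replaces the existing inline policy rather than duplicating it."""
    name = f"s3-access-to-{bucket}-{mode}"
    if not _POLICY_NAME_RE.fullmatch(name):
        raise ValueError(f"{name!r} is not a valid IAM policy name")
    return name


def create_credentials(iam, username, buckets, mode):
    """Create the user, attach one inline policy per bucket, create a key.

    `iam` only needs create_user / put_user_policy / create_access_key (the
    boto3 IAM client method names), so a fake can stand in for it offline.
    """
    iam.create_user(UserName=username)
    names = []
    for bucket in buckets:
        name = policy_name(bucket, mode)
        iam.put_user_policy(
            UserName=username,
            PolicyName=name,
            PolicyDocument=json.dumps(policy_document(bucket, mode)),
        )
        names.append(name)
    key = iam.create_access_key(UserName=username)["AccessKey"]
    return {
        "AccessKeyId": key["AccessKeyId"],
        "SecretAccessKey": key["SecretAccessKey"],
        "PolicyNames": names,
    }


class FakeIAM:
    """Constructed stand-in that records calls and returns placeholder values."""

    def __init__(self):
        self.calls = []

    def create_user(self, **kwargs):
        self.calls.append(("create_user", kwargs))
        return {"User": {"UserName": kwargs["UserName"]}}

    def put_user_policy(self, **kwargs):
        self.calls.append(("put_user_policy", kwargs))
        return {}

    def create_access_key(self, **kwargs):
        self.calls.append(("create_access_key", kwargs))
        return {"AccessKey": {"AccessKeyId": "AKIA-PLACEHOLDER",
                              "SecretAccessKey": "SECRET-PLACEHOLDER"}}


if __name__ == "__main__":
    fake = FakeIAM()
    creds = create_credentials(fake, "s3.read-write.photos", ["photos", "backups"], "read-write")
    print(json.dumps(creds, indent=2))
    for call, kwargs in fake.calls:
        print(call, json.dumps(kwargs, indent=2))
```

To run it against a real account, pass `boto3.client("iam")` in place of `FakeIAM()`; the injected-client shape is what makes the sequence testable without credentials.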
Last step: create the access key: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.create_access_key
I'm going to turn my work-in-progress into a PR.
Also added a warning and request for security review, refs #7
This is the command which creates a user and returns credentials for a specified bucket, optionally also creating the bucket as well.
See initial design notes in #1.