Skip to content

Instantly share code, notes, and snippets.

@BigglesZX

BigglesZX/s3.iam.md

Last active December 9, 2020 17:43
Show Gist options
  • Save BigglesZX/d6b99cc23f30e460dca01ab803c61b19 to your computer and use it in GitHub Desktop.
Save BigglesZX/d6b99cc23f30e460dca01ab803c61b19 to your computer and use it in GitHub Desktop.
Download ZIP
Amazon S3 IAM User Notes
Raw
s3.iam.md

Setting up S3-bucket-specific IAM users for new sites

This provides a new site with a unique IAM access key/secret that allows read/write access to a single S3 bucket, e.g. to allow a Django site to upload media files. This assumes the bucket itself has already been created.

Note: I originally created this gist as a note-to-self so conventions shown here are particular to my setup; YMMV.

  1. Log in to the AWS Console and head to the IAM section
  2. Click Users to access the IAM user list
  3. Click Add User
  4. Enter username in the format of sitename-s3 (replacing sitename)
  5. Under Access Type tick Programmatic access; click Next
  6. Under Permissions click Attach existing policies directly
  7. Above the policy object list, click Create Policy
  8. In the policy popup, next to Create Your Own Policy click Select
  9. Under Policy Name enter s3__bucketname (replacing bucketname)
  10. Under Description enter something like "RW access to bucketname S3 bucket"
  11. Under Policy Document enter the following, substituting the bucket name:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKETNAME",
                "arn:aws:s3:::BUCKETNAME/*"
            ],
            "Effect": "Allow"
        }
    ]
}
  1. Validate the policy then click Create
  2. Back in the policy list in the previous tab, click Refresh then tick the new policy; scroll down and click Next
  3. Review and click Create User
  4. Copy the access key and secret into your config, and you're done
Raw
z.s3.bucket.policy.md

Public Bucket Policy

{
    "Version": "2008-10-17",
    "Id": "http better policy",
    "Statement": [
        {
            "Sid": "readonly policy",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucketname/*"
        },
        {
            "Sid": "readonly policy",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucketname/*/*"
        }
    ]
}

django-storages docs recommend this policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Principal": {
                "AWS": "arn:aws:iam::example-AWS-account-ID:user/example-user-name"
            },
            "Resource": [
                "arn:aws:s3:::example-bucket-name/*",
                "arn:aws:s3:::example-bucket-name"
            ]
        }
    ]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment