|
| 1 | +# AWS Roles And Permissions (IAM) |
| 2 | + |
| 3 | +This can be a deep rabbit hole to go down - we will try and keep it simple! |
| 4 | + |
| 5 | +In general, we can consider these access options: |
| 6 | + |
| 7 | +- **IAM User**: for _people_. Long-term access keys. Generally for manual |
| 8 | + user usage. |
| 9 | +- **IAM Role**: for _code_. Temporary credentials via OIDC, STS, etc, |
| 10 | + for usage in things like Github workflows. |
| 11 | +- **Resource Policy**: permissions directly on a _service_ (e.g. S3 bucket). |
| 12 | +- Other AWS-specific ways to login such as EC2 instance profiles |
| 13 | + (granting an EC2 machine access to certain things by default), |
| 14 | + or IAM roles for service accounts used with Kubernetes. |
| 15 | + |
| 16 | +It may be possible to use a bit of the above, and conflict can occur, |
| 17 | +so it's key to be consistent for what type of configuration you set. |
| 18 | + |
| 19 | +## S3 Bucket Permissions |
| 20 | + |
| 21 | +- There are two key things to consider: |
| 22 | + 1. Bucket permissions: which bucket, and what permissions. |
| 23 | + 2. CORS policy: which websites can access the bucket. |
| 24 | + |
| 25 | +### Bucket Permissions |
| 26 | + |
| 27 | +- The simplest way to access a bucket (e.g. from AWS CLI): |
| 28 | + - Create an IAM user. |
| 29 | + - Grant the user permission to read/write the specific bucket. |
| 30 | + |
| 31 | + ```json |
| 32 | + { |
| 33 | + "Version": "2012-10-17", |
| 34 | + "Statement": [ |
| 35 | + { |
| 36 | + "Effect": "Allow", |
| 37 | + "Action": ["s3:GetObject", "s3:PutObject"], |
| 38 | + "Resource": "arn:aws:s3:::my-example-bucket/*" |
| 39 | + } |
| 40 | + ] |
| 41 | + } |
| 42 | + ``` |
| 43 | + |
| 44 | + - Generate access credentials for the IAM user. |
| 45 | + - Login to your terminal or app using the provided credentials. |
| 46 | + |
| 47 | +- For pushing to buckets from CI/CD workflows, it might be best |
| 48 | + to use temporary credentials granted via |
| 49 | + [OIDC & roles](https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws). |
| 50 | +- For accessing a bucket from an EC2 instance, |
| 51 | + [EC2 instance profiles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) |
| 52 | + may be best. |
| 53 | +- Example policy written **directly on the bucket** instead: |
| 54 | + |
| 55 | + ```json |
| 56 | + { |
| 57 | + "Version": "2012-10-17", |
| 58 | + "Statement": [ |
| 59 | + { |
| 60 | + "Sid": "NameThePolicyWhateverYouWant", |
| 61 | + "Effect": "Allow", |
| 62 | + "Principal": { |
| 63 | + "AWS": "arn:aws:iam::123456789012:role/my-ci-role" |
| 64 | + }, |
| 65 | + "Action": ["s3:GetObject", "s3:PutObject"], |
| 66 | + "Resource": "arn:aws:s3:::my-example-bucket/*" |
| 67 | + } |
| 68 | + ] |
| 69 | + } |
| 70 | + ``` |
| 71 | + |
| 72 | +### Bucket CORS Policy |
| 73 | + |
| 74 | +To simply allow access from all sites, use: |
| 75 | + |
| 76 | +```json |
| 77 | +{ |
| 78 | + "CORSRules": [ |
| 79 | + { |
| 80 | + "AllowedOrigins": ["*"], |
| 81 | + "AllowedMethods": ["GET", "HEAD"], |
| 82 | + "AllowedHeaders": ["*"] |
| 83 | + } |
| 84 | + ] |
| 85 | +} |
| 86 | +``` |
| 87 | + |
| 88 | +To grant specific access to different sites, use: |
| 89 | + |
| 90 | +```json |
| 91 | +{ |
| 92 | + "CORSRules": [ |
| 93 | + { |
| 94 | + "AllowedOrigins": ["https://example.com", "https://app.example.org"], |
| 95 | + "AllowedMethods": ["GET", "HEAD", "PUT"], |
| 96 | + "AllowedHeaders": ["Authorization", "Content-Type"], |
| 97 | + "ExposeHeaders": ["ETag"], |
| 98 | + "MaxAgeSeconds": 3000 |
| 99 | + } |
| 100 | + ] |
| 101 | +} |
| 102 | +``` |
0 commit comments