All Amazon S3 resources are private and can be accessed only by the resource’s creator. However, the resource owner can grant permissions to certain persons with the help of an access policy. The access policy also helps to maintain the S3 access control.
On that note, consider the below example of granting only programmatic access to a user to perform S3 operations.
How to Create a User in IAM
These are the steps to create a user in IAM.
Step 1: Log in as a user with sufficient AWS console privileges.
Step 2: Navigate to IAM (https://console.aws.amazon.com/iam/home).
Step 3: Go to Users and click on Add User.
Step 4: Create a user with programmatic access only.
Step 5: Provide the User name, check the box next to “Programmatic access”, and click Next: Permissions.
Step 6: On the next page, we define access policies for the User.
Step 7: Select attach existing policies directly. We can now see all access policies defined for a User.
Step 8: Click next without selecting any policies, which we will discuss later.
Step 9: Go ahead by giving tags, reviewing your settings, and creating the User.
Adding Permissions to the User by Defining Policies
Here’s how you can define policies in IAM.
Step 1: Create a custom policy for a User to access the S3 bucket. You can create this policy during the User creation itself.
Step 2: From the Users menu, select the User name and click on Add Permissions under Summary.
Step 3: Click on attach existing policies directly and click on Create Policy.
Step 4: Click on JSON and paste the following.
| { “Version”: “2012-10-17”, “Statement”: [ { “Sid”: “VisualEditor0”, “Effect”: “Allow”, “Action”: [ “s3:ListBucket”, “s3:PutObject”, “s3:GetObject”, “s3:DeleteObject” ], “Resource”: “*” } ] } |
The above policy will allow the User to programmatically do the below actions.
s3:ListBucket – List the contents in the bucket IF the bucket name is known with action s3:ListBucket.
s3:PutObject: Write objects in the bucket with action s3:PutObject.
s3:GetObject: List the objects in the bucket using s3:GetObject. This is the same as s3:ListBucket. However, we cannot list the objects just by using action s3:GetObject alone.
s3:DeleteObject: Delete objects in the container using s3:DeleteObject.
Testing Access to Bucket
AWS CLI Output
| root@gitlab:~# aws s3 ls gitlab-backup-208 PRE 2021_05_08/ root@gitlab:~# aws s3 cp test.txt s3://gitlab-backup-208 upload: ./test.txt to s3://gitlab-backup-208/test.txt root@gitlab:~# aws s3 ls gitlab-backup-208 PRE 2021_05_08/ 2021-05-13 20:37:28 0 test.txt root@gitlab:~# aws s3 rm s3://gitlab-backup-208/test.txt delete: s3://gitlab-backup-208/test.txt |
Wrapping Up
That was all about managing access to the S3 buckets, S3 access control.
At SysAlly, we experiment with Cloud and the most useful information is passed on to the world as blogs. Signup for the updates.
Until later, here’s SysAlly signing off!
Cloud
