Banner ad offering free consultation
reinteractive - Ruby On Rails Development
Banner ad offering free consultation
Contact Us
Blog

Setting up an Amazon S3 Bucket with an Independent Set of Keys

Team Avatar - Mikel Lindsaar
Mikel Lindsaar
August 14, 2012

We use Amazon S3 on almost every project we work on, and this usually means that we end up needing to create temporary buckets for use on staging or demo sites.

Obviously, we don’t want to be reusing the same access key and secret key on every staging and development site, even if they are temporary. Instead we create a separate key pair for each.

Unfortunately, setting up a new user and key pair with access to only a single bucket is quite complex - a pathway littered with woe and despair. But fear not! It’s actually pretty straight-forward once you know the pieces of the puzzle.

This guide assumes that you have already got IAM set up and in use on your AWS account.

First, log in to AWS and create a new bucket from the S3 panel. Open the Properties for the bucket, and click Add more permissions. Set the Grantee to be Authenticated Users, and check List and Upload/Delete. Don’t forget to save!

Next, go to the IAM console and Create a New User from the Users panel. Don’t forget to note down the security credentials for later use.

We typically attach the permissions to a new group (so we can reuse them later), but you may find that to be overkill depending on your use case. If that’s the case, just use the policy below directly on the User. Otherwise, select Create New Group from the Groups panel. Select a Custom Policy, and use the following as a template: { "Statement": [ { "Sid": "Stmt1344909032464", "Action": [ "s3:*" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::BUCKETNAME", "arn:aws:s3:::BUCKETNAME/*" ] }, { "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*" } ] } You need to change “BUCKETNAME” to the name of your bucket from step earlier. These rules specify : * Allow all the S3 permissions on the bucket itself. Some permissions apply against the bucket directly, and this gives access. * Allow all the S3 permissions on all the keys within the bucket. Some permissions only apply against keys, and this gives access. * Finally, give access for S3 to enumerate all the buckets within the account. This means we can use GUI tools to navigate the bucket which will error out without this permission. One item to remember is that this does expose all your bucket names for an authenticated user - for our cases this isn’t a problem, but YMMV. Finally, add the User into the Group.

That’s it! You should now be able to use the new keys and access only the bucket you specified. Easy, and no woe!

Ready to start your next project?
info@reinteractive.com
AUS +61 2 8019 7252
USA +1 415 745 3250
Why Ruby on Rails Download Free E-book
Get the "Why Ruby On Rails" Booklet & Join Our Newsletter
Salesforce Partner - specialising in Heroku
© reinteractive Pty Ltd 2024. All Rights Reserved.