We use Amazon S3 on almost every project we work on, and this usually means that we end up needing to create temporary buckets for use on staging or demo sites.
Obviously, we don’t want to be reusing the same access key and secret key on every staging and development site, even if they are temporary. Instead we create a separate key pair for each.
Unfortunately, setting up a new user and key pair with access to only a single bucket is quite complex - a pathway littered with woe and despair. But fear not! It’s actually pretty straight-forward once you know the pieces of the puzzle.
This guide assumes that you have already got IAM set up and in use on your AWS account.
First, log in to AWS and create a new bucket from the S3 panel. Open the Properties for the bucket, and click Add more permissions. Set the Grantee to be Authenticated Users, and check List and Upload/Delete. Don’t forget to save!
Next, go to the IAM console and Create a New User from the Users panel. Don’t forget to note down the security credentials for later use.
We typically attach the permissions to a new group (so we can reuse
them later), but you may find that to be overkill depending on your use
case. If that’s the case, just use the policy below directly on the User.
Otherwise, select Create New Group from the Groups panel.
Select a Custom Policy, and use the following as a template:
{
"Statement": [
{
"Sid": "Stmt1344909032464",
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::BUCKETNAME",
"arn:aws:s3:::BUCKETNAME/*"
]
},
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
}
]
}
You need to change “BUCKETNAME” to the name of your bucket from step earlier.
These rules specify :
* Allow all the S3 permissions on the bucket itself. Some permissions apply against the bucket directly, and this gives access.
* Allow all the S3 permissions on all the keys within the bucket. Some permissions only apply against keys, and this gives access.
* Finally, give access for S3 to enumerate all the buckets within the account. This means we can use GUI tools to navigate the bucket which will error out without this permission.
One item to remember is that this does expose all your bucket names for
an authenticated user - for our cases this isn’t a problem, but YMMV.
Finally, add the User into the Group.
That’s it! You should now be able to use the new keys and access only the bucket you specified. Easy, and no woe!