Fork and clone this repository.
Read over all the instructions before proceeding.
Follow the steps outlined to create an AWS S3 bucket and gain programmatic access to it.
- An AWS (Amazon Web Services) account. If you do not have an account, open AWS and click Sign In to the Console. Amazon provides a free tier, with some limitations, for twelve months after you sign up for an AWS account.
Storing large static files is a common need for a web application. Accepting image uploads from authorized users while allowing public read access is a frequent example.
AWS provides a variety of APIs, one of which (S3) is well suited to this purpose. This guide helps ensure access to these APIs is restricted.

Why is this important?

Using any metered API carries financial risk. Using many APIs may carry data risk (information loss or exposure).
Using restrictive access control with AWS ensures that even if an identity is compromised, the actual risks, financial and otherwise, are limited: an identity that can only write objects into one bucket cannot read, delete or bill you for anything else.
- Open the AWS Console in your browser.
- From the AWS console, open tabs for IAM (Identity and Access Management) and S3 (Simple Storage Service).
Identities are how we grant access to AWS APIs.

In the IAM tab:

- Select Users in the left sidebar.
- Click Create New Users near the top of the page.
- Enter wdi-upload into box 1.
- Make sure Generate an access key for each user is checked.
- Click Create.
- Click Download Credentials.
- Save the file credentials.csv to this repository.
- Click Close.
- Click on the newly created user.
- Copy the User ARN (Amazon Resource Name) and save it in arn.txt.

We'll need the User ARN to grant access to the S3 bucket we'll use for uploads.
We'll also need an Access Key (Access Key Id and Secret Access Key) for this IAM User to upload files via the S3 API.
The Access Key is contained in credentials.csv.

Note well: credentials.csv contains secrets! Anyone holding the Access Key can act as wdi-upload.
Do not share them or store them in git. The .gitignore in this repository explicitly ignores this file.
If the key is ever exposed, delete it from the IAM user in the console and generate a new one.
S3 stores files you upload in buckets. A bucket is a top-level namespace for your files.

In the S3 tab:

- Click Create Bucket. This opens the Create a Bucket - Select a Bucket Name and Region modal.
- Enter a name in the Bucket Name box. It must be unique among all S3 buckets.
- Select US Standard for the Region.
- Click Create.
- Make sure the bucket and Properties are selected.
- Open the Permissions dropdown in the right sidebar.
- Click Add bucket policy near the bottom of the Permissions dropdown.
- At the bottom of the Bucket Policy Editor modal, click AWS Policy Generator. This opens the AWS Policy Generator page.
- On the AWS Policy Generator page:
  - Step 1: Select Policy Type
    - For Select Type of Policy use S3 Bucket Policy.
  - Step 2: Add Statement(s)
    - Select Allow for Effect.
    - Paste the User ARN into the Principal box.
    - Select PutObject and PutObjectAcl for Actions.
    - Enter arn:aws:s3:::<bucket_name>/* into the Amazon Resource Name (ARN) box.
    - Click Add Statement.
  - Step 3: Generate Policy
    - Click Generate Policy.
    - Copy the JSON from the Policy JSON Document modal.
- Return to the S3 tab.
- Paste the bucket policy into the Bucket Policy Editor modal.
- Click Save.
- Click Save in the Permissions dropdown.
You have now created and granted access to an S3 bucket.
These steps limit upload access to one bucket for the identity wdi-upload.
The policy grants only PutObject (write an object) and PutObjectAcl (set that object's ACL, which is what lets the uploader mark a file public-read), and only on objects inside the bucket (arn:aws:s3:::<bucket_name>/*), not on the bucket itself. So wdi-upload cannot list, read or delete what is in the bucket, and cannot touch any other bucket.
This is one specific and restrictive way of implementing access control. AWS provides many different mechanisms to grant and restrict access.

The generated policy looks like the following (with <key_name> being * if you entered the ARN as described above):
```json
{
  "Version": "2012-10-17",
  "Id": "Policy1439826519004",
  "Statement": [
    {
      "Sid": "Stmt1439826516658",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AWS Account Id>:user/<IAM User Name>"
      },
      "Action": [
        "s3:PutObjectAcl",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::<bucket_name>/<key_name>"
    }
  ]
}
```
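As an added example (not part of the original exercise), the script below builds the same upload-only bucket policy from an account id, user name and bucket name, and then audits any bucket policy against the restrictions the steps above are meant to enforce: no wildcard principal, no actions beyond PutObject/PutObjectAcl, and resources scoped to objects inside the one bucket. The account id, user name, bucket name and the deliberately over-broad sample policy are constructed placeholders, not values from the page; run it with your own values before pasting the output into the Bucket Policy Editor.

```python
import json

# Constructed placeholder values, not taken from the page: replace them with
# your own AWS account id, IAM user name and bucket name.
ACCOUNT_ID = "123456789012"
USER_NAME = "wdi-upload"
BUCKET_NAME = "example-upload-bucket"

# The only two actions the walkthrough grants: write an object, set its ACL.
UPLOAD_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def build_upload_policy(account_id, user_name, bucket_name):
    """Build the bucket policy the walkthrough produces by hand: one IAM user
    may only PutObject/PutObjectAcl on objects inside one bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowUploadFromOneUser",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:user/{user_name}"},
                "Action": list(UPLOAD_ACTIONS),
                "Resource": f"arn:aws:s3:::{bucket_name}/*",
            }
        ],
    }


def audit_upload_policy(policy, bucket_name):
    """Check every Allow statement against the walkthrough's intent and return
    a list of findings (empty means the policy is as restrictive as intended):
    no wildcard principal, only the two upload actions, and every resource an
    object path inside the expected bucket (never the bucket itself or '*')."""
    object_prefix = f"arn:aws:s3:::{bucket_name}/"
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        aws_principals = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS"))
        if "*" in aws_principals:
            findings.append(f"{sid}: principal is '*', so anyone on the internet gets these actions")
        for action in _as_list(stmt.get("Action")):
            if action not in UPLOAD_ACTIONS:
                findings.append(f"{sid}: action {action} goes beyond upload-only")
        for resource in _as_list(stmt.get("Resource")):
            if not resource.startswith(object_prefix):
                findings.append(f"{sid}: resource {resource} is not scoped to objects in {bucket_name}")
    return findings


# Constructed example of a policy that is too broad, to show what the audit
# catches: a public wildcard statement plus a read grant on the bucket itself.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicWrite", "Effect": "Allow", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::*"},
        {"Sid": "ReadToo", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:user/{USER_NAME}"},
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": [f"arn:aws:s3:::{BUCKET_NAME}/*", f"arn:aws:s3:::{BUCKET_NAME}"]},
    ],
}

if __name__ == "__main__":
    policy = build_upload_policy(ACCOUNT_ID, USER_NAME, BUCKET_NAME)
    print(json.dumps(policy, indent=2))  # paste this into the Bucket Policy Editor
    print("findings for generated policy:", audit_upload_policy(policy, BUCKET_NAME))
    for finding in audit_upload_policy(OVERLY_BROAD_POLICY, BUCKET_NAME):
        print("finding:", finding)
```

The audit deliberately ignores Deny statements, since they can only narrow what an Allow grants, and it treats a bucket-level ARN (no trailing slash) as a finding because bucket-level permissions such as ListBucket are exactly what the walkthrough leaves out.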
- Create (or select) an AWS Identity.
- Create and download credentials for this identity.
- Create an S3 bucket.
- Create a bucket policy.
- All content is licensed under a CCBYNCSA 4.0 license.
- All software code is licensed under GNU GPLv3. For commercial use or alternative licensing, please contact [email protected].