
4. Managing AWS S3 access

Maksym Zaporozhets edited this page Jun 9, 2023 · 1 revision


This part is for those who manage developer roles and access.

Let's assume that, for security reasons, developers should have access only to a limited set of S3 buckets. For example, a developer or a team of developers should have access to one or multiple buckets. Every bucket contains several database dumps from one or multiple projects of the same client. The general concept is the following:

  1. Create IAM groups for different access levels.
  2. Create IAM policies that grant access to specific S3 buckets.
  3. Attach the policies to the IAM groups.
  4. Create IAM users and add them to the appropriate IAM groups.
  5. Instruct developers to configure the AWS CLI with their IAM user credentials.
  6. Define and describe who is responsible for IAM. Developers must know whom to contact and when.

You can implement another access schema that better suits your needs. This is an example to demonstrate how things work.

Step 1: Create IAM groups

  1. Log in to the AWS Management Console and navigate to the IAM service.
  2. Click on User Groups in the left-hand menu, then click the Create Group button.
  3. Give the group a meaningful name, e.g., S3-Department-ACME depending on the access level you want to provide.
  4. Repeat this process to create additional groups for different access levels as needed.

We recommend creating a group per project, per group of projects, or per client. For example, at Default Value we create a group that provides access to the bucket related to a particular client and their projects.

Step 2: Create IAM policies that grant access to specific S3 buckets

  1. In the IAM service, click on Policies in the left-hand menu, then click the Create policy button.
  2. Choose the JSON tab and enter a policy that grants the necessary permissions to specific S3 buckets. Here's an example policy that allows access to a single bucket:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::your-bucket-name",
                "arn:aws:s3:::your-bucket-name/*"
            ]
        }
    ]
}

Replace your-bucket-name with the name of the actual bucket you want to grant access to.

  3. Add a meaningful tag to your policy, for example
  4. Click Review policy, give the policy a name and description, and click Create policy.
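As an added example (not code from the Dockerizer wiki), the following Python builds the policy above for one or more buckets, including the read-only variant that the CI/CD user described further down needs, and checks a policy for the common ways it ends up broader than intended. The bucket names in it are constructed placeholders.

```python
import json

# Actions from the page's per-group policy; the CI/CD "global access" user
# described later on the page only needs the read subset.
RW_ACTIONS = ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
RO_ACTIONS = ["s3:ListBucket", "s3:GetObject"]
ARN_PREFIX = "arn:aws:s3:::"


def bucket_policy(buckets, actions=RW_ACTIONS):
    """Build the page's policy for one or more buckets. Both the bucket ARN
    (needed by s3:ListBucket) and the object ARN (needed by Get/Put/DeleteObject)
    are listed for every bucket, exactly as in the page's single-bucket example."""
    resources = []
    for name in buckets:
        resources += [f"{ARN_PREFIX}{name}", f"{ARN_PREFIX}{name}/*"]
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions),
                           "Resource": resources}]}


def as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def policy_findings(policy):
    """Return human-readable problems that would widen access beyond the
    intended buckets (an empty list means the policy is as narrow as the page's)."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        for action in as_list(st.get("Action", [])):
            if action == "*" or action.endswith("*"):  # e.g. s3:* instead of the four actions
                findings.append(f"statement {i}: wildcard action {action}")
        for res in as_list(st.get("Resource", [])):
            if res in ("*", f"{ARN_PREFIX}*"):  # every bucket in the account
                findings.append(f"statement {i}: wildcard resource {res}")
            elif "your-bucket-name" in res:  # the page's placeholder was not replaced
                findings.append(f"statement {i}: placeholder not replaced in {res}")
    return findings


if __name__ == "__main__":
    policy = bucket_policy(["acme-db-dumps"])  # constructed bucket name
    print(json.dumps(policy, indent=4))
    print(policy_findings(policy))  # []
```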

Step 3: Attach the policies to the IAM groups

  1. Go back to the User Groups page in the IAM service.
  2. Click on the group you created earlier, then click the Permissions > Add Permissions > Attach Policy button.
  3. Search for the policy you created in Step 2 and select it, then click the Add permissions button.

Step 4: Create IAM users and add them to the appropriate IAM groups

  1. In the IAM service, click on Users in the left-hand menu, then click the Add user button.
  2. Enter a username, then click Next: Permissions
  3. Click the Add user to group button and select the appropriate group you created earlier, then click Next: Tags.
  4. Optionally, add tags to help identify the user, then click Next: Review.
  5. Review the user information and click Create user.
  6. Choose the user, then navigate to Security Credentials > Access keys to provide the new user with their Access key ID and Secret access key. They will need this information to configure the AWS CLI in the next step.

Step 5: Instruct developers to configure the AWS CLI with their IAM user credentials

See the next article, Using AWS credentials with Dockerizer.

Additional IAM user with global access

Configure one IAM user that can read all relevant S3 buckets. This user is required for the CI/CD pipeline to download the database dump from the S3 bucket (see GitLab pipeline to build DB images).

IAM Identity Center

To be investigated: use the AWS CLI V2 and enable authentication through a user in IAM Identity Center. Ideally, we should implement this in PHP, so that Dockerizer can use AWS CLI V2 data or can populate it when needed. Contributions are welcome.
