4. Managing AWS S3 access
This part is for those who manage developer roles and access.
Let's assume that, for security reasons, developers should have access only to a limited set of S3 buckets. For example, a developer or a team of developers should have access to one or several buckets, and every bucket contains several database dumps from one or more projects belonging to the same client. The general concept is the following:
- Create IAM groups for different access levels.
- Create IAM policies that grant access to specific S3 buckets.
- Attach the policies to the IAM groups.
- Create IAM users and add them to the appropriate IAM groups.
- Instruct developers to configure the AWS CLI with their IAM user credentials.
- Define and describe who is responsible for IAM. Developers must know whom to contact and when.
You can implement another access scheme that better suits your needs. This one is an example that demonstrates how the pieces fit together.
- Log in to the AWS Management Console and navigate to the IAM service.
- Click on `User Groups` in the left-hand menu, then click the `Create Group` button.
- Give the group a meaningful name, e.g., `S3-Department-ACME`, depending on the access level you want to provide.
- Repeat this process to create additional groups for different access levels as needed.
We recommend creating a group per project, per group of projects, or per client. For example, at Default Value we create a group that provides access to the bucket related to a particular client and their projects.
- In the IAM service, click on `Policies` in the left-hand menu, then click the `Create policy` button.
- Choose the `JSON` tab and enter a policy that grants the necessary permissions to specific S3 buckets. Here's an example policy that allows access to a single bucket:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}
```
Replace `your-bucket-name` with the name of the actual bucket you want to grant access to. Note that both ARNs are needed: `s3:ListBucket` applies to the bucket itself, while the object actions apply to the keys under `your-bucket-name/*`.
- Add a meaningful tag to your policy, for example
- Click `Review policy`, give the policy a name and description, and click `Create policy`.
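The policy above is easy to get wrong by hand (a stray `arn:aws:s3:::*` silently grants every bucket to the group). The following script, added here as an example and not part of the Dockerizer project, generates the bucket-scoped policy for one or more buckets (split into a bucket-level and an object-level statement) and lints any policy document for resources outside a client's allowed buckets. The bucket name `acme-db-dumps` is constructed for the demonstration.

```python
# Added example, not Dockerizer project code: builds the bucket-scoped
# policy from the step above for one or more buckets and lints a policy
# document for grants that reach beyond a client's buckets. Stdlib only.
import json
from typing import Iterable, List

BUCKET_ACTIONS = ["s3:ListBucket"]  # valid only on the bucket ARN
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]  # object ARNs


def build_policy(buckets: Iterable[str]) -> dict:
    """Least-privilege policy: ListBucket on each bucket, object actions on its keys."""
    names = list(buckets)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": BUCKET_ACTIONS,
             "Resource": [f"arn:aws:s3:::{b}" for b in names]},
            {"Effect": "Allow", "Action": OBJECT_ACTIONS,
             "Resource": [f"arn:aws:s3:::{b}/*" for b in names]},
        ],
    }


def audit_policy(policy: dict, allowed_buckets: Iterable[str]) -> List[str]:
    """Return findings for Allow statements that touch buckets outside
    `allowed_buckets` or use wildcard resources; [] means bucket-scoped."""
    allowed = set(allowed_buckets)
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        resources = st.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            if not res.startswith("arn:aws:s3:::"):
                findings.append(f"statement {i}: non-S3 or wildcard resource {res!r}")
                continue
            bucket = res[len("arn:aws:s3:::"):].split("/", 1)[0]
            if "*" in bucket or bucket not in allowed:
                findings.append(f"statement {i}: bucket {bucket!r} is outside the allowed set")
    return findings


if __name__ == "__main__":
    # Constructed bucket name for demonstration purposes.
    policy = build_policy(["acme-db-dumps"])
    print(json.dumps(policy, indent=2))
    print("findings:", audit_policy(policy, ["acme-db-dumps"]))
```

Paste the generated JSON into the `JSON` tab of the policy editor, and run `audit_policy` over policies exported from IAM when reviewing what a group can actually reach.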
- Go back to the `User Groups` page in the IAM service.
- Click on the group you created earlier, then click the `Permissions > Add Permissions > Attach Policy` button.
- Search for the policy you created in Step 2 and select it, then click the `Add permissions` button.
- In the IAM service, click on `Users` in the left-hand menu, then click the `Add user` button.
- Enter a username, then click `Next: Permissions`.
- Click the `Add user to group` button and select the appropriate group you created earlier, then click `Next: Tags`.
- Optionally, add tags to help identify the user, then click `Next: Review`.
- Review the user information and click `Create user`.
- Choose the user, then navigate to `Security Credentials > Access keys` to provide the new user with their `Access key ID` and `Secret access key`. They will need this information to configure the AWS CLI in the next step.
See the next article: Using AWS credentials with Dockerizer.
Configure one IAM user that can read all relevant S3 buckets. This user is required for the CI/CD pipeline to download the database dump from the S3 bucket (see GitLab pipeline to build DB images).
To be investigated: use the AWS CLI V2 and enable authentication through a user in IAM Identity Center.
Ideally, we should implement this in PHP, so that Dockerizer can use the AWS CLI V2 data or populate it when needed. Contributions are welcome.