terraform, s3 bucket policy


Solution 1

I like using IAM roles. If using kubernetes, for example, you could have an IAM role assigned to your pod.

Basic example below showing how to give read permissions to S3 buckets. Values are hardcoded for simplicity, but it is best to use suitable variables.

resource "aws_iam_role_policy" "my-s3-read-policy" {
  name   = "inline-policy-name-that-will-show-on-aws"
  role   = "some-existing-iam-role-name"
  policy = data.aws_iam_policy_document.s3_read_permissions.json
}

data "aws_iam_policy_document" "s3_read_permissions" {
  statement {
    effect = "Allow"

    actions = [
      "s3:GetObject",
      "s3:GetObjectAcl",
      "s3:ListBucket",
    ]

    # Bucket ARNs cover s3:ListBucket; the "/*" ARNs cover the object-level actions.
    resources = [
      "arn:aws:s3:::my-bucket-1",
      "arn:aws:s3:::my-bucket-1/*",
      "arn:aws:s3:::my-bucket-2",
      "arn:aws:s3:::my-bucket-2/*",
    ]
  }
}

You could do a targeted plan as follows:

terraform plan -target=aws_iam_role_policy.my-s3-read-policy

Which would output:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_iam_role_policy.my-s3-read-policy will be created
  + resource "aws_iam_role_policy" "my-s3-read-policy" {
      + id     = (known after apply)
      + name   = "inline-policy-name-that-will-show-on-aws"
      + policy = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "s3:ListBucket",
                          + "s3:GetObjectAcl",
                          + "s3:GetObject",
                        ]
                      + Effect   = "Allow"
                      + Resource = [
                          + "arn:aws:s3:::my-bucket-2/*",
                          + "arn:aws:s3:::my-bucket-2",
                          + "arn:aws:s3:::my-bucket-1/*",
                          + "arn:aws:s3:::my-bucket-1",
                        ]
                      + Sid      = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + role   = "some-existing-iam-role-name"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Solution 2

I agree with @ydaetskcoR's opinion on your idea. But if you insist on doing it via a bucket policy, you can copy the module out to your repo directly and adjust the resource aws_s3_bucket_policy for your environment.

resource "aws_s3_bucket_policy" "bucket_policy" {
  bucket = aws_s3_bucket.bucket.id

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "${aws_iam_user.user.arn}"
      },
      "Action": [ "s3:*" ],
      "Resource": [
        "${aws_s3_bucket.bucket.arn}",
        "${aws_s3_bucket.bucket.arn}/*"
      ]
    }
  ]
}
EOF
}
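As an added example (not code from either answer or from the turnerlabs module), here is the split the thread converges on: anonymous read of objects only through the bucket policy, and an upload-only identity policy on the IAM user instead of granting it s3:* in the bucket policy. The resource names aws_s3_bucket.images and aws_iam_user.uploader are assumed to be declared elsewhere.

```hcl
# Assumes aws_s3_bucket.images and aws_iam_user.uploader exist (hypothetical names).

# Anonymous GetObject on objects only: no s3:ListBucket, so keys cannot be enumerated.
data "aws_iam_policy_document" "public_read_objects" {
  statement {
    sid       = "PublicReadObjects"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.images.arn}/*"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }
  }
}

# Bucket-level Block Public Access must permit a public bucket policy;
# keep public ACLs blocked so only the policy controls anonymous access.
resource "aws_s3_bucket_public_access_block" "images" {
  bucket                  = aws_s3_bucket.images.id
  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = false
  restrict_public_buckets = false
}

resource "aws_s3_bucket_policy" "images" {
  bucket = aws_s3_bucket.images.id
  policy = data.aws_iam_policy_document.public_read_objects.json

  # New buckets block public policies by default; apply the block settings first
  # or PutBucketPolicy is rejected with AccessDenied.
  depends_on = [aws_s3_bucket_public_access_block.images]
}

# Upload-only identity policy for the user: PutObject on objects, nothing else.
data "aws_iam_policy_document" "upload_only" {
  statement {
    sid       = "UploadOnly"
    effect    = "Allow"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.images.arn}/*"]
  }
}

resource "aws_iam_user_policy" "uploader" {
  name   = "images-upload-only"
  user   = aws_iam_user.uploader.name
  policy = data.aws_iam_policy_document.upload_only.json
}
```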

Updated on June 04, 2022

Comments

  • George Livanoss (almost 2 years)

    I'm using this module https://github.com/turnerlabs/terraform-s3-user to create some S3 buckets and their related IAM users.

    This works fine:

    module "my_bucket" {
      source = "github.com/turnerlabs/terraform-s3-user?ref=v2.1"
    
      bucket_name = "my-bucket"
    
      tag_team          = "developers"
      tag_contact-email = "xxxxx"
      tag_application   = "xxxxx"
      tag_environment   = "prod"
      tag_customer      = "xxxxx"
    }
    

    Now I want to fix the default policy of the S3 bucket created by this module.

    terraform show shows me this:

    module.my_bucket.aws_s3_bucket_policy.bucket_policy:
      id = my-bucket
      bucket = my-bucket
      policy = {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::____________:user/srv_my-bucket"
          },
          "Action": [ "s3:*" ],
          "Resource": [
            "arn:aws:s3:::my-bucket",
            "arn:aws:s3:::my-bucket/*"
          ]
        }
      ]
    }
    

    How should I modify my .tf to have another policy?

    • ydaetskcoR (almost 5 years)
      Why are you using that module? It looks pretty useless for anyone other than the original user's intention and is pointless to open source. The bucket policy is a bad idea too. Instead the user/role should have the ability to access a completely private bucket via IAM permissions rather than this outdated and confusing way of approaching it.
    • George Livanoss (almost 5 years)
      It's easier for me to use that module instead of manually creating buckets, users and IAM. I need a modified bucket policy to make all objects public: it's a directory of images. The IAM user only needs to upload.