terraform, s3 bucket policy
Solution 1
I like using IAM roles. If using Kubernetes, for example, you could have an IAM role assigned to your pod.
A basic example below shows how to give read permissions to S3 buckets. Values are hardcoded for simplicity, but it is best to use suitable variables.
# Attaches an inline policy to an existing role; the role, not a bucket
# policy, carries the S3 permissions.
resource "aws_iam_role_policy" "my-s3-read-policy" {
  name   = "inline-policy-name-that-will-show-on-aws"
  role   = "some-existing-iam-role-name"
  policy = data.aws_iam_policy_document.s3_read_permissions.json
}

# Read-only access: object reads plus listing. Both the bucket ARN (needed
# for ListBucket) and the object ARNs (needed for GetObject*) are listed.
data "aws_iam_policy_document" "s3_read_permissions" {
  statement {
    effect = "Allow"
    actions = [
      "s3:GetObject",
      "s3:GetObjectAcl",
      "s3:ListBucket",
    ]
    resources = [
      "arn:aws:s3:::my-bucket-1",
      "arn:aws:s3:::my-bucket-1/*",
      "arn:aws:s3:::my-bucket-2",
      "arn:aws:s3:::my-bucket-2/*",
    ]
  }
}
You could do a targeted plan as follows:
terraform plan -target=aws_iam_role_policy.my-s3-read-policy
which would output:
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_iam_role_policy.my-s3-read-policy will be created
  + resource "aws_iam_role_policy" "my-s3-read-policy" {
      + id     = (known after apply)
      + name   = "inline-policy-name-that-will-show-on-aws"
      + policy = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "s3:ListBucket",
                          + "s3:GetObjectAcl",
                          + "s3:GetObject",
                        ]
                      + Effect   = "Allow"
                      + Resource = [
                          + "arn:aws:s3:::my-bucket-2/*",
                          + "arn:aws:s3:::my-bucket-2",
                          + "arn:aws:s3:::my-bucket-1/*",
                          + "arn:aws:s3:::my-bucket-1",
                        ]
                      + Sid      = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + role   = "some-existing-iam-role-name"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
Solution 2
I agree with @ydeatskcoR's opinion on your idea. But if you insist on doing it via bucket policy, you can copy the module out to your repo directly and adjust the resource aws_s3_bucket_policy for your environment.
resource "aws_s3_bucket_policy" "bucket_policy" {
  bucket = "${aws_s3_bucket.bucket.id}"
  # Grants the module's IAM user every S3 action on the bucket and its objects.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "${aws_iam_user.user.arn}"
      },
      "Action": [ "s3:*" ],
      "Resource": [
        "${aws_s3_bucket.bucket.arn}",
        "${aws_s3_bucket.bucket.arn}/*"
      ]
    }
  ]
}
EOF
}
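Neither answer covers what the asker states in the comments: objects publicly readable (a directory of images) while the IAM user only uploads. The following is an added example, not code from either answer or from the turnerlabs module, that expresses that split with least privilege; the bucket name "my-bucket" and user name "srv_my-bucket" come from the asker's terraform show output, while the resource labels "images", "uploader", "public_read" and "upload_only" are assumptions.

```hcl
# Added example, not from either answer: public-read images bucket plus an
# upload-only IAM user. Resource labels "images"/"uploader" are assumptions.
resource "aws_s3_bucket" "images" {
  bucket = "my-bucket"
}
# A public bucket policy is rejected unless these two flags are relaxed;
# ACL blocking stays on because only the bucket policy grants access.
resource "aws_s3_bucket_public_access_block" "images" {
  bucket                  = aws_s3_bucket.images.id
  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = false
  restrict_public_buckets = false
}
# Anonymous readers may fetch individual objects but get no s3:ListBucket,
# so the bucket contents cannot be enumerated.
data "aws_iam_policy_document" "public_read" {
  statement {
    sid       = "PublicReadObjects"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.images.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
  }
}
resource "aws_s3_bucket_policy" "public_read" {
  bucket     = aws_s3_bucket.images.id
  policy     = data.aws_iam_policy_document.public_read.json
  depends_on = [aws_s3_bucket_public_access_block.images]
}
# The uploader gets s3:PutObject on objects only, instead of the module's
# "s3:*": it cannot read, list or delete, nor edit the bucket policy.
resource "aws_iam_user" "uploader" {
  name = "srv_my-bucket"
}
data "aws_iam_policy_document" "upload_only" {
  statement {
    effect    = "Allow"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.images.arn}/*"]
  }
}

resource "aws_iam_user_policy" "upload_only" {
  user   = aws_iam_user.uploader.name
  policy = data.aws_iam_policy_document.upload_only.json
}
```

Because the bucket policy is the only public grant, a later `terraform plan` on aws_s3_bucket_policy.public_read shows exactly which principals and actions are exposed, which is easier to review than the module's "s3:*" statement.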
George Livanoss
Updated on June 04, 2022
Comments
- George Livanoss almost 2 years
I'm using this module https://github.com/turnerlabs/terraform-s3-user to create some S3 buckets and related IAM users.
This works fine:
module "my_bucket" {
  source            = "github.com/turnerlabs/terraform-s3-user?ref=v2.1"
  bucket_name       = "my-bucket"
  tag_team          = "developers"
  tag_contact-email = "xxxxx"
  tag_application   = "xxxxx"
  tag_environment   = "prod"
  tag_customer      = "xxxxx"
}
Now I want to fix the default policy of the S3 bucket created by this module.
terraform show
shows me this:
module.my_bucket.aws_s3_bucket_policy.bucket_policy:
  id     = my-bucket
  bucket = my-bucket
  policy = {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::____________:user/srv_my-bucket"
        },
        "Action": [ "s3:*" ],
        "Resource": [
          "arn:aws:s3:::my-bucket",
          "arn:aws:s3:::my-bucket/*"
        ]
      }
    ]
  }
How should I modify my .tf to have another policy?
- ydaetskcoR almost 5 years
Why are you using that module? It looks pretty useless for anyone other than the original user's intention and is pointless to open source. The bucket policy is a bad idea too. Instead the user/role should have the ability to access a completely private bucket via IAM permissions rather than this outdated and confusing way of approaching it.
- George Livanoss almost 5 years
It's easier for me to use that module instead of manually creating buckets, users and IAM. I need a modified bucket policy to have all objects public: it's a directory of images. The IAM user needs only to upload.