Thanks to the Amazon Web Services IAM service, which allows identity and access management, we can create an external user (with an access key and a URL of its own) and permit it to access a single S3 bucket.

An IAM allows more efficient user management through group creation.
For this example, we will be creating a single user directly.

Creating a bucket on S3

Connect to the AWS console, access the S3 section and create a new bucket.
Take note of the name and, for latency reasons, remember the region where you create the bucket.

On the AWS console, access to IAM.
Before creating the user, it’s a good idea to create an “alias” access to the AWS console. It’ll be the URL through the user you’ll create will connect later.

Write down the alias URL.

Now we can create the user.
Inside the IAM, click on the “Users” section, “Create a new user”, and then write the name and click the credential generation option.

We won’t be needing the credentials for this guide, but you must keep them for future needs.

From IAM, we create an access password for our user, selecting user, “security credentials”.

Now write down the password that, along with the username and the previous URL, make the information the new user will need to log in.

Defining permissions

Amazon Web Services allows us to define at a group and/or user level, granting it through JSON code. Also, AWS had ready-made templates and examples that can serve as a basis.

For this example, select the user and access “Permissions”, “Attach User Policy” and then “Select”.

 

Give the permission policy a name and add the code you will find below:

 

Substitute NOMBREBUCKET by the name of the bucket you have created.


{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads"
],
"Resource": "arn:aws:s3:::NOMBREBUCKET",
"Condition": {}
},
{
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectAclVersion"
],
"Resource": "arn:aws:s3:::NOMBREBUCKET/*",
"Condition": {}
},
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*",
"Condition": {}
}
]
}

The given permissions include read, write and file deletion (objects) on the bucket. If you just want to grant read permissions, delete the lines in blue.

Now you just must save the new policy and send the connection data and the URL to the user.

About the author

Tomàs Manzanares is Sales Consultant at CAPSiDE, certified consultant by SAP, Blogger/Founder/Media Producer at MossegaLaPoma.cat and trainer on the Community Management and Digital Communication postgraduate course at the UPC School of Professional & Executive Development.

CREDITS: this guide was originally published in Catalan at Cloud4Pro

TAGS: aws, bucket, how-to, S3, sysadmin

speech-bubble-13-icon Created with Sketch.
Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

*
*