# Policy documents
The IAM policies generated by this tool for a bucket called `my-s3-bucket` would look like this:
## read-write (default)
<!-- [[[cog
import cog, json
from s3_credentials import cli
from click.testing import CliRunner
runner = CliRunner()
result = runner.invoke(cli.cli, ["policy", "my-s3-bucket"])
cog.out(
"```\n{}\n```".format(json.dumps(json.loads(result.output), indent=2))
)
]]] -->
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectLegalHold",
        "s3:GetObjectRetention",
        "s3:GetObjectTagging"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket/*"
      ]
    }
  ]
}
```
<!-- [[[end]]] -->
## `--read-only`
<!-- [[[cog
result = runner.invoke(cli.cli, ["policy", "my-s3-bucket", "--read-only"])
cog.out(
"```\n{}\n```".format(json.dumps(json.loads(result.output), indent=2))
)
]]] -->
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectLegalHold",
        "s3:GetObjectRetention",
        "s3:GetObjectTagging"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket/*"
      ]
    }
  ]
}
```
<!-- [[[end]]] -->
## `--write-only`
<!-- [[[cog
result = runner.invoke(cli.cli, ["policy", "my-s3-bucket", "--write-only"])
cog.out(
"```\n{}\n```".format(json.dumps(json.loads(result.output), indent=2))
)
]]] -->
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket/*"
      ]
    }
  ]
}
```
<!-- [[[end]]] -->
## `--prefix my-prefix/`
<!-- [[[cog
result = runner.invoke(cli.cli, ["policy", "my-s3-bucket", "--prefix", "my-prefix/"])
cog.out(
"```\n{}\n```".format(json.dumps(json.loads(result.output), indent=2))
)
]]] -->
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "my-prefix/*"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectLegalHold",
        "s3:GetObjectRetention",
        "s3:GetObjectTagging"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket/my-prefix/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket/my-prefix/*"
      ]
    }
  ]
}
```
<!-- [[[end]]] -->
## `--prefix my-prefix/ --read-only`
<!-- [[[cog
result = runner.invoke(cli.cli, ["policy", "my-s3-bucket", "--prefix", "my-prefix/", "--read-only"])
cog.out(
"```\n{}\n```".format(json.dumps(json.loads(result.output), indent=2))
)
]]] -->
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "my-prefix/*"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectLegalHold",
        "s3:GetObjectRetention",
        "s3:GetObjectTagging"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket/my-prefix/*"
      ]
    }
  ]
}
```
<!-- [[[end]]] -->
## `--prefix my-prefix/ --write-only`
<!-- [[[cog
result = runner.invoke(cli.cli, ["policy", "my-s3-bucket", "--prefix", "my-prefix/", "--write-only"])
cog.out(
"```\n{}\n```".format(json.dumps(json.loads(result.output), indent=2))
)
]]] -->
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket/my-prefix/*"
      ]
    }
  ]
}
```
<!-- [[[end]]] -->
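As an added example (not part of s3-credentials itself), a small Python evaluator that checks what the `--prefix my-prefix/` policy above does and does not allow. It assumes Allow-only statements, list-valued `Resource` fields and the single `StringLike` `s3:prefix` condition shown on this page, which covers these generated policies but is not a general IAM evaluator.

```python
"""Minimal evaluator for the Allow-only policies on this page (added example,
not s3-credentials code). Assumes Allow statements only, list-valued
"Resource", and the StringLike s3:prefix condition the --prefix policies use."""
import fnmatch
import json

# The `--prefix my-prefix/` policy from this page, embedded inline as sample input.
PREFIX_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetBucketLocation"],
     "Resource": ["arn:aws:s3:::my-s3-bucket"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::my-s3-bucket"],
     "Condition": {"StringLike": {"s3:prefix": ["my-prefix/*"]}}},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectAcl",
      "s3:GetObjectLegalHold", "s3:GetObjectRetention", "s3:GetObjectTagging"],
     "Resource": ["arn:aws:s3:::my-s3-bucket/my-prefix/*"]},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::my-s3-bucket/my-prefix/*"]}
  ]
}
""")


def _condition_matches(condition, context):
    """StringLike check; an absent Condition block always matches."""
    for key, patterns in condition.get("StringLike", {}).items():
        value = context.get(key)
        # IAM treats a missing key as a failed match: ListBucket with no
        # prefix is denied, which is what scopes the listing to my-prefix/.
        if value is None or not any(fnmatch.fnmatchcase(value, p) for p in patterns):
            return False
    return True


def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement matches action, resource and condition.
    IAM denies by default, so anything not explicitly allowed is refused."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or action not in stmt["Action"]:
            continue
        # IAM wildcards (* and ?) behave like fnmatch's; "/" is not special.
        if not any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False
```

One consequence worth knowing: a listing with no prefix at all (for example `aws s3 ls s3://my-s3-bucket/`) is denied by this policy, because the `StringLike` condition fails when `s3:prefix` is absent from the request.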
(public_bucket_policy)=
## public bucket policy
Buckets created using the `--public` option will have the following bucket policy attached to them:
<!-- [[[cog
result = runner.invoke(cli.cli, ["policy", "my-s3-bucket", "--public-bucket"])
cog.out(
"```\n{}\n```".format(json.dumps(json.loads(result.output), indent=2))
)
]]] -->
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket/*"
      ]
    }
  ]
}
```
<!-- [[[end]]] -->