mirror
/
s3-credentials
kopia lustrzana https://github.com/simonw/s3-credentials
1
0
Forkuj 0
Kod Zgłoszenia Packages Projekty Wydania Wiki Aktywność

s3-credentials policy --public-bucket option, closes #44

pull/45/head
Simon Willison 2021-12-06 19:25:36 -08:00
rodzic 2a8fae5b22
commit a2a642d616
3 zmienionych plików z 61 dodań i 1 usunięć
Pokaż statystyki Ściągnij plik aktualizacji Ściągnij plik porównania Expand all files Collapse all files

31
README.md
Wyświetl plik

@ -171,6 +171,7 @@ You can use the `s3-credentials policy` command to generate the JSON policy docu
- `--read-only` - generate a read-only policy - `--read-only` - generate a read-only policy
- `--write-only` - generate a write-only policy - `--write-only` - generate a write-only policy
- `--public-bucket` - generate a bucket policy for a public bucket
With none of these options it defaults to a read-write policy. With none of these options it defaults to a read-write policy.
``` ```
@ -546,6 +547,36 @@ cog.out(
``` ```
<!-- [[[end]]] --> <!-- [[[end]]] -->
### public bucket policy
Buckets created using the `--public` option will have the following bucket policy attached to them:
<!-- [[[cog
result = runner.invoke(cli.cli, ["policy", "my-s3-bucket", "--public-bucket"])
cog.out(
"```\n{}\n```".format(json.dumps(json.loads(result.output), indent=2))
)
]]] -->
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::my-s3-bucket/*"
]
}
]
}
```
<!-- [[[end]]] -->
## Development ## Development
To contribute to this tool, first checkout the code. Then create a new virtual environment: To contribute to this tool, first checkout the code. Then create a new virtual environment:

16
s3_credentials/cli.py
Wyświetl plik

@ -123,7 +123,21 @@ class DurationParam(click.ParamType):
) )
@click.option("--read-only", help="Only allow reading from the bucket", is_flag=True) @click.option("--read-only", help="Only allow reading from the bucket", is_flag=True)
@click.option("--write-only", help="Only allow writing to the bucket", is_flag=True) @click.option("--write-only", help="Only allow writing to the bucket", is_flag=True)
def policy(buckets, read_only, write_only): @click.option(
"--public-bucket",
help="Bucket policy for allowing public access",
is_flag=True,
)
def policy(buckets, read_only, write_only, public_bucket):
if public_bucket:
if len(buckets) != 1:
raise click.ClickException(
"--public-bucket-policy can only be generated for a single bucket"
)
click.echo(
json.dumps(policies.bucket_policy_allow_all_get(buckets[0]), indent=4)
)
return
permission = "read-write" permission = "read-write"
if read_only: if read_only:
permission = "read-only" permission = "read-only"

15
s3_credentials/policies.py
Wyświetl plik

@ -56,3 +56,18 @@ def write_only_statements(bucket):
def wrap_policy(statements): def wrap_policy(statements):
return {"Version": "2012-10-17", "Statement": statements} return {"Version": "2012-10-17", "Statement": statements}
def bucket_policy_allow_all_get(bucket):
return {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": ["s3:GetObject"],
"Resource": ["arn:aws:s3:::{}/*".format(bucket)],
}
],
}