# Policy documents
|
|
|
|
The IAM policies generated by this tool (the output of `s3-credentials policy my-s3-bucket`, plus the extra option shown in each heading) for a bucket called `my-s3-bucket` would look like this. Every statement is an `Allow` scoped to `arn:aws:s3:::my-s3-bucket` and/or `arn:aws:s3:::my-s3-bucket/*` (narrowed to the sub-path when `--prefix` is given), so none of these policies grants access to any other bucket. Note that the default read-write policy includes `s3:DeleteObject`; use `--read-only` or `--write-only` for credentials that must not be able to delete existing objects.
|
|
|
|
## read-write (default)
|
|
|
|
<!-- [[[cog
|
|
# cog directive: run the CLI's "policy" command in-process and splice its JSON
# output into the fenced block that follows, so the documented policy always
# matches what the tool actually generates.
import cog, json
from s3_credentials import cli
from click.testing import CliRunner
runner = CliRunner()
# No --read-only / --write-only / --prefix flags: this is the read-write default.
result = runner.invoke(cli.cli, ["policy", "my-s3-bucket"])
# Round-trip through json.loads()/json.dumps(indent=2) for stable, readable output;
# json.loads() also fails loudly if the command printed anything other than JSON.
cog.out(
"```\n{}\n```".format(json.dumps(json.loads(result.output), indent=2))
)
|
|
]]] -->
|
|
```
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"s3:ListBucket",
|
|
"s3:GetBucketLocation"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:s3:::my-s3-bucket"
|
|
]
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"s3:GetObject",
|
|
"s3:GetObjectAcl",
|
|
"s3:GetObjectLegalHold",
|
|
"s3:GetObjectRetention",
|
|
"s3:GetObjectTagging"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:s3:::my-s3-bucket/*"
|
|
]
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"s3:PutObject",
|
|
"s3:DeleteObject"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:s3:::my-s3-bucket/*"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
```
|
|
<!-- [[[end]]] -->
|
|
|
|
## `--read-only`
|
|
|
|
<!-- [[[cog
|
|
# cog directive for the --read-only variant; relies on `runner`, `cog` and `json`
# set up in the first cog block of this page.
result = runner.invoke(cli.cli, ["policy", "my-s3-bucket", "--read-only"])
# Re-serialise with indent=2 so the rendered policy is stable and readable.
cog.out(
"```\n{}\n```".format(json.dumps(json.loads(result.output), indent=2))
)
|
|
]]] -->
|
|
```
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"s3:ListBucket",
|
|
"s3:GetBucketLocation"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:s3:::my-s3-bucket"
|
|
]
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"s3:GetObject",
|
|
"s3:GetObjectAcl",
|
|
"s3:GetObjectLegalHold",
|
|
"s3:GetObjectRetention",
|
|
"s3:GetObjectTagging"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:s3:::my-s3-bucket/*"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
```
|
|
<!-- [[[end]]] -->
|
|
|
|
## `--write-only`
|
|
|
|
<!-- [[[cog
|
|
# cog directive for the --write-only variant; relies on `runner`, `cog` and `json`
# set up in the first cog block of this page.
result = runner.invoke(cli.cli, ["policy", "my-s3-bucket", "--write-only"])
# Re-serialise with indent=2 so the rendered policy is stable and readable.
cog.out(
"```\n{}\n```".format(json.dumps(json.loads(result.output), indent=2))
)
|
|
]]] -->
|
|
```
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"s3:PutObject"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:s3:::my-s3-bucket/*"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
```
|
|
<!-- [[[end]]] -->
|
|
|
|
## `--prefix my-prefix/`
|
|
|
|
<!-- [[[cog
|
|
# cog directive for the --prefix variant; relies on `runner`, `cog` and `json`
# set up in the first cog block of this page. The prefix is passed with its
# trailing slash on purpose: judging by the rendered output it is concatenated
# verbatim with "*" in the object ARNs and the s3:prefix condition.
result = runner.invoke(cli.cli, ["policy", "my-s3-bucket", "--prefix", "my-prefix/"])
# Re-serialise with indent=2 so the rendered policy is stable and readable.
cog.out(
"```\n{}\n```".format(json.dumps(json.loads(result.output), indent=2))
)
|
|
]]] -->
|
|
```
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"s3:GetBucketLocation"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:s3:::my-s3-bucket"
|
|
]
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"s3:ListBucket"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:s3:::my-s3-bucket"
|
|
],
|
|
"Condition": {
|
|
"StringLike": {
|
|
"s3:prefix": [
|
|
"my-prefix/*"
|
|
]
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"s3:GetObject",
|
|
"s3:GetObjectAcl",
|
|
"s3:GetObjectLegalHold",
|
|
"s3:GetObjectRetention",
|
|
"s3:GetObjectTagging"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:s3:::my-s3-bucket/my-prefix/*"
|
|
]
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"s3:PutObject",
|
|
"s3:DeleteObject"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:s3:::my-s3-bucket/my-prefix/*"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
```
|
|
<!-- [[[end]]] -->
|
|
|
|
## `--prefix my-prefix/ --read-only`
|
|
|
|
<!-- [[[cog
|
|
# cog directive for --prefix combined with --read-only; relies on `runner`, `cog`
# and `json` set up in the first cog block of this page.
result = runner.invoke(cli.cli, ["policy", "my-s3-bucket", "--prefix", "my-prefix/", "--read-only"])
# Re-serialise with indent=2 so the rendered policy is stable and readable.
cog.out(
"```\n{}\n```".format(json.dumps(json.loads(result.output), indent=2))
)
|
|
]]] -->
|
|
```
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"s3:GetBucketLocation"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:s3:::my-s3-bucket"
|
|
]
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"s3:ListBucket"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:s3:::my-s3-bucket"
|
|
],
|
|
"Condition": {
|
|
"StringLike": {
|
|
"s3:prefix": [
|
|
"my-prefix/*"
|
|
]
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"s3:GetObject",
|
|
"s3:GetObjectAcl",
|
|
"s3:GetObjectLegalHold",
|
|
"s3:GetObjectRetention",
|
|
"s3:GetObjectTagging"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:s3:::my-s3-bucket/my-prefix/*"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
```
|
|
<!-- [[[end]]] -->
|
|
|
|
## `--prefix my-prefix/ --write-only`
|
|
|
|
<!-- [[[cog
|
|
# cog directive for --prefix combined with --write-only; relies on `runner`, `cog`
# and `json` set up in the first cog block of this page.
result = runner.invoke(cli.cli, ["policy", "my-s3-bucket", "--prefix", "my-prefix/", "--write-only"])
# Re-serialise with indent=2 so the rendered policy is stable and readable.
cog.out(
"```\n{}\n```".format(json.dumps(json.loads(result.output), indent=2))
)
|
|
]]] -->
|
|
```
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"s3:PutObject"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:s3:::my-s3-bucket/my-prefix/*"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
```
|
|
<!-- [[[end]]] -->
|
|
|
|
(public_bucket_policy)=
|
|
|
|
## public bucket policy
|
|
|
|
Buckets created using the `--public` option will have the following bucket policy attached to them (the same document is printed by `s3-credentials policy my-s3-bucket --public-bucket`). Unlike the identity policies above, this one carries a `Principal` of `"*"`, so it allows anyone, including unauthenticated requests, to read every object in the bucket, now and in the future. It grants `s3:GetObject` only, not `s3:ListBucket`: any object can be fetched by whoever knows or guesses its key, but the bucket cannot be listed through this policy. Only use `--public` for data that is meant to be world-readable.
|
|
|
|
<!-- [[[cog
|
|
# cog directive for the public *bucket* policy (note the flag here is
# --public-bucket, whereas bucket creation uses --public); relies on `runner`,
# `cog` and `json` set up in the first cog block of this page. The rendered
# document has a "Principal" field, which the identity policies above do not.
result = runner.invoke(cli.cli, ["policy", "my-s3-bucket", "--public-bucket"])
# Re-serialise with indent=2 so the rendered policy is stable and readable.
cog.out(
"```\n{}\n```".format(json.dumps(json.loads(result.output), indent=2))
)
|
|
]]] -->
|
|
```
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Sid": "AllowAllGetObject",
|
|
"Effect": "Allow",
|
|
"Principal": "*",
|
|
"Action": [
|
|
"s3:GetObject"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:s3:::my-s3-bucket/*"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
```
|
|
<!-- [[[end]]] --> |