Technologies IAM Permissions - uci-soe/checkout-api GitHub Wiki

I honestly hate these. They are never easy, they are never simple, and they always appear to be wrong on first go around. Their stupidity has been mitigated somewhat with the online web interface's wizards, but even that can be annoyingly imperfect.

There are Groups, Users, Roles, and Policies, but the way I see it there are two main object types you need to know about: Roles and Users. They are the actor objects; the others are just collective ways of organizing permissions.

Policies

Policies are a JSON document of rules that allow or deny (mostly allow, since deny is the default) access or actions for a service and an object in AWS. This is the smallest of the building blocks. If you want to allow access to an S3 bucket in an account, and allow only read and upload, but not delete or update, on a subset of files in only one bucket, Policies will do that.

Policies may be applied to the other three objects: Users, Groups, and Roles.

Groups

Groups can take one policy or multiple policies. These are best for dictating what some set of users or roles can do. I recommend using these to keep permissions for a person. The person may shift jobs, or you may want multiple people with the same permissions, and those people may shift in and out too.

Users

Users are people. People may log in or have non-web-console access via their API Key. People can be assigned a policy, but it's better to assign them one or multiple Groups and assign all policies to those Groups.

Users are people who can access objects and do things.

Roles

Roles are for machines -- not necessarily individual machines. A Role is like a user that doesn't have a person. It is for machines that act to do things: access objects, take actions, etc. People usually do those things, but you may assign EC2/Lambda/etc. to do so instead. Same as with users, I would recommend assigning roles to groups and giving the groups policies.

Try this

Create a Policy

Make a policy with full control over all S3 Buckets

  1. Open the web interface
  2. Go to IAM
  3. Create a Policy called "S3 All Access"
  4. Use the wizard to give the policy all access/rights to all S3 Buckets.

Create a Group

Give a group those permissions

  1. Create a Group called "S3 Manager"
  2. Attach the "S3 All Access" Policy to the new group.

Create a User

Assign a user the permissions/group so that a user may programmatically (via CLI or Application) access your S3 Buckets

  1. Make a new user without web-console access or a password
  2. Save the Access Key ID and Secret Key for later. You will never see the Secret again, so don't lose it.
  3. Attach the Group "S3 Manager". You could choose to attach the "S3 All Access" Policy directly to the User if you prefer.

Create a Role

Assign a role the permissions/group so that an EC2 or Lambda can manage the s3 if you wish

  1. Make a new role
  2. Attach the Group "S3 Manager". You could choose to attach the "S3 All Access" Policy directly to the Role if you prefer.
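As an added example (not from this wiki or the checkout-api project), here are the two policy documents as JSON: the full-access policy the exercise above builds with the wizard, and the narrower read-and-upload policy the Policies section describes. A small evaluator applies a simplified version of IAM's rules (an explicit Deny wins, otherwise a matching Allow grants, otherwise the request is denied by default) so you can compare what each policy actually grants before attaching it to a group, user or role. The bucket name checkout-uploads and the reports/ prefix are made up for the example.

```python
import fnmatch

# Policy the "Try this" exercise creates: every S3 action on every bucket.
S3_ALL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# The narrower policy the Policies section describes: list, read and upload
# under one prefix of one bucket, with delete explicitly denied. Bucket name
# and prefix are constructed for this example. Note that s3:PutObject covers
# overwrites as well as new uploads; plain IAM actions cannot separate the two.
S3_READ_UPLOAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::checkout-uploads"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::checkout-uploads/reports/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::checkout-uploads/*"},
    ],
}

def _matches(patterns, value):
    """IAM-style wildcard match; a statement field may be a string or a list."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, then any matching
    Allow grants, otherwise deny by default. Only the identity policy is
    modelled (no Condition blocks, resource policies or SCPs)."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

if __name__ == "__main__":
    obj = "arn:aws:s3:::checkout-uploads/reports/q1.csv"
    for name, policy in (("S3 All Access", S3_ALL_ACCESS), ("read/upload", S3_READ_UPLOAD)):
        print(name, "may delete", obj, "->", is_allowed(policy, "s3:DeleteObject", obj))
```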

Use the User

Now that you have a user (and a role), let's put that to use by doing the "Try this" section on the S3 Bucket page.