S3_Sync with AWS IAM Users and Policies

You can use your AWS root account’s access keys to sync content to your S3-backed website. It will work, and it may be acceptable for a very small organization. Root keys, however, grant unrestricted access to everything in the account, so they are a poor fit for anything that has to be shared or stored on another machine.

A better approach is to create an IAM user that can manage only your bucket and its content. Such a user has no access to any other AWS API or resource, which limits the damage if its credentials are exposed.

The first step is to create the user in AWS. Log in to AWS as an administrator and open the IAM console. Click on the Users link, then on the “Create New Users” button.

You’ll be given the opportunity to enter multiple users. Enter a user name for your new user and make sure that the “Generate an access key for each user” checkbox is checked. Click on the “Create” button.

This will send you to a new screen. Make sure to download the security credentials.

You can attach a policy directly to a user, but it is cleaner to create a group and attach the policy there, so that any further users inherit the same permissions. Click on the “Groups” link and then on “Create New Group”. Enter a group name and click on the “Next Step” button.

Pick the “Custom Policy” link. This will make it easier to drop in the policies that grant access to your bucket. Click on the “Select” button. Provide a policy name. Next, copy the following policy in the Policy Document text field:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::fredjean.net"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::fredjean.net/*"
    }
  ]
}

Of course, replace fredjean.net with the name of your bucket. Be aware that s3:* on the bucket ARN also lets the user delete the bucket, change its website configuration and rewrite its bucket policy. If the user only needs to publish content, you can narrow the first statement to s3:ListBucket and the second to s3:GetObject, s3:PutObject and s3:DeleteObject (plus s3:PutObjectAcl if objects are uploaded with a public-read ACL); a sync that lacks a permission fails with an AccessDenied error that names the missing action, so you can add it. Click on the “Next Step” button.

Verify that the information listed on the Review page matches what you entered and click on the “Create Group” button. This should send you to the Groups page and you should see your new group.

Click on the group name. This will give you the group details page. Click on the “Add Users to Group” button. Select the user or users that need the permissions to manage your bucket. Click on the Add Users button.
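The same provisioning done from the command line with the AWS CLI, as an added example that is not code from the original post or from middleman-s3_sync. It assumes the AWS CLI is installed and configured with administrator credentials; the group, policy and user names are placeholders, and the narrowed action list is the set I expect a sync to need rather than something the post states. The policy is checked for wildcards before it is applied, and the IAM calls only run when the script is invoked with the `apply` argument.

```shell
#!/bin/sh
# Added example: provisions the publishing user with the AWS CLI instead of
# the IAM console. Not code from the original post or from middleman-s3_sync.
# Assumes the AWS CLI is installed and configured with administrator
# credentials; the group, policy and user names are placeholders.
set -eu

BUCKET="${BUCKET:-fredjean.net}"                 # bucket that hosts the site
GROUP_NAME="${GROUP_NAME:-s3-sync-$BUCKET}"      # placeholder name
POLICY_NAME="${POLICY_NAME:-s3-sync-$BUCKET}"    # placeholder name
USER_NAME="${USER_NAME:-s3-sync-ci}"             # placeholder name

# Inline policy scoped to one bucket. Narrower than "s3:*": the bucket-level
# statement only lists and locates the bucket, the object-level statement only
# reads, writes and deletes objects, so a leaked key cannot delete the bucket
# or rewrite its policy or website configuration. The action list is what I
# expect a sync to need (an assumption); a missing one shows up as an
# AccessDenied error naming the action.
make_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::$1"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::$1/*"
    }
  ]
}
EOF
}

# Guard before applying a policy: reject wildcard actions and any Resource
# that is not the bucket or its objects. Returns 0 if the document is scoped.
policy_is_scoped() {
    doc="$1"
    bucket="$2"
    printf '%s\n' "$doc" | grep -q '"Action": *"\*"' && return 1
    printf '%s\n' "$doc" | grep -q '"s3:\*"' && return 1
    printf '%s\n' "$doc" | grep '"Resource"' | grep -v -q "arn:aws:s3:::$bucket" && return 1
    return 0
}

# Create the group, attach the inline policy, create the user, add it to the
# group and mint one access key. The secret is printed once; store it in the
# tool's configuration and nowhere else.
provision() {
    bucket="$1"; user="$2"; group="$3"; policy="$4"
    doc="$(make_policy "$bucket")"
    policy_is_scoped "$doc" "$bucket" || { echo "refusing to apply unscoped policy" >&2; return 1; }
    aws iam create-group --group-name "$group"
    aws iam put-group-policy --group-name "$group" \
        --policy-name "$policy" --policy-document "$doc"
    aws iam create-user --user-name "$user"
    aws iam add-user-to-group --group-name "$group" --user-name "$user"
    aws iam create-access-key --user-name "$user"
}

# Usage: BUCKET=example.com sh provision-s3-sync-user.sh apply
if [ "${1:-}" = "apply" ]; then
    provision "$BUCKET" "$USER_NAME" "$GROUP_NAME" "$POLICY_NAME"
fi
```

Running it with `apply` performs the same steps as the console walkthrough; the access key printed by the last command is what goes into the middleman-s3_sync configuration. Adding a second publisher is one `aws iam create-user` plus `aws iam add-user-to-group` against the same group.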

Your user is now able to manage the S3 bucket that hosts your content. Configure middleman-s3_sync with the credentials of your new user and attempt a sync. The credentials can go either in the .s3_sync configuration file or in environment variables; if you use the file, keep it out of version control, since it holds the secret key. The middleman-s3_sync README documents both options in detail.

At this point, delete any access keys associated with your root account if you used them to publish content to a bucket. The root account does not need access keys for day-to-day work, so there is little reason to keep them around.

Finally, you can create additional users and add them to the group if several people or systems are allowed to publish your website, for example a CI server that publishes your blog. Giving each person and system its own user and access key means a single key can be rotated or revoked without disturbing the others.