Comments (6)
simonw
commented on August 19, 2024
I'm tempted to support three variants of this here:
# From a file
s3-credentials create mybucket --policy policy.json
# From stdin
cat policy.json | s3-credentials create mybucket --policy -
# Pass in the literal policy as a string
s3-credentials create mybucket --policy '{
"Version": "2012-10-17"
...
}'
It's a little weird to have an option which can tell the difference between a file name and a literal string of JSON, but it's not hard to implement - check if the passed string starts with a { and is valid JSON - and I think I like it better than supporting two options of --policy filename and --policy-string policy-string.
from s3-credentials.
simonw
commented on August 19, 2024
I can use click.open_file() in the implementation to handle -: https://github.com/pallets/click/blob/2996d3c11972ad1d71339481f2119495185e7d8d/src/click/utils.py#L335-L342
from s3-credentials.
simonw
commented on August 19, 2024
Tested my work in progress like this:
% s3-credentials create static.niche-museums.com \
--username custom-policy \
--policy /tmp/custom-policy.json
Attached policy s3.read-write.static.niche-museums.com to user custom-policy
Created access key for user: custom-policy
{
"UserName": "custom-policy",
"AccessKeyId": "AKIAWXFXAIOZE56QRRHG",
"Status": "Active",
"SecretAccessKey": "...",
"CreateDate": "2021-11-03 18:29:17+00:00"
}
% s3-credentials list-user-policies custom-policy
User: custom-policy
PolicyName: s3.read-write.static.niche-museums.com
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListObjectsInBucketIsMyCustomSid",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::static.niche-museums.com"
]
},
{
"Sid": "AllObjectActions",
"Effect": "Allow",
"Action": "s3:*Object",
"Resource": [
"arn:aws:s3:::static.niche-museums.com/*"
]
}
]
}
Where /tmp/custom-policy.json contained this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListObjectsInBucketIsMyCustomSid",
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::$!BUCKET_NAME!$"]
},
{
"Sid": "AllObjectActions",
"Effect": "Allow",
"Action": "s3:*Object",
"Resource": ["arn:aws:s3:::$!BUCKET_NAME!$/*"]
}
]
}from s3-credentials.
simonw
commented on August 19, 2024
Here's what happens if you feed it valid JSON that does not form a valid policy document:
% s3-credentials create static.niche-museums.com \
--username custom-policy \
--policy '{}'
Created user: custom-policy with permissions boundary: arn:aws:iam::aws:policy/AmazonS3FullAccess
Traceback (most recent call last):
File "/Users/simon/.local/share/virtualenvs/s3-credentials-J8M1ChYK/bin/s3-credentials", line 33, in <module>
sys.exit(load_entry_point('s3-credentials', 'console_scripts', 's3-credentials')())
File "/Users/simon/.local/share/virtualenvs/s3-credentials-J8M1ChYK/lib/python3.10/site-packages/click/core.py", line 1128, in __call__
return self.main(*args, **kwargs)
File "/Users/simon/.local/share/virtualenvs/s3-credentials-J8M1ChYK/lib/python3.10/site-packages/click/core.py", line 1053, in main
rv = self.invoke(ctx)
File "/Users/simon/.local/share/virtualenvs/s3-credentials-J8M1ChYK/lib/python3.10/site-packages/click/core.py", line 1659, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/Users/simon/.local/share/virtualenvs/s3-credentials-J8M1ChYK/lib/python3.10/site-packages/click/core.py", line 1395, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/Users/simon/.local/share/virtualenvs/s3-credentials-J8M1ChYK/lib/python3.10/site-packages/click/core.py", line 754, in invoke
return __callback(*args, **kwargs)
File "/Users/simon/Dropbox/Development/s3-credentials/s3_credentials/cli.py", line 190, in create
iam.put_user_policy(
File "/Users/simon/.local/share/virtualenvs/s3-credentials-J8M1ChYK/lib/python3.10/site-packages/botocore/client.py", line 388, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/Users/simon/.local/share/virtualenvs/s3-credentials-J8M1ChYK/lib/python3.10/site-packages/botocore/client.py", line 708, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.errorfactory.MalformedPolicyDocumentException: An error occurred (MalformedPolicyDocument) when calling the PutUserPolicy operation: Syntax errors in policy.
I'm not going to bother catching that, I think the erro message is clear enough as it stands.
from s3-credentials.
simonw
commented on August 19, 2024
Documentation: https://github.com/simonw/s3-credentials/blob/34d0350d286877aa13446e06313cd0f7bd47d78a/README.md#using-a-custom-policy
from s3-credentials.
simonw
commented on August 19, 2024
Realized I missed something here: the username and policy name generated still has read-write as part of it even when using a custom policy.
from s3-credentials.
Related Issues (20)
- Way to make an existing bucket public or private HOT 1
- Convert README into documentation website HOT 3
- Make it easier to add extra policy statements HOT 10
- Provide a `--profile` option to allow AWS profile selection HOT 3
- Using --policy should imply --user-permissions-boundary=none HOT 2
- s3-credentials.AmazonS3FullAccess has MaxSessionDuration 3600, should be 12 hours HOT 5
- KeyError if listing bucket with no items returned
- s3-credentials list-buckets --details should show region and website URL, if configured HOT 2
- `s3-credentials get-objects` command HOT 7
- `get-objects/put-objects` `--skip` and `--skip-hash` options HOT 1
- Add the options to add tags to the created resources HOT 3
- `set-public-policy` command HOT 5
- Add s3:PutObjectAcl to write policies HOT 3
- `s3-credentials delete-objects` command HOT 11
- Mysterious test failure in `test_put_objects` HOT 4
- debug-bucket command HOT 3
- Command to make a bucket public HOT 4
- `s3-credentials create name-of-bucket --create-bucket --public` fails with error HOT 4
- `s3-credentials list-bucket --urls` option HOT 1
- CI failures, including ImportError: cannot import name 'mock_s3' from 'moto' HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from s3-credentials.