Git Product home page Git Product logo

Comments (6)

simonw avatar simonw commented on August 19, 2024

I'm going to add this to the existing s3-credentials create command as a --duration option, which can be 5 for 5 seconds or 10m for ten minutes - so there is an optional suffix which, if omitted, is assumed to be seconds.

from s3-credentials.

simonw avatar simonw commented on August 19, 2024 
def ensure_s3_role_exists(iam, sts):
    role_name = "s3-credentials.AmazonS3FullAccess"
    account_id = sts.get_caller_identity()["Account"]
    try:
        role = iam.get_role(RoleName=role_name)
        return role["Role"]["Arn"]
    except iam.exceptions.NoSuchEntityException:
        create_role_response = iam.create_role(
            Description="Role used by the s3-credentials tool to create time-limited credentials that are restricted to specific buckets",
            RoleName=role_name,
            AssumeRolePolicyDocument=json.dumps(
                {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": "arn:aws:iam::{}:root".format(account_id)
                            },
                            "Action": "sts:AssumeRole",
                            "Condition": {},
                        }
                    ],
                }
            ),
        )
        # Attach AmazonS3FullAccess to it - note that even though we use full access
        # on the role itself any time we call sts.assume_role() we attach an additional
        # policy to ensure reduced access for the temporary credentials
        iam.attach_role_policy(
            RoleName="s3-credentials.AmazonS3FullAccess",
            PolicyArn="arn:aws:iam::aws:policy/AmazonS3FullAccess",
        )
        return create_role_response["Role"]["Arn"]

from s3-credentials.

simonw avatar simonw commented on August 19, 2024

I'm going to change how policies work a little bit.

The existing code attaches one policy per bucket to the created user:

s3-credentials/s3_credentials/cli.py

Lines 211 to 232 in 6e56b1b

# Add inline policies to the user so they can access the buckets
for bucket in buckets:
policy_name = "s3.{permission}.{bucket}".format(
permission="custom" if policy else permission,
bucket=bucket,
)
if policy:
policy_dict = json.loads(policy.replace("$!BUCKET_NAME!$", bucket))
else:
if permission == "read-write":
policy_dict = policies.read_write(bucket)
elif permission == "read-only":
policy_dict = policies.read_only(bucket)
elif permission == "write-only":
policy_dict = policies.write_only(bucket)
else:
assert False, "Unknown permission: {}".format(permission)
iam.put_user_policy(
PolicyDocument=json.dumps(policy_dict),
PolicyName=policy_name,
UserName=username,
)

With sts.assume_role() I only get to pass through a single policy document - so instead of generating a policy per bucket I'm going to generate "allow" blocks for each bucket and assemble those into a single policy.

This will likely change the way policies.py works.

from s3-credentials.

simonw avatar simonw commented on August 19, 2024

As such, further work on this issue is blocked on the redesigned policies from #15.

from s3-credentials.

simonw avatar simonw commented on August 19, 2024

Tested my prototype with a 15 minute duration, when I tried to make a call more than fifteen minutes later I got:

botocore.exceptions.ClientError: An error occurred (ExpiredToken) when calling the ListObjectsV2 operation: The provided token has expired.

from s3-credentials.

simonw avatar simonw commented on August 19, 2024

Documentation: https://github.com/simonw/s3-credentials/blob/56cede90ccced7cacf6f859e6a04fce2f21f52e9/README.md#usage

from s3-credentials.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.