Quick Tip – IAM S3 Policy for DeployBot

For one of the projects I’m working on, we’re using DeployBot to handle deploying our code from our Bitbucket repository to an AWS S3 bucket. For security reasons, we want to keep the IAM policy as restrictive as possible, so that it can only add/remove files in that one bucket. However, DeployBot needs to be able to connect to S3 and list the account’s buckets so it can offer a list for you to choose from in the deployment wizard. After a little bit of tweaking, this is the IAM policy that worked for me.

Quick Tip

You can build this using the “Inline Policy” feature in AWS IAM. If you had an S3 bucket named “bucket-of-fish”, your policy would look like this:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "s3:ListAllMyBuckets",
            "s3:GetBucketLocation"
         ],
         "Resource": [
            "arn:aws:s3:::*"
         ]
      },
      {
         "Effect": "Allow",
         "Action": [
            "s3:*"
         ],
         "Resource": [
            "arn:aws:s3:::bucket-of-fish"
         ]
      },
      {
         "Effect": "Allow",
         "Action": [
            "s3:*"
         ],
         "Resource": [
            "arn:aws:s3:::bucket-of-fish/*"
         ]
      }
   ]
}

From what I’ve read, you need to grant actions on both the bucket itself (arn:aws:s3:::bucket-of-fish) and on the objects inside it (arn:aws:s3:::bucket-of-fish/*), which is why there are two resource entries for the bucket. The top-level statement on arn:aws:s3:::* is only for the initial login / bucket list retrieval, and it carries just the two list/location actions, not s3:*.
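If you want to confirm before attaching the policy that it really reaches no further than the one bucket, here is a small offline checker. It is an added example, not code from the original post or from DeployBot: it builds the policy above for a given bucket name, answers “would this action on this resource be allowed?” with simple IAM-style wildcard matching, and flags any Allow statement that pairs a wildcard S3 action with a wildcard resource. It models only the Allow statements of an identity policy (no explicit Deny, conditions, or bucket policies), which is enough to check the scoping point made above; the bucket names other than bucket-of-fish are constructed for the demonstration.

```python
"""Offline scoping check for the DeployBot-style S3 policy (added example)."""
import fnmatch
import json


def deploybot_policy(bucket: str) -> dict:
    """Return the policy from the post, parameterised on the bucket name."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
                "Resource": ["arn:aws:s3:::*"],
            },
            {
                "Effect": "Allow",
                "Action": ["s3:*"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
            },
            {
                "Effect": "Allow",
                "Action": ["s3:*"],
                "Resource": [f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }


def _as_list(value):
    # IAM allows a single string or a list for Action/Resource.
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # Action names are case-insensitive; '*' and '?' behave as IAM wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern: str, resource: str) -> bool:
    # Object keys are case-sensitive, so compare ARNs as-is.
    return fnmatch.fnmatchcase(resource, pattern)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement matches both the action and the resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_action_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if any(_resource_matches(r, resource) for r in _as_list(stmt["Resource"])):
            return True
    return False


def overbroad_statements(policy: dict) -> list:
    """Indices of Allow statements granting s3:* (or *) on every S3 resource."""
    flagged = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        wild_action = any(a in ("*", "s3:*") for a in _as_list(stmt["Action"]))
        wild_resource = any(r in ("*", "arn:aws:s3:::*") for r in _as_list(stmt["Resource"]))
        if wild_action and wild_resource:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    policy = deploybot_policy("bucket-of-fish")
    print(json.dumps(policy, indent=3))
    checks = [
        ("s3:ListAllMyBuckets", "arn:aws:s3:::*"),                      # wizard bucket list
        ("s3:PutObject", "arn:aws:s3:::bucket-of-fish/index.html"),     # deploy a file
        ("s3:PutObject", "arn:aws:s3:::other-bucket/index.html"),       # constructed: must be denied
        ("s3:DeleteBucket", "arn:aws:s3:::other-bucket"),               # constructed: must be denied
    ]
    for action, resource in checks:
        print(f"{action:22} {resource:45} allowed={is_allowed(policy, action, resource)}")
    print("overbroad statements:", overbroad_statements(policy))
```

The checker is intentionally conservative: it says nothing about what other policies on the same user allow, so run it as a first pass and then confirm with the IAM policy simulator in the console for the attached principal.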

Enjoy!

What are your 10 bits on the matter? I want to know!
