Policy settings for AWS S3 bucket paired with cunoFS

Hi,
Does anyone know how to set the policies in an AWS bucket so that when pairing with cunoFS it only allows that one specific bucket to be seen and paired? Are there any JSON examples?
Thank you,
Glen

Hi Glen, sorry for the slow response - we had an issue with receiving notifications from Discourse that should now be fixed.

For posterity, here’s an example JSON IAM Policy which, when attached to an IAM user/group, will cause cuno creds to only pair with those buckets that are specified and any publicly available buckets in the S3 account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR_BUCKET_NAME",
                "arn:aws:s3:::YOUR_BUCKET_NAME/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        }
    ]
}

The policy still needs to allow listing buckets (ListAllMyBuckets) in order for cuno creds to discover it and do the initial pairing. This permission may be removed later from the AWS IAM Policy. You can also omit the ListAllMyBuckets permissions, but in that case you will see “Access Denied” failures during cuno creds import (though the import will succeed), and you will then need to pair your bucket manually, e.g.

$ cuno creds import limited_credentials.txt

AccessDenied: Access Denied
	status code: 403, request id: DZVSADRCEXAMPLE, host id: TcIbXNx5Iwn5PHU1AUkZI8G3Eohw14snyD1XExample/ywVN/ILvrxDCQDyxv6vLGY=[Error] AccessDenied: Access Denied
	status code: 403, request id: DZVSADRCEXAMPLE, host id: TcIbXNx5Iwn5PHU1AUkZI8G3Eohw14snyD1XExample/ywVN/ILvrxDCQDyxv6vLGY=
$ cuno creds pair s3://YOUR_BUCKET_NAME limited_credentials.s3c

- Verifying access to YOUR_BUCKET_NAME using limited_credentials.s3c

We hope this helps.
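An added example, not part of the original reply and not cunoFS code: a small offline check that an IAM policy document like the one above only reaches the intended bucket, and that separates the ListAllMyBuckets discovery statement (removable after pairing) from anything broader. The names `audit_policy`, `PAGE_POLICY` and the finding labels are assumptions made for this sketch.

```python
import json

DISCOVERY_ACTION = "s3:listallmybuckets"  # IAM action names are case-insensitive

# Constructed sample: the policy from the post, with its placeholder bucket name.
PAGE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:*"],
   "Resource": ["arn:aws:s3:::YOUR_BUCKET_NAME", "arn:aws:s3:::YOUR_BUCKET_NAME/*"]},
  {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "*"}
]}
""")

def _as_list(value):
    """IAM allows a single string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy, bucket):
    """Return (statement index, kind, resources) for Allow statements reaching past `bucket`.

    kind is "discovery" (only ListAllMyBuckets, removable after pairing),
    "too-broad" (other actions on other resources) or "review" (Not* elements).
    """
    in_scope = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt or "NotResource" in stmt:
            # Inverted matches are easy to get wrong; flag for a human.
            findings.append((idx, "review", _as_list(stmt.get("NotResource", []))))
            continue
        # Exact ARN match only: "arn:aws:s3:::name*" would also match other buckets.
        outside = [r for r in _as_list(stmt.get("Resource", [])) if r not in in_scope]
        if not outside:
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        only_discovery = bool(actions) and all(a == DISCOVERY_ACTION for a in actions)
        findings.append((idx, "discovery" if only_discovery else "too-broad", outside))
    return findings

if __name__ == "__main__":
    for idx, kind, resources in audit_policy(PAGE_POLICY, "YOUR_BUCKET_NAME"):
        print(f"Statement[{idx}] {kind}: {', '.join(resources)}")
```

An empty result means every Allow statement is confined to the named bucket and its objects, which is the state the policy reaches once the ListAllMyBuckets statement has been removed after pairing.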