Login/Register
What policy would enable Lightsail to upload to a restricted S3 bucket?
Asked Answered
Solved amazon-web-servicesamazon-s3amazon-lightsail
L

1

5

Since Lightsail instances are hosted from a dedicated AWS account different from the user's account, what would be a good S3 bucket policy to restrict bucket/object actions for a specific Lightsail instance? Specifically, I would like to grant only s3:PutObject and s3:ListBucket actions to the instance.

Or, is there another, better solution for granting access than the bucket policy?

Lidless answered 12/5, 2018 at 2:4 Comment(0)
A
7

Since Lightsail is managed outside, you can create a IAM User (Not IAM Role) and attach IAM Policy to it in the AWS account where the private S3 bucket resides.

Then use the AWS IAM User's programmatic access cresentials from you Lightsail instance to access S3.

Abydos answered 12/5, 2018 at 2:57 Comment(6)
Thanks. I'd rather not need a dedicated user. I've tried assume-role, but that failed.Lidless
Do you plan to have an authentication mechanism like Login through Cognito?Abydos
@Lidless you can't assume a role without have some kind of credentials to use when calling AssumeRole.Suisse
@Michael-sqlbot I've set up a role for ec2 and lambda access to the bucket for future development. When I tried to assume it from the Lightsail instance, I got an AccessDenied error. So, I just may not have it configured properly.Lidless
@Lidless you can't assume a role without credentials, so unless you used an IAM user's credentials to call AssumeRole, access denied would be expected. With instance roles on actual EC2 instances, the EC2 infrastructure uses its own credentials to call AssumeRole on your behalf and expose the initial instance role temporary credentials to the instance, which can then be used to access services or assume other roles... but Lightsail doesn't appear to be able to do this without static IAM user credentials.Suisse
@Abydos Cognito is not in the picture, yet. Maybe down the road. I'll go ahead and mark this as accepted. Thanks!Lidless

© 2022 - 2024 — McMap. All rights reserved.