Using aws iam-user with s3-bucket
In this guide, we will create a simple AWS infrastructure using Pulumi, consisting of an S3 bucket and an IAM user with permissions to access the bucket. This setup is common when you want to store data in S3 and control access to it at the user level.
The Pulumi program, written in TypeScript, creates the following resources:
- IAM User: We'll create an AWS Identity and Access Management (IAM) user. IAM users are entities that you create in AWS to represent the person or service that interacts with AWS services and resources.
- S3 Bucket: We'll create an S3 bucket. Amazon S3 is an object storage service that offers industry-leading scalability, data availability, security, and performance.
- Bucket Policy: We'll attach a bucket policy to our S3 bucket granting the IAM user permissions to access this bucket.
Please follow the steps below to understand and implement the program.
Before you begin, make sure you have Pulumi installed and configured for use with AWS.
Explaining the Pulumi Program
Here is what the program looks like:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create an AWS IAM user
const iamUser = new aws.iam.User("myAppUser", {});

// Create an Amazon S3 bucket
const bucket = new aws.s3.Bucket("myBucket", {});

// Create a policy for the bucket that allows the user to manage objects.
// The principal is taken from the user's `arn` output so that, inside the
// apply callback, it is a plain string: an Output (e.g. pulumi.interpolate)
// cannot be passed through JSON.stringify.
const bucketPolicy = new aws.s3.BucketPolicy("myBucketPolicy", {
    bucket: bucket.bucket, // reference to the bucket created above
    policy: pulumi.all([bucket.bucket, iamUser.arn]).apply(([bucketName, userArn]) =>
        JSON.stringify({
            Version: "2012-10-17",
            Statement: [
                {
                    Action: ["s3:GetObject", "s3:PutObject"],
                    Resource: `arn:aws:s3:::${bucketName}/*`,
                    Effect: "Allow",
                    Principal: { AWS: userArn },
                },
            ],
        })),
});

// Export the names and the bucket URL
export const bucketName = bucket.bucket;
export const userName = iamUser.name;
export const bucketEndpoint = pulumi.interpolate`s3://${bucket.bucket}`;
```
What's going on in this program?
- We start by importing the necessary Pulumi libraries for general Pulumi functions and AWS resources.
- We define an IAM user without any specific properties; Pulumi will assign a default name unless you specify one.
- Next, we create an S3 bucket.
- We then create an S3 bucket policy. This policy allows the IAM user we created (identified by its ARN as the principal) to perform GetObject and PutObject actions on the objects within the bucket.
- Finally, we export the bucket name and URL, as well as the IAM user's name, which could be useful for CI/CD or further automation outside of Pulumi.
Please note, in a real-world scenario, you may need to specify additional arguments and properties according to your particular use case. For example, you may wish to configure:
- The path and tagging for the IAM user.
- The bucket visibility and access policies more granularly.
- Any server-side encryption on the S3 bucket.
This program assumes that the appropriate AWS credentials and permissions are already set up in your Pulumi environment and that the required Pulumi and AWS SDK packages are installed.
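To make the "more granular access policies" and "server-side encryption" points concrete, here is an added example (not the page's or Pulumi's own code) that builds the bucket policy as a plain object and lints it before it is stringified in the `apply` callback. It goes beyond the program above by adding a Deny statement for uploads that omit the server-side-encryption header; the `Sid` values and function names are illustrative.

```typescript
// Added example, not the page's code: the bucket policy as a plain, testable
// object plus a lint pass, to run before handing the JSON to the Pulumi program.
type Principal = "*" | { AWS: string | string[] };
interface Statement {
  Sid: string;
  Effect: "Allow" | "Deny";
  Principal: Principal;
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string>>;
}
interface PolicyDocument { Version: "2012-10-17"; Statement: Statement[] }

function asList(v: string | string[]): string[] { return Array.isArray(v) ? v : [v]; }

// Grants one IAM principal object read/write on the bucket (as in the program
// above) and, going further, denies uploads that do not request SSE.
function buildBucketPolicy(bucketName: string, userArn: string): PolicyDocument {
  const objects = `arn:aws:s3:::${bucketName}/*`;
  return {
    Version: "2012-10-17",
    Statement: [
      { Sid: "AppUserObjectAccess", Effect: "Allow", Principal: { AWS: userArn },
        Action: ["s3:GetObject", "s3:PutObject"], Resource: objects },
      // An explicit Deny overrides any Allow; Null=true means the SSE header is absent.
      { Sid: "DenyUnencryptedUploads", Effect: "Deny", Principal: "*",
        Action: "s3:PutObject", Resource: objects,
        Condition: { Null: { "s3:x-amz-server-side-encryption": "true" } } },
    ],
  };
}

// Flags Allow statements with a wildcard principal, a wildcard action, or a
// resource outside the intended bucket. Deny statements may legitimately use "*".
function lintBucketPolicy(policy: PolicyDocument, bucketName: string): string[] {
  const problems: string[] = [];
  const prefix = `arn:aws:s3:::${bucketName}`;
  for (const s of policy.Statement) {
    if (s.Effect !== "Allow") continue;
    const principals = s.Principal === "*" ? ["*"] : asList(s.Principal.AWS);
    if (principals.indexOf("*") !== -1) problems.push(`${s.Sid}: wildcard principal`);
    for (const a of asList(s.Action)) {
      if (a.indexOf("*") !== -1) problems.push(`${s.Sid}: wildcard action ${a}`);
    }
    for (const r of asList(s.Resource)) {
      if (r.slice(0, prefix.length) !== prefix) problems.push(`${s.Sid}: resource outside bucket ${r}`);
    }
  }
  return problems;
}
```

In the program above, `JSON.stringify(buildBucketPolicy(bucketName, userArn))` can replace the inline object inside the `pulumi.all([...]).apply` callback, with the lint run in a unit test against constructed names.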