Create a Pulumi program for S3 backend access

Question

Pulumi · Accepted Answer

Certainly, to create programmatic access to resources stored in an S3 bucket, two main resources are required in your AWS setup:

1. **AWS S3 Bucket** - A bucket is a logical unit of storage in Amazon Web Services (AWS) object storage service, Simple Storage Solution (S3). Buckets hold objects which consist of data and its descriptive metadata.

2. **AWS IAM User** - This is an entity that you create in AWS to represent the person or application that uses it to interact with AWS. The IAM user has credentials and permissions attached to it that determine what the user can and can't do in AWS.

3. **AWS IAM Access Key** - AWS IAM access keys are primarily used for programmatic access to AWS services like adding and retrieving content in S3 buckets. They consist of an access key ID and a secret access key.

Here is a program that accomplishes this:

```python
import pulumi
import pulumi_aws as aws

# Create an AWS S3 bucket
bucket = aws.s3.Bucket("my-bucket")

# Create an AWS IAM User
s3_user = aws.iam.User("S3User")

# Allow programmatic access to the AWS S3 bucket:
s3_policy = aws.iam.Policy("S3FullAccessPolicy",
    description = "S3 full access policy",
    policy = bucket.arn.apply(lambda bucket_arn: 
      f'''{{
        "Version": "2012-10-17",
        "Statement": [
          {{"Effect": "Allow","Action": ["s3:*"],"Resource": ["{bucket_arn}/*","{bucket_arn}"]}}
        ]}}
      ''')
    )

# Attach the policy to the user
policy_attachment = aws.iam.PolicyAttachment("s3FullAccess",
    policy_arn = s3_policy.arn,
    users = [s3_user.name]
)

# Create an IAM Access Key for the user
s3_access_key = aws.iam.AccessKey("S3AccessKey", user = s3_user.name)

# Export the IAM User's access key and secret key
pulumi.export("accessKeyId", s3_access_key.id)
pulumi.export("secretAccessKey", s3_access_key.secret)
```

Remember to keep the `secretAccessKey` confidential! You may consider to manage the access keys via AWS SecretsManager.

In this Python code, we are creating an AWS S3 bucket, an IAM user and granting the user full access to the S3 bucket via a policy. We also generate an access key pair that can be used for programmatic access (_i.e._, access from your code) to AWS services. The program exports the access key ID and secret at the end so you have the values handy—you'll need them for your code.

*Keep your secret access key confidential to protect your AWS resources!*