MayaraCloud / apt-transport-s3

S3 transport for APT
GNU General Public License v2.0

Document minimal IAM permissions #61

Open otto-liljalaakso-nt opened 2 years ago

otto-liljalaakso-nt commented 2 years ago

I have a use case that I intend to solve by creating a dedicated IAM user, who will only interact with apt repos in S3 using apt-transport-s3. I would like to give that IAM user minimal permission needed for the job. However, it is not easy for me to understand what they should be. Is it possible to document the minimal requirements in README? Preferably separately for read and read/write, if such separation makes sense here.

dballenger commented 1 year ago

Not sure if you still needed help, but I saw this still sitting here, I'm using something like this:

{
    "Statement": [
        {
            "Action": "s3:GetObject",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::$bucket/pool/*",
                "arn:aws:s3:::$bucket/dists/*"
            ],
            "Sid": "S3AptReadOnly"
        }
    ],
    "Version": "2012-10-17"
}

I'm not sure you can get more minimal than this. For write you'd probably only need to add "s3:PutObject" but I don't have a specific policy to look at for that.
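The following is an added example, not code from this thread or from the apt-transport-s3 project: it builds the read-only policy above (and the read/write variant the comment suggests, which is an assumption, since no tested write policy is given) for a bucket and evaluates sample requests against it with a simplified IAM matcher, so you can see which S3 calls the policy actually permits before attaching it. The bucket name `apt-repo` and the object keys are constructed sample values; the matcher ignores Deny statements, conditions and principals, which this policy does not use.

```python
import fnmatch


def apt_s3_policy(bucket: str, write: bool = False) -> dict:
    """Least-privilege policy from the thread, scoped to one bucket.

    Read-only grants s3:GetObject on the pool/ and dists/ prefixes only.
    write=True also grants s3:PutObject on the same prefixes (assumption:
    the comment above suggests it but gives no tested write policy).
    """
    actions = ["s3:GetObject"] + (["s3:PutObject"] if write else [])
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "S3AptReadWrite" if write else "S3AptReadOnly",
            "Effect": "Allow",
            "Action": actions,
            "Resource": [f"arn:aws:s3:::{bucket}/pool/*",
                         f"arn:aws:s3:::{bucket}/dists/*"],
        }],
    }


def _as_list(value):
    # IAM accepts either a single string or a list for Action/Resource.
    return [value] if isinstance(value, str) else list(value)


def is_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """Simplified IAM evaluation: implicit deny unless an Allow statement
    matches both the action and the resource ARN. '*' and '?' are the only
    wildcards IAM uses; fnmatchcase's '*' also spans '/', as IAM's does."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])) \
                and any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            return True
    return False  # no matching Allow: implicit deny


if __name__ == "__main__":
    ro = apt_s3_policy("apt-repo")  # constructed bucket name
    for action, key in [("s3:GetObject", "pool/main/f/foo/foo_1.0_amd64.deb"),
                        ("s3:GetObject", "dists/stable/Release"),
                        ("s3:GetObject", "private/keys.txt"),
                        ("s3:PutObject", "pool/main/f/foo/foo_1.0_amd64.deb")]:
        arn = f"arn:aws:s3:::apt-repo/{key}"
        print(f"{action:13} {key:40} {'ALLOW' if is_allowed(ro, action, arn) else 'DENY'}")
```

Note that s3:ListBucket on the bucket ARN itself is denied by this policy, which is fine for apt-transport-s3 because it fetches known keys under dists/ and pool/ rather than listing the bucket.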

otto-liljalaakso-nt commented 1 year ago

Thank you for the policy. I do not use this library at the moment, but hopefully this will help others who do.