willschulz / bad-influence

Video discussion experiments to counter pathological influence in political discussions

Work out how to add other users to access the S3 bucket #32

Open JamesPHoughton opened 9 months ago

JamesPHoughton commented 9 months ago

https://repost.aws/knowledge-center/cross-account-access-s3

JamesPHoughton commented 9 months ago

Step 1:

Created a policy in the "owner account" to allow access only to read the correct bucket. "access-bad-influence-bucket"

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::deliberation-lab-recordings-bad-influence"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::deliberation-lab-recordings-bad-influence/*"
        }
    ]
}

Step 2:

Create a role (read-bad-influence-bucket) that can assume the policy we created, and assign principals for that role to the "collaborator" account. Add a trust relationship that allows the collaborator account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<collaborator AWS Account #>:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

Note: can probably make the principal account IDs a list.

Note: at some point also restrict within the account using a role in the account that is locked down?

Step 3:

On the "collaborator" account, created a policy that can access the read-bad-influence-bucket role from the "owner" account (let's call it "accessData").

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<owner AWS account #>:role/read-bad-influence-bucket"
        }
    ]
}

Step 4:

Attached the new collaborator policy ("accessData") to the role we wanted to give access to (from the collaborator side). As this was just to view them, it was the administrator role. If we wanted to set up a lambda function to access the videos, we would create a role for that lambda and attach this policy.

References:

What we want is called "AWS cross-account roles": https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html. In this case, principal probably means the consuming account?

The "External ID" for a federated user is a bit unusual.

When you have federated accounts, the MFA happens at the pennkey account, not at the Amazon level.

JamesPHoughton commented 9 months ago

Add multiple accounts who can assume the role: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#Principal_specifying
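The four-step procedure in the comments above (owner-side bucket-read policy, trust policy with a list of collaborator principals as the last comment suggests, collaborator-side AssumeRole policy), as an added example that is not part of this issue or the project's code. It generates the three policy documents from names and then lints them for the mistakes a reviewer would look for: a malformed principal ARN (the kind of typo that would make the trust policy unusable), a wildcard principal, and any action beyond read access on the one bucket. The bucket and role names come from the issue; the account IDs, the optional external ID, and the `read_bucket_via_role` helper (which needs boto3 and credentials in the collaborator account) are assumptions.

```python
"""Build and sanity-check cross-account S3 read-access policies (added example)."""
import re

# Names from the issue; the account IDs are constructed placeholders, not real accounts.
BUCKET = "deliberation-lab-recordings-bad-influence"
ROLE_NAME = "read-bad-influence-bucket"
OWNER_ACCOUNT = "111111111111"                              # placeholder
COLLABORATOR_ACCOUNTS = ["222222222222", "333333333333"]    # placeholders

# A well-formed IAM principal ARN: 12-digit account, then root / role / user.
ARN_IAM_RE = re.compile(r"^arn:aws:iam::\d{12}:(root|role/[\w+=,.@/-]+|user/[\w+=,.@/-]+)$")
READ_ONLY_ACTIONS = {"s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject"}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Principal; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def bucket_read_policy(bucket: str) -> dict:
    """Step 1: owner-account policy that can only list and read the one bucket."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": f"arn:aws:s3:::{bucket}/*"},
    ]}


def trust_policy(collaborator_accounts, external_id=None) -> dict:
    """Step 2: trust policy on the owner-account role. Principal is a list so several
    collaborator accounts can be trusted. If external_id is given, the AssumeRole call
    must present it (assumed option, not from the issue)."""
    stmt = {"Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{acct}:root" for acct in collaborator_accounts]},
            "Action": "sts:AssumeRole"}
    if external_id:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def assume_role_policy(owner_account: str, role_name: str) -> dict:
    """Step 3: collaborator-side policy ("accessData") allowing exactly one role to be assumed."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": f"arn:aws:iam::{owner_account}:role/{role_name}"}]}


def lint_trust_policy(policy: dict) -> list:
    """Return a list of problems: wildcard principals, malformed ARNs, wrong action."""
    problems = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            problems.append("wildcard principal: any AWS account could assume this role")
            continue
        for arn in _as_list(principal.get("AWS")):
            if not ARN_IAM_RE.match(arn):
                problems.append(f"malformed principal ARN: {arn!r}")
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            problems.append("trust statement does not allow sts:AssumeRole")
    return problems


def lint_bucket_policy(policy: dict, bucket: str) -> list:
    """Return a list of problems: non-read actions, or resources beyond the target bucket."""
    problems = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action"))
        for action in actions:
            if action not in READ_ONLY_ACTIONS:
                problems.append(f"non read-only or wildcard action: {action}")
        for res in _as_list(stmt.get("Resource")):
            if res == "arn:aws:s3:::*":
                if actions != ["s3:ListAllMyBuckets"]:  # the only action that needs a global resource
                    problems.append(f"resource wildcard combined with actions {actions}")
            elif res != bucket_arn and not res.startswith(bucket_arn + "/"):
                problems.append(f"resource outside target bucket: {res}")
    return problems


def read_bucket_via_role(owner_account: str, role_name: str, session_name="bad-influence-read"):
    """Step 4 in practice (assumed helper): from the collaborator account, assume the role
    and list the bucket. Requires boto3 and live credentials; not run offline."""
    import boto3
    sts = boto3.client("sts")
    creds = sts.assume_role(RoleArn=f"arn:aws:iam::{owner_account}:role/{role_name}",
                            RoleSessionName=session_name)["Credentials"]
    s3 = boto3.client("s3", aws_access_key_id=creds["AccessKeyId"],
                      aws_secret_access_key=creds["SecretAccessKey"],
                      aws_session_token=creds["SessionToken"])
    return [obj["Key"] for obj in s3.list_objects_v2(Bucket=BUCKET).get("Contents", [])]


if __name__ == "__main__":
    print(lint_bucket_policy(bucket_read_policy(BUCKET), BUCKET))
    print(lint_trust_policy(trust_policy(COLLABORATOR_ACCOUNTS, external_id="example-external-id")))
```

Run the linters against the JSON you are about to paste into the console before creating the role; a trust policy whose principal ARN does not parse is rejected by IAM, but an over-broad one (`"AWS": "*"`) is accepted silently and lets any account assume the role.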