From b43f532d67fa44238131f7af6fef9ff298067967 Mon Sep 17 00:00:00 2001
From: Julien Sindt <57000579+jsindt@users.noreply.github.com>
Date: Thu, 22 May 2025 11:39:40 +0100
Subject: [PATCH 1/2] Update tutorial.md

Updated:
- instructions for allowed bucket names
- Moved information on command to create bucket policy to make it more evident
- Updated Public Access bucket policy document to make it work
---
 docs/services/s3/tutorial.md | 58 +++++++++++++++++++-----------------
 1 file changed, 30 insertions(+), 28 deletions(-)

diff --git a/docs/services/s3/tutorial.md b/docs/services/s3/tutorial.md
index 20298e1bc..ff44d5094 100644
--- a/docs/services/s3/tutorial.md
+++ b/docs/services/s3/tutorial.md
@@ -48,7 +48,7 @@ List the buckets in your account:
 aws s3 ls
 ```
 
-Create a bucket:
+Create a bucket (note: the name must be between 3-63 characters, and must contain only lower case letters, numbers, hyphens '-', or full stops '.':
 
 ```bash
 aws s3api create-bucket --bucket
@@ -213,6 +213,16 @@ s3.meta.client.meta.events.unregister('before-parameter-build.s3', validate_buck
 
 ## Access policies
 
+### Set policy using AWS CLI + Grant permissions stored in an IAM policy file: + ```bash
+aws s3api put-bucket-policy --bucket --policy "$(cat bucket-policy.json)" + ``` + ### Example bucket permission policies + Buckets owned by an EIDF project are placed in a tenancy in the EIDF S3 Service. The project code is a prefix on the bucket name, separated by a colon (`:`), for example `eidfXX1:somebucket`. Note that some S3 client libraries do not accept bucket names in this format.
@@ -274,36 +284,28 @@ Give public read access to a bucket (listing and downloading files): ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": "*", - "Action": ["s3:ListBucket"], - "Resource": [ - f"arn:aws:s3::eidfXX1:somebucket" - ] - }, - { - "Effect": "Allow", - "Principal": "*", - "Action": ["s3:GetObject"], - "Resource": [ - f"arn:aws:s3::eidfXX1:somebucket/*" - ] - } - ] + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": "*", + "Action": ["s3:ListBucket"], + "Resource": [ + "arn:aws:s3::eidfXX1:somebucket" + ] + }, + { + "Effect": "Allow", + "Principal": "*", + "Action": ["s3:GetObject"], + "Resource": [ + "arn:aws:s3::eidfXX1:somebucket/*" + ] + } + ] } ``` -### Set policy using AWS CLI - -Grant permissions stored in an IAM policy file: - -```bash -aws put-bucket-policy --bucket --policy "$(cat bucket-policy.json)" - -### Set policy using Python `boto3` Grant permissions to another account: In this example we grant `ListBucket` and `GetObject` permissions to account `account1` in project `eidfXX1` and `account2` in project `eidfXX2`.
From 087e8251a77d2f4d1606c975c3dbc4bf447e8ce7 Mon Sep 17 00:00:00 2001
From: Julien Sindt <57000579+jsindt@users.noreply.github.com>
Date: Wed, 28 May 2025 13:11:33 +0100
Subject: [PATCH 2/2] Update tutorial.md

Adding missing parenthesis
---
 docs/services/s3/tutorial.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/services/s3/tutorial.md b/docs/services/s3/tutorial.md
index ff44d5094..fe29e6114 100644
--- a/docs/services/s3/tutorial.md
+++ b/docs/services/s3/tutorial.md
@@ -48,7 +48,7 @@ List the buckets in your account:
 aws s3 ls
 ```
 
-Create a bucket (note: the name must be between 3-63 characters, and must contain only lower case letters, numbers, hyphens '-', or full stops '.':
+Create a bucket (note: the name must be between 3-63 characters, and must contain only lower case letters, numbers, hyphens '-', or full stops '.'):
 
 ```bash
 aws s3api create-bucket --bucket