Closed Bug 865922 Opened 12 years ago Closed 12 years ago

Request for 'mozilla' IAM user with s3 read permissions on mozilla-identity-us-standard bucket

Categories

(Cloud Services :: Operations: Miscellaneous, task)

x86_64
Linux
task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gene, Unassigned)

Details

Please create a 'mozilla' IAM user with the following S3 permission

Bucket : mozilla-identity-us-standard
Permissions needed : List (also known as "READ")

To share the API Key and Secret with me you're welcome to gpg it and drop it here or email

http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xF0A9E7DCD39E452E

Thanks
Or an IAM role with the same permissions
As we're trying to minimize the need to distribute secret keys, I think an IAM role is probably a better choice.
IAM Role sounds good. Wes, can you create this for me?
Gene, do you have a name in mind for this role? We don't appear to have a naming convention for IAM roles yet, but to copy the only other role in prod I would name this one identity-readers. One thing to note is that if you end up using specialized host IAM roles (like I see in dev), each role will need to have these permissions since a host cannot (yet?) have multiple IAM roles.
Ah, didn't realize instances could have only one IAM role. Let's go with a generic role name of "Identity" then.
I have created this role.
Got it working. This is what the final policy looks like:

    {
      "Statement": [
        {
          "Sid": "Stmt1367003275645",
          "Action": [
            "s3:ListBucket"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::mozilla-identity-us-standard"
          ]
        },
        {
          "Sid": "Stmt1367003286196",
          "Action": [
            "s3:GetObject"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::mozilla-identity-us-standard/*"
          ]
        }
      ]
    }
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
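Added example, not part of the bug thread or any Mozilla tooling: a simplified evaluator run over the final policy above, showing why it needs two statements (s3:ListBucket matches only the bucket ARN, s3:GetObject only object ARNs under it) and that everything else falls to an implicit deny. It models only Effect, Action and Resource with IAM-style wildcards; the object key and the second bucket name are constructed sample values.

```python
import json
import re

# The policy as posted in the final comment of this bug.
POLICY = json.loads("""
{ "Statement": [
  { "Sid": "Stmt1367003275645", "Action": ["s3:ListBucket"], "Effect": "Allow",
    "Resource": ["arn:aws:s3:::mozilla-identity-us-standard"] },
  { "Sid": "Stmt1367003286196", "Action": ["s3:GetObject"], "Effect": "Allow",
    "Resource": ["arn:aws:s3:::mozilla-identity-us-standard/*"] } ] }
""")
BUCKET = "arn:aws:s3:::mozilla-identity-us-standard"

def _wild(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        hit = (any(_wild(a, action, True) for a in _as_list(stmt["Action"]))
               and any(_wild(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        if hit:
            decision = "Allow"
    return decision

def report(policy):
    """Evaluate constructed sample requests against the policy."""
    obj = BUCKET + "/example/object.txt"  # constructed object key
    requests = [
        ("s3:ListBucket", BUCKET),  # listing targets the bucket ARN
        ("s3:GetObject", obj),      # reads target object ARNs
        ("s3:GetObject", BUCKET),   # object action on the bucket ARN
        ("s3:ListBucket", obj),     # bucket action on an object ARN
        ("s3:PutObject", obj),      # write access was never granted
        ("s3:GetObject", "arn:aws:s3:::other-bucket/x"),  # constructed bucket
    ]
    return [(a, r, evaluate(policy, a, r)) for a, r in requests]

if __name__ == "__main__":
    for action, resource, result in report(POLICY):
        print(f"{result:12} {action:14} {resource}")
```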