Creating a minimal AWS S3 Bucket Policy for deploying with Hugo via hugo deploy
Similar to my post about automating deployments to AWS using the Architect Framework and GitLab CI, I've been looking at migrating the deployment for this site to a more granular role.
Although I could use something like IAM Access Analyzer, I decided that I would try and hand-crank the policy, as a nice AWS refresher.
I've come up with the following S3 Bucket Policy, for the bucket www-jvt-me, so the role WwwJvtMeServiceRole can deploy:
{
  "Version": "2012-10-17",
  "Id": "Policy1611348323526",
  "Statement": [
    {
      "Sid": "PublicReadAccess",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::www-jvt-me/*"
    },
    {
      "Sid": "ListBucket",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<redacted>:role/WwwJvtMeServiceRole"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::www-jvt-me"
    },
    {
      "Sid": "ListBucketObjects",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<redacted>:role/WwwJvtMeServiceRole"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::www-jvt-me/*"
    },
    {
      "Sid": "ModifyObjectsInBucket",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<redacted>:role/WwwJvtMeServiceRole"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::www-jvt-me/*"
    }
  ]
}
Notice that this requires both PutObject and DeleteObject, as we need to be able to add and delete files from the bucket.
This can be used by an IAM role that has no permissions policies configured, and could, for example, use OpenID Connect to allow assumption of the role, or be used by something like an EC2/Lambda role.
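One thing I find useful once a policy has been hand-cranked is a quick offline sanity check that it really is minimal: that the deploy role gets exactly the grants hugo deploy needs and nothing more, that the only thing the anonymous principal can do is read objects, and that no statement is fully covered by another. The script below is an added example and not part of the original post or of Hugo; it embeds the policy above (with the account id left as the <redacted> placeholder from the post) and treats the four grants that policy makes to the role as the expected baseline, which is an assumption drawn from the post rather than an official hugo deploy requirement. It is a structural lint only: it enumerates Allow statements and does not evaluate Deny statements, Condition blocks or NotAction, so it complements rather than replaces IAM Access Analyzer. It also builds a deliberately mis-configured variant, in which the modify statement is opened to everyone, to show what the public-access check reports.

```python
"""Offline least-privilege lint for an S3 bucket policy (added example)."""
import copy
import json

BUCKET = "www-jvt-me"
# The account id is redacted in the post; the placeholder stands in for it.
ROLE_ARN = "arn:aws:iam::<redacted>:role/WwwJvtMeServiceRole"

# The bucket policy from the post, as a Python dict.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadAccess", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Sid": "ListBucket", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Sid": "ListBucketObjects", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Sid": "ModifyObjectsInBucket", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}

# Assumed baseline for the deploy role: list the bucket, then read/write/delete
# objects. This is what the post's policy grants, not an official requirement.
EXPECTED_ROLE_GRANTS = {
    (f"arn:aws:s3:::{BUCKET}", "s3:ListBucket"),
    (f"arn:aws:s3:::{BUCKET}/*", "s3:GetObject"),
    (f"arn:aws:s3:::{BUCKET}/*", "s3:PutObject"),
    (f"arn:aws:s3:::{BUCKET}/*", "s3:DeleteObject"),
}


def _as_list(value):
    """IAM lets Action/Resource/Principal values be a string or a list."""
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Normalise the Principal element to a set of ARNs, with '*' for anonymous."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return {"*"}
    found = set()
    for _kind, value in principal.items():  # e.g. {"AWS": [...]} or {"Service": ...}
        for entry in _as_list(value):
            found.add(entry)  # {"AWS": "*"} is also anonymous access
    return found


def allow_grants(policy):
    """Return {(principal, action, resource)} for every Allow statement.
    Deny statements, Condition blocks and NotAction are not evaluated."""
    grants = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _principals(stmt):
            for action in _as_list(stmt["Action"]):
                for resource in _as_list(stmt["Resource"]):
                    grants.add((principal, action, resource))
    return grants


def role_grants(policy, principal_arn):
    """(resource, action) pairs one principal gets, including wildcard grants."""
    return {(r, a) for p, a, r in allow_grants(policy) if p in (principal_arn, "*")}


def check_deploy_role(policy, role_arn=ROLE_ARN):
    """Diff the role's effective grants against the expected minimal set."""
    actual = role_grants(policy, role_arn)
    return {"missing": sorted(EXPECTED_ROLE_GRANTS - actual),
            "extra": sorted(actual - EXPECTED_ROLE_GRANTS)}


def public_findings(policy, bucket=BUCKET):
    """Flag any anonymous grant beyond read-only access to this bucket's objects."""
    findings = []
    for principal, action, resource in allow_grants(policy):
        if principal != "*":
            continue
        if action != "s3:GetObject" or not resource.startswith(f"arn:aws:s3:::{bucket}/"):
            findings.append(f"public principal granted {action} on {resource}")
    return sorted(findings)


def redundant_statements(policy):
    """Sids of Allow statements whose every grant is also made by other statements."""
    per_sid = {}
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") == "Allow":
            per_sid[stmt.get("Sid", f"statement-{i}")] = allow_grants({"Statement": [stmt]})
    redundant = []
    for sid, grants in per_sid.items():
        others = set().union(*(g for s, g in per_sid.items() if s != sid))
        if grants and grants <= others:
            redundant.append(sid)
    return redundant


def with_public_write(policy):
    """Constructed mis-configuration: the modify statement opened to everyone."""
    bad = copy.deepcopy(policy)
    for stmt in bad["Statement"]:
        if stmt.get("Sid") == "ModifyObjectsInBucket":
            stmt["Principal"] = "*"
    return bad


if __name__ == "__main__":
    print("deploy role:", json.dumps(check_deploy_role(POLICY)))
    print("public findings:", public_findings(POLICY))
    print("redundant statements:", redundant_statements(POLICY))
    print("public findings (bad variant):", public_findings(with_public_write(POLICY)))
```

Run against the post's policy, the role check reports nothing missing and nothing extra, the public check is clean, and the redundancy check reports ListBucketObjects, since its single GetObject grant is already made by ModifyObjectsInBucket; dropping it would make the policy one statement shorter without changing what the role can do. The mis-configured variant is reported as granting PutObject and DeleteObject to the public principal, which is the kind of drift this check is meant to catch before a policy is applied.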