So we've got a user who needs access to a particular S3 bucket, and also to our redshift instance. Creating policies via IAM is a PITA.
The easiest method is to use the AWS policy generator here.
Sadly, this doesn't quite work, because if you custom-build a policy, for example to access just a Redshift instance, you must also grant a whole host of other (seemingly) unrelated permissions.
I wanted this particular user to be able to restore a snapshot and create a snapshot. I thought it required only this:
    "redshift:RestoreFromClusterSnapshot",
    "redshift:CreateClusterSnapshot",
on a particular resource. But nope, you actually need all of this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "redshift:*",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeInternetGateways",
        "sns:Get*",
        "sns:List*",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:EnableAlarmActions",
        "cloudwatch:DisableAlarmActions"
      ],
      "Sid": "Stmtxxxxx",
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}
Now to give a user access to an S3 bucket, you will need the below, which gives access to the test bucket.
{
  "Version": "2008-10-17",
  "Id": "Policyxxxxx",
  "Statement": [
    {
      "Sid": "Stmtxxxx",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::99999:user/user1"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::Redshift_dev"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::99999:user/user2"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::Redshift_dev"
    }
  ]
}
This gives user1 and user2 access to only the bucket named in the Resource ARN ('Redshift_dev'), and you apply this bucket policy on the bucket itself via the Properties -> Permissions tab.
I have also found this JSON Lint very handy for checking the policies I write.
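As an added example (not code from the post), here is a small Python check of the Redshift identity policy above against the two snapshot actions the author originally wanted: it confirms both are covered and lists every grant that uses a wildcard action or the "*" resource, which is exactly what makes the working policy so much broader than intended. The policy string is a constructed, shortened copy of the post's policy; the action names in it are assumptions for illustration.

```python
import json
from fnmatch import fnmatchcase

# The two actions the post's user actually needed.
WANTED_ACTIONS = ["redshift:RestoreFromClusterSnapshot",
                  "redshift:CreateClusterSnapshot"]

# Constructed, shortened copy of the post's identity policy (placeholders kept).
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Stmtxxxxx",
    "Effect": "Allow",
    "Action": ["redshift:*", "ec2:DescribeSubnets", "sns:Get*"],
    "Resource": ["*"]
  }]
}"""

def as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def action_matches(pattern, action):
    """IAM action matching is case-insensitive with '*' and '?' wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())

def audit_policy(policy_json, wanted_actions):
    """Report wanted actions the policy does not allow, plus every Allow grant
    that is broader than one named action on one named resource."""
    policy = json.loads(policy_json)
    grants = []  # (Sid, action pattern, resource) for every Allow grant
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid") or "<no Sid>"
        for pattern in as_list(stmt["Action"]):
            for resource in as_list(stmt["Resource"]):
                grants.append((sid, pattern, resource))
    missing = [a for a in wanted_actions
               if not any(action_matches(p, a) for _, p, _ in grants)]
    broad = [g for g in grants if "*" in g[1] or g[2] == "*"]
    return {"missing": missing, "broad_grants": broad}

if __name__ == "__main__":
    report = audit_policy(POLICY_JSON, WANTED_ACTIONS)
    print("missing wanted actions:", report["missing"])
    for sid, pattern, resource in report["broad_grants"]:
        print(f"broad grant in {sid}: {pattern} on {resource}")
```

The same function runs on the bucket policy above if you pass it that JSON (Principal is ignored). Note that a Resource of just arn:aws:s3:::Redshift_dev covers bucket-level actions only; object-level actions such as s3:GetObject need arn:aws:s3:::Redshift_dev/* as well.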