This provides a new site with a unique IAM access key/secret that allows read/write access to a single S3 bucket, e.g. to allow a Django site to upload media files. This assumes the bucket itself has already been created.
Note: I originally created this gist as a note-to-self so conventions shown here are particular to my setup; YMMV.
- Log in to the AWS Console and head to the IAM section
- Click Users to access the IAM user list
- Click Add User
- Enter username in the format of
sitename-s3
(replacingsitename
) - Under Access Type tick Programmatic access; click Next
- Under Permissions click Attach existing policies directly
- Above the policy object list, click Create Policy
- In the policy popup, next to Create Your Own Policy click Select
- Under Policy Name enter
s3__bucketname
(replacingbucketname
) - Under Description enter something like "RW access to bucketname S3 bucket"
- Under Policy Document enter the following, substituting the bucket name:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::BUCKETNAME",
"arn:aws:s3:::BUCKETNAME/*"
],
"Effect": "Allow"
}
]
}
- Validate the policy then click Create
- Back in the policy list in the previous tab, click Refresh then tick the new policy; scroll down and click Next
- Review and click Create User
- Copy the access key and secret into your config, and you're done