aws-bootstrap.rb

require 'aws'
require 'json'

# Set the following environment variables:
#
#   PROJECT_NAME=""
#   AWS_ACCESS_KEY_ID=""
#   AWS_SECRET_ACCESS_KEY=""
#
# If so desired:
#   AWS_REGION='us-west-2'
#
# For PROJECT_NAME="example" creates example-staging and example-production buckets 
# as well as example-staging and example-production users, each having RW access to
# their like named bucket.
#
# Credentials are generated and printed to stdout.
#

project = ENV['PROJECT_NAME'] || 'example'

puts "Bootstrapping AWS for #{project}"

environments = ['staging', 'production', 'tom', 'ara'].map { |env| "#{project}-#{env}" }

s3 = AWS::S3.new

new_buckets = environments - s3.buckets.map { |b| b.name }

new_buckets.each do |name|
  puts "Creating bucket: #{name}"
  s3.buckets.create(name)
end

iam = AWS::IAM.new

users = environments - iam.users.map { |u| u.name }

users.each do |name|
  puts "Creating user: #{name}"
  iam.users.create(name)
end

environments.each do |env|
  user = iam.users[env]

  # NOTE: OO policies can be created via AWS::IAM::Policy
  policy = {
    "Version" => "2012-10-17",
    "Statement" => [{
      "Effect" => "Allow",
      "Action" => "s3:*",
      "Resource" => [
        "arn:aws:s3:::#{env}",
        "arn:aws:s3:::#{env}/*"
      ]
    }]
  }
  puts "Assigning read/write policy for #{env} bucket to #{env} user"
  user.policies['ReadWriteBuckets'] = policy

  if user.access_keys.first
    puts "#{env} already has credentials"
  else
    key = user.access_keys.create
    puts "#{env} credentials:"
    puts %{AWS_ACCESS_KEY_ID="#{key.credentials[:access_key_id]}"}
    puts %{AWS_SECRET_ACCESS_KEY="#{key.credentials[:secret_access_key]}"}
  end
end

Users can't list out buckets with this policy. It might be worth it to add:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    }
  ]
}