
Support one or more `--key` options to create credentials restricted to a specific key

Open simonw opened this issue 4 years ago • 2 comments

The new --prefix option from #12 lets you set a wildcard prefix for key access - but it strikes me that it would also be useful to be able to limit access to one or more specific keys. For example, if you want to create a token that can be used to upload data to a pre-assigned UUID filename.

Related:

  • #56

simonw avatar Jan 18 '22 05:01 simonw

I need to test this, but I think that the policy for --read-only --key foo/bar.txt would be this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket/foo/bar.txt"
      ]
    }
  ]
}

Can filenames contain a *? If so, how would you specify the resource for such a file when "arn:aws:s3:::my-s3-bucket/foo/bar*.txt" is presumably treated as a wildcard?

simonw avatar Jan 18 '22 05:01 simonw
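As an added illustration (not code from s3-credentials itself), a small builder for the per-key policy shape discussed in this thread. The action lists are assumptions for the example, not the project's own mapping, and a key containing IAM's `*` or `?` pattern characters is rejected rather than emitted, since the resulting ARN would match more objects than the one intended.

```python
import json

# Assumed action sets for this illustration; not the project's actual mapping.
READ_ONLY_ACTIONS = ["s3:GetObject"]
READ_WRITE_ACTIONS = ["s3:GetObject", "s3:PutObject"]

# Characters IAM interprets as pattern wildcards inside a Resource ARN.
IAM_WILDCARDS = ("*", "?")


class AmbiguousKeyError(ValueError):
    """Raised when a key name would be read by IAM as a wildcard pattern."""


def key_arn(bucket, key):
    """Return the object ARN for one key, refusing keys IAM would treat as patterns."""
    found = [c for c in IAM_WILDCARDS if c in key]
    if found:
        raise AmbiguousKeyError(
            f"key {key!r} contains {found}; the ARN would match more than this one object"
        )
    return f"arn:aws:s3:::{bucket}/{key}"


def policy_for_keys(bucket, keys, read_only=False):
    """Build an IAM policy granting access to exactly the listed keys in one bucket."""
    if not keys:
        raise ValueError("at least one key is required")
    actions = READ_ONLY_ACTIONS if read_only else READ_WRITE_ACTIONS
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": list(actions),
                "Resource": [key_arn(bucket, key) for key in keys],
            }
        ],
    }


if __name__ == "__main__":
    # Constructed sample input: a pre-assigned UUID-style filename, as in the thread.
    sample_key = "uploads/3f2a9c1e-7b4d-4e8a-9c6f-1d2e3f4a5b6c.bin"
    print(json.dumps(policy_for_keys("my-s3-bucket", [sample_key]), indent=2))
```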

Twitter conversation about the *.png edge-case: https://twitter.com/simonw/status/1483841770094227463

I confirmed there that the ARN for a file called *.png maintains the *:


Suggestion from https://twitter.com/smithsam/status/1483844461310451718

What happens if you use %2A to describe the * ?

simonw avatar Jan 19 '22 16:01 simonw