How do I write a bucket policy with different permissions for different access keys?
I want to do the following:
- CI running on GitHub can only upload to a specific bucket.
- I have full control for s3cmd.
- Everyone gets public read rights.
This is the base, proof-of-concept plan. Long term I want to set up a bunch of other services, all of which should have their particular permissions for particular buckets.
My thought was to create different access keys. I use one, GitHub uses the other, and each key gets its particular permissions.
I looked at the bucket policy page, and followed the instructions to get the canonical user ID. But both access keys give me the same user UUID, which means I can't tell between them in the policy.
Since I have no control over GitHub's infrastructure, I don't want to make an IP-based rule, but one based on which access key is used.
So how can I do this?
This has been raised previously on this community site.
I believe the suggested answer was to set up a “sub user” for each of your separate required keys, and generate an Object Storage access key while logged in under that account. That will then give you a different UUID to allocate permissions to.
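An added example, not part of this thread, of what the sub-user approach looks like once each service has its own canonical user ID: the policy below gives everyone read, one sub-user upload only, and another sub-user full control, and a small evaluator shows which caller gets which action. The bucket name, the two canonical IDs and the `arn:aws:iam:::user/<id>` principal form are assumptions (check the provider's bucket policy documentation for the exact principal syntax); the evaluator is a deliberately simplified model of S3 policy evaluation (default deny, explicit Deny wins), not the service's own logic.

```python
import json
from fnmatch import fnmatchcase

# Constructed placeholders: a bucket name and the canonical user IDs of two
# separate sub-users (one for the CI runner, one for the s3cmd "admin" key).
BUCKET = "example-bucket"
ADMIN_ID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
CI_ID = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"


def principal_arn(canonical_id):
    # Assumed S3-style principal form for a sub-user; verify against your provider's docs.
    return f"arn:aws:iam:::user/{canonical_id}"


def build_policy(bucket, admin_id, ci_id):
    """Three statements: public read, CI upload-only, admin full control."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": ["s3:GetObject"], "Resource": [objects]},
            {"Sid": "CIUploadOnly", "Effect": "Allow",
             "Principal": {"AWS": [principal_arn(ci_id)]},
             "Action": ["s3:PutObject"], "Resource": [objects]},
            {"Sid": "AdminFullControl", "Effect": "Allow",
             "Principal": {"AWS": [principal_arn(admin_id)]},
             "Action": ["s3:*"],
             "Resource": [f"arn:aws:s3:::{bucket}", objects]},
        ],
    }


def _principal_matches(principal, caller_id):
    # "*" matches everyone, including anonymous callers (caller_id is None).
    if principal == "*":
        return True
    if caller_id is None or not isinstance(principal, dict):
        return False
    arns = principal.get("AWS", [])
    if isinstance(arns, str):
        arns = [arns]
    return principal_arn(caller_id) in arns


def _any_match(patterns, value):
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, caller_id, action, resource):
    """Simplified evaluation: default deny; an explicit Deny overrides any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], caller_id):
            continue
        if not _any_match(stmt["Action"], action):
            continue
        if not _any_match(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def policy_json(bucket=BUCKET, admin_id=ADMIN_ID, ci_id=CI_ID):
    """The document you would save to a file and attach to the bucket."""
    return json.dumps(build_policy(bucket, admin_id, ci_id), indent=2)


if __name__ == "__main__":
    print(policy_json())
```

Save the printed document to a file and attach it with the admin key, e.g. `s3cmd setpolicy policy.json s3://example-bucket`. The point of the split is visible in the evaluator: the CI sub-user can `PutObject` but not `GetObject`, `DeleteObject` or `ListBucket`, so a leaked CI key cannot read or wipe the bucket, while the anonymous public can only read objects.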
I did search, but didn't find it.
Yes, that solution occurred to me, but I was hoping there was some more elegant way of doing it, like writing a policy that matched the actual access key used. No reason why the policy's syntax couldn't be extended to support something like:
That would just be a lot more comfortable to work with, plus improve the overall security. I'm willing to bet that most people just go ahead and let various services have full access to their stuff, because the documentation doesn't say anything about this.