#aws
2021-05-22
Joe 10:05:23

Is there an idiot-proof end-to-end guide to setting up an S3 bucket and accessing it with Clojure? I've set up the bucket, set up an IAM policy / user to access it, but am not having any luck.

Joe 10:05:23

IAM policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListObjectsInBucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::snip"
            ]
        },
        {
            "Sid": "AllObjectActions",
            "Effect": "Allow",
            "Action": "s3:*Object",
            "Resource": [
                "arn:aws:s3:::snip/*"
            ]
        }
    ]
}

Joe 10:05:52

Clojure code (cognitect aws-api) - this hangs on the list buckets op

(ns my.s3
  (:require [clojure.edn :as edn]
            [cognitect.aws.client.api :as aws]
            [cognitect.aws.credentials :as creds]))

(comment
  ;; .secrets.edn is assumed to hold {:s3 {:access-key-id "..." :secret-access-key "..."}}
  (def config (edn/read-string (slurp "resources/.secrets.edn")))

  ;; basic-credentials-provider takes the key map directly;
  ;; default-credentials-provider expects an http client, not a map.
  ;; The region comes from AWS_REGION / the AWS profile, or can be passed as :region here.
  (def s3 (aws/client {:api :s3
                       :credentials-provider (creds/basic-credentials-provider (:s3 config))}))

  ;; validate request maps against the service spec before sending
  (aws/validate-requests s3 true)

  ;; needs s3:ListAllMyBuckets on arn:aws:s3:::* in the IAM policy
  (aws/invoke s3 {:op :ListBuckets}))

Joe 10:05:53

The AWS docs are very sprawling, so I can't tell if it's the S3 side of things I'm messing up or the Clojure side (or both)

Joe 10:05:31

In particular I'm unclear on whether the IAM policy itself is sufficient, or whether I need to change the permissions on the Bucket itself also

nbardiuk 10:05:06

Try the aws cli: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3/ls.html. Use it to test whether the policy setup is sufficient to do what you want. When you have figured out the policies, you can reproduce the aws cli commands in Clojure.

Joe 10:05:12

Thanks, I will give that a go

valtteri 10:05:49

I'm not sure if you can use wildcards like this: "Action": "s3:*Object"

valtteri 10:05:26

I recommend trying with s3:* or by listing all the relevant operation names

jumar 10:05:48

This is the policy we use for dev buckets, and it works:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::dev-${aws:username}"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::dev-${aws:username}/*"
        }
    ]
}

Joe 11:05:22

Thanks, I got it figured out: the CLI wasn't able to ls because the IAM policy wasn't set up to allow it (facepalm). Also, I wasn't setting the environment variables (the region). Once I corrected those it worked!
