Quick Tip - IAM S3 Policy for DeployBot

Published Oct 1, 2015 (8 years ago)
Danger icon
The last modifications of this post were around 8 years ago, some information may be outdated!

For one of the projects I’m working on, we’re using DeployBot to handle deploying our code from our bitbucket repository to an AWS S3 bucket. For security reasons, we want to keep the IAM policy a restrictive as possible, so that it can only add/remove files in that bucket. However, DeployBot needs to be able to connect to S3 and get a list of buckets to provide a list for you to choose from in the deployment wizard. After a little bit of tweaking, this is the IAM policy that worked for me.

Quick Tip

You can build this using the “Inline Policy” feature in AWS IAM. If you had a S3 bucket named “bucket-of-fish”, your policy would look like this:

{ "Version": "2012-10-17", "Statement": \[ { "Effect": "Allow", "Action": \[ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": \[ "arn:aws:s3:::\*" ] }, { "Effect": "Allow", "Action": \[ "s3:\*" ], "Resource": \[ "arn:aws:s3:::bucket-of-fish" ] }, { "Effect": "Allow", "Action": \[ "s3:\*" ], "Resource": \[ "arn:aws:s3:::bucket-of-fish/\*" ] } ] }

From what I’ve read, you need to have actions at the root and at the sub-levels of your bucket, which is why we have those two resource entries. The top level one is for simple login / bucket list retrieval.