允许第三方应用程序写入您的 aws 存储桶

Question

I have a bit of a problem, to which Iam not sure I know the answer to. I have a bucket named staging and I would like to give access to a third party dev (which is building the webapp) to allow file uploads into this bucket.

What is the correct way to go about doing this? Surely, not giving away my aws secrets?

Would be great if someone can point me in the right direction for this.

Answer 1

You can achieve it using Resource Based Policies in Staging S3 bucket.

1. Add a Resource Based Policy to Staging bucket that allow access to Dev account's IAM User/Role.

    { "Version": "2012-10-17", "Statement": [{ "Sid": "VisualEditor0", "Effect": "Allow", "Principal": { "AWS": "<ARN of IAM User/Role from Dev Account>" }, "Action": [ "s3:GetObject", "s3:PutObject" ] "Resource": "arn:aws:s3:::staging-bucket/*" }] }

2. Next, add an IAM Policy in Dev account, that allow access to S3 bucket in Staging account.

    { "Version": "2012-10-17", "Statement": [{ "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ] "Resource": "arn:aws:s3:::staging-bucket/*" }] }

References

• How can I provide cross-account access to objects that are in Amazon S3 buckets?

• How to access S3 bucket from another AWS account

Answer 2

if you are talking about a third party app is uploading content; one option is You can expose an API via apigateway to upload content to the bucket. Remember to remove public access from the bucket permission.