Making an access key limited to specific calls on specific buckets
Normally the Tigris Dashboard lets you scope an access key down to the minimum it needs. Sometimes you need more control than the Dashboard offers: Tigris also lets you attach IAM policies to access keys. This blueprint shows how to compose a policy that grants different permissions to different buckets, for example:
- Read, list, and write objects in bucket `public-images`
- Read and list objects in bucket `model-storage`
Create a new access key in the Tigris Dashboard and don't assign it any permissions; the policy below will be the only thing it is allowed to do. Copy the access key ID and secret access key into a password manager now: the secret is shown only once and cannot be retrieved later.
Copy this to `policy.json`:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListObjectsInBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::model-storage", "arn:aws:s3:::public-images"]
    },
    {
      "Sid": "AllowFetchingObjects",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::model-storage/*",
        "arn:aws:s3:::model-storage",
        "arn:aws:s3:::public-images/*",
        "arn:aws:s3:::public-images"
      ]
    },
    {
      "Sid": "AllowPuttingImagesIntoPublicBucket",
      "Effect": "Allow",
      "Action": "s3:PutObject*",
      "Resource": ["arn:aws:s3:::public-images/*"]
    }
  ]
}
```
Open `policy.json` in your text editor and change the bucket names if yours differ. Two things to be aware of while you are there: `s3:PutObject*` is an IAM wildcard, so besides `s3:PutObject` it matches every other action that starts with that prefix (such as `s3:PutObjectAcl` and `s3:PutObjectTagging`); if uploads are all you want, write `s3:PutObject` exactly. And the bare bucket ARNs in the `AllowFetchingObjects` statement are harmless but redundant: `s3:GetObject` is evaluated against object ARNs (`bucket/*`), while `s3:ListBucket` is the action that applies to the bucket ARN itself.
Then export this variable so the AWS CLI sends IAM calls to Tigris instead of AWS:

```shell
export AWS_ENDPOINT_URL_IAM=https://fly.iam.storage.tigris.dev
```
Create an IAM policy from the document you edited:

```shell
aws iam create-policy --policy-name sdxl-runner --policy-document file://./policy.json
```
Copy down the policy ARN from the output. It will look something like this (the account segment is a placeholder):

```
arn:aws:iam::flyio_hunter2hunter2hunter2:policy/sdxl-runner
```
Attach it to the access key you just created. The `--user-name` argument is the access key ID you copied earlier:

```shell
aws iam attach-user-policy \
  --policy-arn arn:aws:iam::flyio_hunter2hunter2hunter2:policy/sdxl-runner \
  --user-name tid_some_access_key_id
```
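To see what a policy document actually grants before attaching it to a long-lived key, here is an added example in Python. It is not Tigris tooling and not the AWS policy simulator; the function names are my own. `build_policy` generates a document of the shape shown above from a list of read-only and read-write buckets, `is_allowed` evaluates an action/resource pair against a document using only the subset of IAM semantics these statements rely on (explicit Deny over Allow, implicit deny, `*`/`?` wildcards; no `Condition`, `NotAction` or `NotResource`), and `least_privilege_findings` flags the wildcard action and the dead bucket ARNs discussed above. The page's own policy is embedded as `PAGE_POLICY` so the checker can be run against it.

```python
"""Generate and locally sanity-check an S3-style IAM identity policy.

Added example, not part of Tigris's documentation or tooling. The evaluator covers
only the grammar the policy above uses: Effect Allow/Deny, Action, Resource and
'*' / '?' wildcards. It does not model Condition, NotAction, NotResource, resource
policies or any service-specific behaviour.
"""
import json
import re

# The policy from the page, reproduced so the checker can be run against it.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListObjectsInBucket", "Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::model-storage", "arn:aws:s3:::public-images"]},
        {"Sid": "AllowFetchingObjects", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": ["arn:aws:s3:::model-storage/*", "arn:aws:s3:::model-storage",
                      "arn:aws:s3:::public-images/*", "arn:aws:s3:::public-images"]},
        {"Sid": "AllowPuttingImagesIntoPublicBucket", "Effect": "Allow",
         "Action": "s3:PutObject*", "Resource": ["arn:aws:s3:::public-images/*"]},
    ],
}

# Actions that apply to the bucket ARN itself rather than to objects inside it.
BUCKET_LEVEL_ACTIONS = {"s3:listbucket", "s3:getbucketlocation",
                        "s3:listbucketmultipartuploads"}


def build_policy(read_only, read_write):
    """Grant ListBucket + GetObject on every bucket, PutObject only on read_write ones."""
    buckets = sorted(set(read_only) | set(read_write))
    statements = [
        {"Sid": "ListObjectsInBucket", "Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{b}" for b in buckets]},
        {"Sid": "AllowFetchingObjects", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": [f"arn:aws:s3:::{b}/*" for b in buckets]},
    ]
    if read_write:
        statements.append(
            {"Sid": "AllowPuttingObjects", "Effect": "Allow", "Action": ["s3:PutObject"],
             "Resource": [f"arn:aws:s3:::{b}/*" for b in sorted(read_write)]})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, fold_case=False):
    """IAM-style wildcard match: '*' matches any run, '?' one character, whole string."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.IGNORECASE if fold_case else 0) is not None


def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise any matching Allow grants; otherwise implicit deny.
    Action names are case-insensitive in IAM, resource ARNs are not."""
    allowed = False
    for stmt in policy["Statement"]:
        hit_action = any(_glob(a, action, fold_case=True) for a in _as_list(stmt.get("Action", [])))
        hit_resource = any(_glob(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if hit_action and hit_resource:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def least_privilege_findings(policy):
    """Flag the sloppy patterns most worth catching before attaching to a key."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        for a in actions:
            if "*" in a:
                findings.append(f"{sid}: wildcard action {a!r} matches every action with that prefix")
        if "*" in resources:
            findings.append(f"{sid}: resource '*' grants these actions on every bucket")
        # Object-level actions against a bare bucket ARN never match a request; they are
        # dead entries that hide what the statement really grants.
        object_actions = [a for a in actions if a not in BUCKET_LEVEL_ACTIONS and "*" not in a]
        bare_buckets = [r for r in resources if r.startswith("arn:aws:s3:::") and "/" not in r]
        if object_actions and bare_buckets:
            findings.append(f"{sid}: object action(s) {object_actions} listed against "
                            f"bucket ARN(s) {bare_buckets}; drop them or use ListBucket")
    return findings


if __name__ == "__main__":
    policy = build_policy(read_only=["model-storage"], read_write=["public-images"])
    print(json.dumps(policy, indent=2))
    print("generated policy findings:", least_privilege_findings(policy))
    print("page policy findings:", least_privilege_findings(PAGE_POLICY))
```

Run it with no arguments to print a generated `policy.json` and the findings for both documents; the generated one should come back clean, while the page's policy reports the `s3:PutObject*` wildcard and the redundant bucket ARNs.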