Set up AWS user and policy for Yarkon Admin Console

For the Yarkon Admin Console instance to access S3 and other AWS services, it has to be authenticated and authorized. The proper way to handle this for a shared service is to assign a dedicated User to the task, with an attached Policy that defines the permissions granted to it. These permissions should allow the server to perform the set of actions it needs.

Create a User

Use the IAM service to create the user.

Note about naming conventions – you can use whichever naming convention you already defined for your organization; in this example we use the naming convention we follow, but it is not a requirement.

From the left sidebar, choose Users, then click Create New User. For the user name, we use yarkons3-console-user. Make sure to set the Access Type to Programmatic Access, then click the Permissions button.

Attach the Policies to the User

The user creation wizard will move to the Permissions step.

What we want to accomplish in this step is to allow the console user access to AWS S3, plus some additional permissions required for user management.

User Management Policy

Highlight the option Attach existing policies directly and click the Create Policy button. Then select the option Create Your Own Policy using the button. Fill in the name and description for the policy. In this example, we use the name yarkons3-console-policy.

Use the following template to create the policy; make sure to put your account number in the designated locations, and to use the same name you chose for the role as the resource.

Click the “Create Policy” button when you are done.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:GetSessionToken"
            ],
            "Resource": "arn:aws:iam::<account-number>:*"
        }
    ]
}

Replace the placeholder in the policy with your AWS account number. If you do not know it, from any AWS Console screen click the drop-down with your AWS username at the top right and choose the “My Account” option. Your account number is displayed under Account Settings, in the field called Account Id.

Now that the policy is created, go back to the Create User process, click the Refresh button, and select the new policy from the list using the checkbox next to its name.

S3 Access – basic

For simplicity, in this section we will assign the console user full AWS S3 permissions. This will, in turn, delegate the same permissions to the end users. While this is often the desired result, if you want to limit the access of your end users to AWS S3 (for instance, to disallow them from creating new buckets), you will have to define your own policy and attach it here instead.

To get to the S3 policy, type s3 into the search box, then choose the policy AmazonS3FullAccess from the list. Note that the user-defined policy yarkons3-console-policy remains selected.

Make sure the screen is similar to the image below, then click the Next: Review button. Again, compare to the image below and, if all looks okay, click the Create User button to complete the procedure. When the Complete form is displayed, make sure to copy the Access key ID and the Secret access key, or download the CSV with the data. You will need them later, and this is the only time the Secret access key will be shown.

Click the Close button. The User is now complete and ready to be used by a Yarkon Admin Console subscription.

The complete policy would be:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

S3 access – advanced

If you want to define a more granular permission set and are comfortable editing policies in the AWS IAM Console, follow this example. In this section we create a user access policy allowing all users to read from and write to the bucket yarkons3-sample-shared, and only read documents from the bucket yarkons3-sample-company-rules.

The following policy implements those rules. Treating ListBucket and GetObject as the "read" actions and PutObject and DeleteObject as the "write" actions is an assumption; adjust the action lists if your definition differs:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": ["arn:aws:s3:::yarkons3-sample-shared",
                         "arn:aws:s3:::yarkons3-sample-company-rules"]
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::yarkons3-sample-shared/*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::yarkons3-sample-company-rules/*"
        }
    ]
}
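To check what the basic full-access policy and the granular read/write policy described above actually permit before attaching either to the console user, here is an added example (not Yarkon's code) with a small offline evaluator of IAM Allow/Deny statements; which S3 actions count as "read" and "write" is an assumption made in the embedded policy.

```python
import json
import re

# Added example, not Yarkon's code: a small offline evaluator for the kind of
# S3 policy the advanced section describes. Which actions count as "read"
# (ListBucket, GetObject) and "write" (PutObject, DeleteObject) is an assumption.
GRANULAR_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": ["arn:aws:s3:::yarkons3-sample-shared",
                  "arn:aws:s3:::yarkons3-sample-company-rules"]},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::yarkons3-sample-shared/*"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::yarkons3-sample-company-rules/*"}
  ]
}""")

# The full-access policy from the basic section, kept for comparison.
FULL_ACCESS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"}]}

def _matches(patterns, value, ignore_case=False):
    """IAM-style wildcard match: '*' spans any characters (including '/'), '?' one."""
    if not isinstance(patterns, list):
        patterns = [patterns]
    flags = re.IGNORECASE if ignore_case else 0
    for pattern in patterns:
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                        for c in pattern)
        if re.fullmatch(regex, value, flags):
            return True
    return False

def is_allowed(policy, action, resource):
    """Simplified IAM logic: an explicit Deny wins, otherwise any matching
    Allow grants access, and with no match the request is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if (_matches(stmt["Action"], action, ignore_case=True)
                and _matches(stmt["Resource"], resource)):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

The evaluator ignores Condition, NotAction and NotResource, so it is a teaching aid for reading these statements, not a substitute for the IAM policy simulator.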