问题
I am deploying a server program in an ec2 instance which needs to be able to create pre-signed urls for s3. So far I've had my AWS credentials in environment variables for testing, but I would like to switch to the IAM Role strategy now. However, I am unsure as to which policies the role should have access too. My initial guess is to have AmazonS3FullAccess, but the description says "Provides full access to all buckets via the AWS Management Console" but the ec2 instance will be using the c++ sdk, not the management console. Or is the policy not important, just that it has a policy so it gets credentials somehow?
回答1:
You're confusing policies and roles.
a policy grants permissions to a user or to a role or to a group.
the difference between a user and a role is subtle, but basically a role is something that's assumed by other services in AWS, like an EC2 instance, while a user is generally just an identity you've created for use in AWS.
The policy description for full access may make mention to the management console, but it grants full access to all buckets whether through the console, the api or an sdk, they're all really the same thing under the hood.
You should not use the fullaccess policy. You could use it as a base to build your real policy, but IAM should always use the least privilege principal, where you only give the permissions that are absolutely required, in this case the role only needs read and possibly list permissions on the specific bucket in question if generating urls for reading, or put permissions if allowing uploads.
回答2:
For development purposes, you can attach the AmazonS3FullAccess policy to the role you create. Once you attach the IAM role to your EC2 instance, you don't need to export the credentials.
However, once your development work is complete, revisit the policy to make it more restrictive. You can either create a new managed policy (the AmazonS3FullAccess is managed by AWS and you can't update the permissions in that) or create a new inline policy with the specific permissions your application needs.
来源:https://stackoverflow.com/questions/47162055/aws-which-iam-role-for-s3-presigned-url