Reputation: 561
Condition in a bucket policy to only allow specific service
im looking for a bucket policy where I have a specific principal ID for a complete account 'arn:aws:iam::000000000000:root' which is allowed to write to a my bucket.
I now want to implement a condition which will only give firehose as a service the abillity to write to my bucket.
My current ideas were:
{
"Sid": "AllowWriteViaFirehose",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::000000000000:root"
},
"Action": "s3:Put*",
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
#*#
}
}
Whereas #*# should be the specific condition. I already tried some things like :
{"IpAddress": {"aws:SourceIp": "firehose.amazonaws.com"}} I thought the requests would come from a firehose endpoint of AWS. But it seems not :-/
"Condition": {"StringLike": {"aws:PrincipalArn": "*Firehose*"}} i thought this would work since the role which firehose uses to write files should contain a session name with something like 'firehose' in it. But it didn't work.
Any idea how to get this working?
Thanks Ben
Upvotes: 0
Views: 1284
Answers (2)
Reputation: 269816
This answer is for the situation where the destination S3 bucket is in a different account.
From AWS Developer Forums: Kinesis Firehose cross account write to S3, the method is:
- Create cross account roles in Account B and enable trust relationships for Account A to assume Account B's Role.
- Enable Bucket policy in Account B to allow Account A to write records into Account B.
- Map Account B's S3 bucket to Firehose, had to create the firehose to point to a temporary bucket and then use AWS CLI commands to update the S3 bucket in account A.
CLI Command:
aws firehose update-destination --delivery-stream-name MyDeliveryStreamName --current-delivery-stream-version-id 1 --destination-id destinationId-000000000001 --extended-s3-destination-update file://MyFileName.json
MyFileName.json looks like the one below:
{
"BucketARN": "arn:aws:s3:::MyBucketname",
"Prefix": ""
}
Upvotes: 0
Reputation: 269816
Do not create a bucket policy.
Instead, assign the desired permission to an IAM Role and assign the role to your Kinesis Firehose.
See: Controlling Access with Amazon Kinesis Data Firehose - Amazon Kinesis Data Firehose
Upvotes: 1
Related Questions
- Amazon S3 bucket policy allow access to ONLY specific http
- AWS S3 bucket policy with condition
- S3 bucket access restriction with bucket policy
- AWS Bucket Policy - limit access to a bucket with bucket policy
- S3 bucket policy to deny all except a particular AWS service role and IAM role
- S3 Bucket Policy to Allow access to specific users and restrict all
- Exclude one Amazon S3 object from a Bucket Policy
- How to define Specific Bucket Only Allow S3 Full Access Policy to that bucket only?
- Grant access to only one bucket in S3
- Amazon S3 bucket policy for public restrictions only