
AWS

awscli make s3 & role & policy

fendys 2021. 9. 1. 12:37

1. Create buckets

aws s3 mb s3://db.fendys.prod --region ap-northeast-2 --profile fendys
aws s3 mb s3://syslog.fendys.prod --region ap-northeast-2 --profile fendys

 

2. Create policy

aws iam create-policy --policy-name common_fendys_s3_policy --policy-document file://common_fendys_s3_policy.json --description "ticket-1234" --tags Key=ticket,Value=ticket-1234 --profile fendys

 

##### common_fendys_s3_policy.json #####

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "aaa",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::db.fendys.prod",
                "arn:aws:s3:::db.fendys.prod/*",
                "arn:aws:s3:::syslog.fendys.prod",
                "arn:aws:s3:::syslog.fendys.prod/*"
            ]
        },
        {
            "Sid": "aab",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectAcl",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectRetention",
                "s3:GetObjectLegalHold",
                "s3:GetObjectVersionForReplication",
                "s3:GetObjectVersionTorrent",
                "s3:GetObjectTagging",
                "s3:GetObjectTorrent",
                "s3:GetObjectVersion",
                "s3:PutObject",
                "s3:PutObjectTagging",
                "s3:PutObjectLegalHold",
                "s3:PutObjectVersionTagging",
                "s3:PutObjectRetention"
            ],
            "Resource": [
                "arn:aws:s3:::db.fendys.prod",
                "arn:aws:s3:::db.fendys.prod/*",
                "arn:aws:s3:::syslog.fendys.prod",
                "arn:aws:s3:::syslog.fendys.prod/*"
            ]
        },
        {
            "Sid": "aac",
            "Effect": "Allow",
            "Action": [
                "s3:GetAccessPoint",
                "s3:GetAccountPublicAccessBlock",
                "s3:ListAllMyBuckets",
                "s3:ListAccessPoints",
                "s3:ListJobs",
                "s3:HeadBucket"
            ],
            "Resource": "*"
        }
    ]
}

 

3. Create role

aws iam create-role --role-name common_fendys_role --assume-role-policy-document file://common_fendys_role.json --description "ticket-1234" --tags Key=ticket,Value=ticket-1234 --profile fendys

 

##### common_fendys_role.json #####

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }
}




4. Attach the policy to the role

aws iam attach-role-policy --policy-arn arn:aws:iam::123456789012:policy/common_fendys_s3_policy --role-name common_fendys_role --profile fendys
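As an added example that is not part of the original post: the policy above grants s3:ListBucket and object actions on the same ARN list, and a bucket ARN written with a trailing slash (arn:aws:s3:::bucket/) names an object with an empty key rather than the bucket. The script below builds the same policy for the post's two buckets with bucket-level and object-level statements separated, and lints a policy document for those two ARN mistakes. It runs offline (no AWS calls); the action lists are a trimmed assumption, not the post's full set.

```python
import json

BUCKETS = ["db.fendys.prod", "syslog.fendys.prod"]  # bucket names from the post
BUCKET_ACTIONS = ["s3:ListBucket"]                   # evaluated against the bucket ARN
OBJECT_ACTIONS = ["s3:GetObject", "s3:GetObjectVersion",
                  "s3:PutObject", "s3:PutObjectTagging"]  # evaluated against object ARNs (assumed subset)
S3_PREFIX = "arn:aws:s3:::"


def bucket_arn(name):
    return f"{S3_PREFIX}{name}"


def object_arn(name, prefix="*"):
    return f"{S3_PREFIX}{name}/{prefix}"


def build_policy(buckets=BUCKETS):
    """Return a policy dict: ListBucket on bucket ARNs, object actions on key ARNs only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListBuckets", "Effect": "Allow", "Action": BUCKET_ACTIONS,
             "Resource": [bucket_arn(b) for b in buckets]},
            {"Sid": "ObjectAccess", "Effect": "Allow", "Action": OBJECT_ACTIONS,
             "Resource": [object_arn(b) for b in buckets]},
        ],
    }


def lint_resources(policy):
    """Return (sid, arn, reason) tuples for S3 resource ARNs that will not work as intended."""
    problems = []
    for stmt in policy["Statement"]:
        res = stmt["Resource"]
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for arn in ([res] if isinstance(res, str) else res):
            if not arn.startswith(S3_PREFIX):
                continue
            # "bucket/" is an object ARN with an empty key, so it never matches the bucket
            if arn.endswith("/"):
                problems.append((stmt.get("Sid"), arn, "trailing slash: matches no bucket"))
            # ListBucket is a bucket-level action; an object ARN grants nothing for it
            if "s3:ListBucket" in actions and "/" in arn[len(S3_PREFIX):]:
                problems.append((stmt.get("Sid"), arn, "ListBucket needs the bucket ARN"))
    return problems


if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
    print("lint:", lint_resources(build_policy()))
```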



