Well, now that the application is dockerized it’s time to push it out. The first major task is adding the S3 policies. Major because I haven’t done it yet; I’m sure there will be a lot of small additions here. Like most AWS services, I’m sure there are two layers I’m going to need to add permissions for. The first level is general service access, while the second is specific resource access. Based on the AWS blog, the general access policy should look like the following (see the docs for the operations). In this particular case the application should be able to upload data, not create new buckets.

    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    }

Next up, within our target bucket the application should only be able to push new objects. Since this project is a quick one I might punt, might not. Let’s see if it’s well documented! From the looks of it we can probably get away with the following snippet for IAM role access, since it’s a write-only case:

    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject*"
      ],
      "Resource": "${aws_s3_bucket.private.arn}/*"
    }

In theory this would work. Unfortunately I’ve been unable to prove this as I need to inject variables via Terraform.
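Here is one way to get Terraform to inject the bucket ARN without hand-editing JSON, using the `aws_iam_policy_document` data source to build the two layers described above. This is an added example, not the post’s own configuration; it assumes a bucket resource named `aws_s3_bucket.private` and an IAM role named `aws_iam_role.app` already exist in the same configuration.

```hcl
# Added example (not from the original post). Builds the two-layer S3 policy
# with Terraform's aws_iam_policy_document data source so the bucket ARN is
# interpolated by Terraform rather than pasted into a JSON heredoc.
# Assumed names: aws_s3_bucket.private (the target bucket) and
# aws_iam_role.app (the role the container runs under).

data "aws_iam_policy_document" "app_s3_write" {
  # Layer 1: service-level access. s3:ListAllMyBuckets is account-wide and
  # only accepts "*" as its resource; GetBucketLocation is kept alongside it
  # to match the AWS example the post follows.
  statement {
    sid       = "ServiceLevel"
    effect    = "Allow"
    actions   = ["s3:ListAllMyBuckets", "s3:GetBucketLocation"]
    resources = ["*"]
  }

  # Layer 2: write-only access inside the target bucket. PutObject is an
  # object-level action, so the resource must be the object ARN pattern
  # (bucket ARN plus "/*"); granting it on the bucket ARN alone does not
  # authorize any upload.
  statement {
    sid       = "WriteOnlyObjects"
    effect    = "Allow"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.private.arn}/*"]
  }
}

# Render the document to JSON and attach it to the application role.
resource "aws_iam_policy" "app_s3_write" {
  name   = "app-s3-write-only"
  policy = data.aws_iam_policy_document.app_s3_write.json
}

resource "aws_iam_role_policy_attachment" "app_s3_write" {
  role       = aws_iam_role.app.name
  policy_arn = aws_iam_policy.app_s3_write.arn
}
```

After `terraform apply`, `aws iam simulate-principal-policy --policy-source-arn <role ARN> --action-names s3:PutObject s3:GetObject --resource-arns <bucket ARN>/somekey` shows `allowed` for PutObject and `implicitDeny` for GetObject, which is the write-only behaviour the post is after.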