0
votes

I am working on implementing a functionality in my client application to programmatically or using CLI upload image file in S3 bucket by passing KMS keys only. This would be a generic functionality and available to all the users of the application .The client is sceptical about giving his IAM root or service account access and secret key details for programatic implementation in application .

Please suggest for industry standards and AWS principals for implementing such kind of upload functionalities.

1
You can always create users/user groups and assign them access to that specific S3 bucket and getting keys against themOsama Khalid
You should use AWS STS for that. docs.aws.amazon.com/STS/latest/APIReference/Welcome.html. With STS you can generate temporary creds and use that in the role. Ofcourse with granular access that the user would have only access to upload the object in S3error404
In any case there is no reason (and it is against the sec practices) to give out the root access. The client can always create an identity and role with the least necessary privileges. And then - as commented - the identity's access keys can be used to either presign url or access allowed resources directlygusto2

1 Answers

0
votes

You can't access with KMS keys. its not clear where you are going to run your application.

using presigned URL,

You can use AWS S3 presigned URLs - you can generate a pre-signed URL for an Amazon S3 object, it will give temporary access to get or modify a particular s3 object. this method is primarily suitable for a website application. https://docs.aws.amazon.com/AmazonS3/latest/dev/PresignedUrlUploadObject.html

using IAM Roles

if you are going to run the application in AWS using EC2, Lambda, ECS or etc, you can use IAM roles. Permissions can be attached to IAM roles without hardcoding credentials to the application. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html

hope this helps