
Improve instructions for IAM set up checklist

Be more explicit in the steps for setting up the IAM portion.
jordanallain committed Oct 26, 2017
1 parent 1a4cb13 commit ac24f49287fbf531e1d1ea47737d6e9b552af341
Showing with 34 additions and 65 deletions.
  1. +34 −65 README.md
@@ -51,55 +51,32 @@ Identities are how we grant access to AWS APIs.


In the [IAM](https://console.aws.amazon.com/iam) tab: In the [IAM](https://console.aws.amazon.com/iam) tab:


*Getting to the IAM tab:*

![image](https://git.generalassemb.ly/storage/user/5688/files/96f5ca72-52c3-11e7-8d1f-03c42a2df2b4)

![image](https://git.generalassemb.ly/storage/user/5688/files/98790210-52c3-11e7-8fe3-3e56ff1253b2)

*Identity and Access Management (IAM)*
![image](https://git.generalassemb.ly/storage/user/5688/files/9dc1e764-52c3-11e7-84b5-c743f27294e0)


1. Select `Users` in the left sidebar. 1. Select `Users` in the left sidebar.
![image](https://git.generalassemb.ly/storage/user/5688/files/9ee48afc-52c3-11e7-9f5c-fa9d9148317b)


1. Click `Add User` near the top of the page. 1. Click `Add User` near the top of the page.

1. Enter `wdi-upload` into the `User name` text box.
1. Enter `wdi-upload` into the text box.
![image](https://git.generalassemb.ly/storage/user/5688/files/a1a3a6ec-52c3-11e7-81bb-81f3c59556d7)

1. Under access type, check `Programmatic Access` 1. Under access type, check `Programmatic Access`
![image](https://git.generalassemb.ly/storage/user/5688/files/a3047660-52c3-11e7-9698-fcd3201739bb) 1. Click Next

1. Highlight Add User to Group if it isn't already highlighted.
1. Click Next: Permissions 1. Click Next

1. Highlight Add User to Group
![image](https://git.generalassemb.ly/storage/user/5688/files/a4738e78-52c3-11e7-838e-908804d66370)

1. Click Next: Review
![image](https://git.generalassemb.ly/storage/user/5688/files/a5f1e902-52c3-11e7-9ce2-c574affeeadd)

1. Click create User 1. Click create User
_Then_ _Then_
![image](https://git.generalassemb.ly/storage/user/5688/files/a6d9e0c2-52c3-11e7-81f6-39468e735eeb) 1. Click `Close`.

1. Click on your newly created user: `wdi-upload`.
1. Click on your newly created user. 1. Click on the security credentials tab.
- Make sure `wdi-upload` is checked. 1. Look for the `Access Keys` section
- Click directly on `wdi-upload` 1. Click the small `x` to the right of your existing access key to delete it.
![image](https://git.generalassemb.ly/storage/user/5688/files/a9c3165a-52c3-11e7-8d89-262fca9e927c) 1. Confirm the deletion of the access key.
9. Click on the security credentials tab.
10. Click the small `x` to the right of your existing access key to delete it.
1. Click `Create access key` 1. Click `Create access key`
1. When you recieve a `Success` response, click `download .csv file` and save the CSV to your `wdi` folder. (this is 1. When complete, click `download .csv file` and move the CSV file to this repository. (this is
the only time you'll be able to see your access key, but you can generate a new one anytime the only time you'll be able to see your access key, but you can generate a new one anytime
and are encouraged to rotate them frequently) and are encouraged to rotate them frequently)
1. Click `Close` 1. Click `Close`
1. Copy the `User ARN` _(Amazon Resource Name)_ at the top of the page and save it in [arn.txt](arn.txt). 1. You should still be in the page for the `wdi-upload` user. If not you can select `Users` on the left sidebar and click on `wdi-upload` again to be on that user's page again.
1. Copy the `User ARN` _(Amazon Resource Name)_ at the top of the page and save it in the [arn.txt](arn.txt) in this repo. The ARN should start with `arn` and end with `wdi-upload`.


We'll need the User ARN to grant access to an S3 bucket we'll use for uploads. We'll need the User ARN to grant access to an S3 bucket we'll use for uploads.
We'll also need an `Access Key` _(Access Key Id and Secret Access Key)_ for this We'll also need an `Access Key` _(Access Key Id and Secret Access Key)_ for this IAM User to upload files via the S3 API.
IAM User to upload files via the S3 API.
The Access Key is contained in credentials.csv. The Access Key is contained in credentials.csv.


**Note well:** credentials.csv contains `secrets`! **Note well:** credentials.csv contains `secrets`!
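
Review bot: The `download .csv file` step says to move the CSV file to this repository, and the last line of this hunk says credentials.csv contains secrets, so the step places a live access key inside a git working tree without saying anything about keeping it untracked. Suggest extending the step to state that the file must stay untracked and to run `git status` afterwards to confirm it is not listed before any commit; alternatively keep the file outside the repository, as the other wording of this step (`save the CSV to your wdi folder`) does. The same step is also a natural place to say that a key which does get committed should be deleted in the `Access Keys` section and replaced, since the text already encourages rotation.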
@@ -113,47 +90,41 @@ S3 stores files you upload in `buckets`. A bucket is a top-level namespace
for your files. for your files.


In the [S3](https://console.aws.amazon.com/s3) tab: In the [S3](https://console.aws.amazon.com/s3) tab:
![image](https://git.generalassemb.ly/storage/user/5688/files/aafc6ab2-52c3-11e7-8351-04e5c253c092)
1. Click `Create Bucket`. 1. Click `Create Bucket`.
This opens the `Create a Bucket - Select a Bucket Name and Region` modal. This opens the `Create a Bucket - Select a Bucket Name and Region` modal.
1. Enter a name in the `Bucket Name` box. It must be unique among all S3 1. Enter a name in the `Bucket Name` box. It must be unique among all S3
buckets and in all lowercase characters. buckets and in all lowercase characters.
1. Select `US East (N. Virginia)` for the `Region`. 1. Select `US East (N. Virginia)` for the `Region`.
1. Click `Create`. 1. Click `Create`.
1. Highlight your bucket and select the `Permissions` tab. 1. Highlight your bucket and select the `Permissions` tab.
![image](https://git.generalassemb.ly/storage/user/5688/files/e3352baa-5433-11e7-8951-7bbf1e8b7f57)

1. Click `Bucket policy` near the bottom of the `Permissions` tab. 1. Click `Bucket policy` near the bottom of the `Permissions` tab.
![image](https://git.generalassemb.ly/storage/user/5688/files/ae45bf3e-52c3-11e7-9070-f4ca72d5c8ab)
1. At the bottom of the `Bucket Policy Editor` page, 1. At the bottom of the `Bucket Policy Editor` page,
click `Policy Generator`. This opens the AWS Policy Generator page. click `Policy Generator`. This opens the AWS Policy Generator page.
1. On the AWS Policy Generator page 1. On the AWS Policy Generator page
1. Step 1: Select Policy Type
1. For `Select Type of Policy` use `S3 Bucket Policy`. 1. Step 1: Select Policy Type
1. Step 2: Add Statement(s)
1. Select `Allow` for `Effect`. 1. For `Select Type of Policy` use `S3 Bucket Policy`.
1. Paste the User ARN into the `Principal` box.
1. Select `PutObject` and `PutObjectAcl` for `Actions`. 1. Step 2: Add Statement(s)
![image](https://git.generalassemb.ly/storage/user/5688/files/af19a6a0-52c3-11e7-944b-bda14c01b7ec)

1. Select `Allow` for `Effect`.
1. Enter `arn:aws:s3:::<bucket_name>/*` into the 1. Paste the User ARN into the `Principal` box.
1. Select `PutObject` and `PutObjectAcl` for `Actions`.
1. Enter `arn:aws:s3:::<bucket_name>/*` into the
`Amazon Resource Name (ARN)` box. `Amazon Resource Name (ARN)` box.
- Make sure you add `/*` at the end of your user ARN for this step. 1. Click the `Add Statement`.
![image](https://git.generalassemb.ly/storage/user/5688/files/b02fbb2e-52c3-11e7-9e77-a95f6fceb508)

1. Step 3: Generate Policy
1. Click the `Add Statement`.
![image](https://git.generalassemb.ly/storage/user/5688/files/b269d492-52c3-11e7-9a11-74afb54a90fc) 1. Click `Generate Policy`
1. Step 3: Generate Policy 1. Copy the JSON from the `Policy JSON Document` modal.
1. Click `Generate Policy`
1. Copy the JSON from the `Policy JSON Document` modal.
1. Return to the S3 tab. 1. Return to the S3 tab.
1. Paste the bucket policy into the `Bucket Policy Editor` field. 1. Paste the bucket policy into the `Bucket Policy Editor` field.
![image](https://git.generalassemb.ly/storage/user/5688/files/b35a2d3e-52c3-11e7-86ca-9b5d8221bc14)
1. Click `Save`. 1. Click `Save`.
2. Click on `Access Control List` 1. Click `Save` in the `Permissions` dropdown.
3. Click on your account
4. A modal will pop up.
1. Click `Save` in the modal.


You have now created and granted access to an S3 bucket. You have now created and granted access to an S3 bucket.
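
Review bot: In Step 2, `Select PutObject and PutObjectAcl for Actions` grants the upload user the right to set object ACLs as well as to write objects, and nothing in the instructions says why the second action is needed. Suggest adding one sentence on what `PutObjectAcl` is for in this exercise, or dropping it from the statement if uploads never set an ACL. A short check after `Paste the bucket policy into the Bucket Policy Editor field` would also help: confirm that the pasted JSON names the `wdi-upload` ARN as `Principal` and that `Resource` ends in `/*`, like the ARN check in the IAM steps.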


@@ -196,8 +167,6 @@ AWS provides many different mechanisms to grant and restrict access.
- [ ] Create a bucket policy. - [ ] Create a bucket policy.
- [ ] **DO NOT ALTER THE .gitignore FILE** - [ ] **DO NOT ALTER THE .gitignore FILE**


If there are any concerns with the process, there is a visual guide of all the steps [here](https://git.generalassemb.ly/ga-wdi-boston/aws-s3-setup-guide/issues/37)

## [License](LICENSE) ## [License](LICENSE)


1. All content is licensed under a CC­BY­NC­SA 4.0 license. 1. All content is licensed under a CC­BY­NC­SA 4.0 license.
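
Review bot: The sentence linking to the visual guide is dropped at the end of the checklist (the header shows 8 lines becoming 6) and nothing replaces it. The `![image]` lines in the two earlier hunks have no counterpart on the other side of the diff, so if they are being removed as well, the README loses every screenshot. Suggest keeping this link as the fallback, or saying in the commit message where the screenshots now live.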
