Creating a minimal AWS S3 Bucket Policy for deploying with Hugo via hugo deploy.


Similar to my post about automating deployments to AWS using the Architect Framework and GitLab CI, I've been looking at migrating the deployment for this site to a more granular role.

Although I could have used something like IAM Access Analyzer, I decided to hand-crank the policy, as a nice AWS refresher.

I've come up with the following S3 Bucket Policy, for the bucket www-jvt-me, so the role WwwJvtMeServiceRole can deploy:

{
	"Version": "2012-10-17",
	"Id": "Policy1611348323526",
	"Statement": [
		{
			"Sid": "PublicReadAccess",
			"Effect": "Allow",
			"Principal": "*",
			"Action": "s3:GetObject",
			"Resource": "arn:aws:s3:::www-jvt-me/*"
		},
		{
			"Sid": "ListBucket",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<redacted>:role/WwwJvtMeServiceRole"
			},
			"Action": "s3:ListBucket",
			"Resource": "arn:aws:s3:::www-jvt-me"
		},
		{
			"Sid": "ModifyObjectsInBucket",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<redacted>:role/WwwJvtMeServiceRole"
			},
			"Action": [
				"s3:GetObject",
				"s3:PutObject",
				"s3:DeleteObject"
			],
			"Resource": "arn:aws:s3:::www-jvt-me/*"
		}
	]
}

Notice that the role needs s3:ListBucket on the bucket ARN itself, plus s3:GetObject, s3:PutObject and s3:DeleteObject on the object ARN (the bucket ARN followed by /*): hugo deploy lists what is already in the bucket, uploads new or changed files (PutObject also covers overwriting an existing object) and deletes files that no longer exist locally. The PublicReadAccess statement is what lets anonymous visitors fetch the site; S3 will refuse to attach a policy that grants to "*" if the bucket's Block Public Access setting for public bucket policies is enabled, so that needs to be off for this bucket.

This can be used by an IAM role that has no permissions policies configured at all: because the role is in the same AWS account as the bucket, the bucket policy on its own is enough to grant access. The role could then be assumed via OpenID Connect from CI, or used as an EC2 instance or Lambda execution role. A role in a different account would additionally need an identity-based policy allowing the same S3 actions, as cross-account access requires both the resource policy and the caller's identity policy to allow it.
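As an added check, which is not part of the original post: the script below parses the policy above (same grants, with the AWS documentation placeholder account id 123456789012 standing in for the redacted one) and reports any way in which it is wider or narrower than what hugo deploy needs. The expected grant sets and the helper names are assumptions made for this example.

```python
"""Offline least-privilege check for the www-jvt-me bucket policy.

Added example, not code from the original post. The account id is the AWS
documentation placeholder 123456789012 in place of the redacted one.
"""
import json
from copy import deepcopy

BUCKET = "www-jvt-me"
ROLE_ARN = "arn:aws:iam::123456789012:role/WwwJvtMeServiceRole"  # placeholder account id

# The policy from the post, with the same grants and the placeholder account id.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicReadAccess", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::www-jvt-me/*"},
    {"Sid": "ListBucket", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/WwwJvtMeServiceRole"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::www-jvt-me"},
    {"Sid": "ModifyObjectsInBucket", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/WwwJvtMeServiceRole"},
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::www-jvt-me/*"}
  ]
}
"""
POLICY = json.loads(POLICY_JSON)

# What the deploy role needs: list the bucket, then read/write/delete its objects.
EXPECTED_ROLE_GRANTS = {
    ("s3:ListBucket", f"arn:aws:s3:::{BUCKET}"),
    ("s3:GetObject", f"arn:aws:s3:::{BUCKET}/*"),
    ("s3:PutObject", f"arn:aws:s3:::{BUCKET}/*"),
    ("s3:DeleteObject", f"arn:aws:s3:::{BUCKET}/*"),
}
# Anonymous visitors may only fetch objects.
EXPECTED_PUBLIC_GRANTS = {("s3:GetObject", f"arn:aws:s3:::{BUCKET}/*")}


def _as_list(value):
    """IAM allows Action, Resource and Principal.AWS to be a string or a list."""
    return value if isinstance(value, list) else [value]


def allow_grants(policy):
    """Flatten Allow statements into {principal: {(action, resource), ...}}.

    "Principal": "*" means anonymous and is keyed as "*".
    """
    grants = {}
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        principal = statement["Principal"]
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for who in principals:
            granted = grants.setdefault(who, set())
            for action in _as_list(statement["Action"]):
                for resource in _as_list(statement["Resource"]):
                    granted.add((action, resource))
    return grants


def check_policy(policy, role_arn=ROLE_ARN):
    """Return a list of findings; an empty list means the policy is exactly as expected."""
    findings = []
    # Actions are compared literally, so a wildcard is reported rather than expanded.
    for statement in policy["Statement"]:
        if statement.get("Effect") == "Allow":
            for action in _as_list(statement["Action"]):
                if "*" in action:
                    findings.append(f"{statement.get('Sid', '<no Sid>')}: wildcard action {action!r}")
    grants = allow_grants(policy)
    role = grants.pop(role_arn, set())
    for action, resource in sorted(EXPECTED_ROLE_GRANTS - role):
        findings.append(f"role is missing {action} on {resource}")
    for action, resource in sorted(role - EXPECTED_ROLE_GRANTS):
        findings.append(f"role has unneeded {action} on {resource}")
    public = grants.pop("*", set())
    for action, resource in sorted(public - EXPECTED_PUBLIC_GRANTS):
        findings.append(f"anonymous principal has {action} on {resource}")
    for who in sorted(grants):
        findings.append(f"unexpected principal {who}")
    return findings


def with_statement_changed(policy, sid, **fields):
    """Copy the policy with one statement's fields replaced, for what-if checks."""
    changed = deepcopy(policy)
    for statement in changed["Statement"]:
        if statement.get("Sid") == sid:
            statement.update(fields)
    return changed


if __name__ == "__main__":
    print(check_policy(POLICY) or "policy matches the expected grants")
```

Re-run it after any edit to the policy: a non-empty list is the difference between what the role and the public can do and what the deployment actually needs. It only looks at Allow statements, so an explicit Deny is neither counted as a grant nor credited as tightening anything.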

Written by Jamie Tanna.

Content for this article is shared under the terms of the Creative Commons Attribution Non Commercial Share Alike 4.0 International, and code is shared under the Apache License 2.0.

#blogumentation #aws #hugo.

This post was filed under articles.
