The following setup creates an IAM role and an IAM policy, then attaches the policy to the newly created role. XMode will assume this IAM role, whose permissions are limited by the attached policy, in order to transfer data into the specified S3 location.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::366810793500:user/xmode-data-transfer" },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {
        "sts:ExternalId": "{replace with input company name, without spaces or special characters except for the following: =,.@:/-_}"
      }
    }
  }
}
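# Step 1: create the role that XMode's transfer user is allowed to assume.
# Only the principal named below may call sts:AssumeRole on it, and only when it
# presents the sts:ExternalId value configured here (confused-deputy mitigation);
# the same value has to be handed to XMode. Per the accompanying description the
# value must contain no spaces and no special characters other than =,.@:/-_ .
aws iam create-role \
  --role-name Test-UserAccess-Role \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::366810793500:user/xmode-data-transfer" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:ExternalId": "{replace with input company name}" } }
    }
  }'

# Step 2: create the permissions policy and capture its ARN for step 3.
# Replace "bucket-name" with the destination bucket.
#   - Statement 1: uploads must carry the bucket-owner-full-control ACL, so the
#     bucket owner owns every object XMode delivers.
#   - Statement 2: get/list/delete within the same bucket.
#   - Statement 3, NOTE(review): an IAM statement applies only when BOTH its
#     action element and its resource element match, so this Deny covers
#     non-S3 actions on resources outside the bucket. S3 actions against other
#     buckets are not explicitly denied here; they are merely not allowed by
#     this policy and could be granted by another policy attached to the role.
POLICY_ARN=$(aws iam create-policy \
  --policy-name my-policy \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [ "s3:PutObject", "s3:PutObjectAcl" ],
        "Resource": [ "arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*" ],
        "Condition": { "StringEquals": { "s3:x-amz-acl": [ "bucket-owner-full-control" ] } }
      },
      {
        "Effect": "Allow",
        "Action": [ "s3:DeleteObject", "s3:GetObject", "s3:GetObjectAcl", "s3:ListBucket" ],
        "Resource": [ "arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*" ]
      },
      {
        "Effect": "Deny",
        "NotAction": "s3:*",
        "NotResource": [ "arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*" ]
      }
    ]
  }' \
  --query 'Policy.Arn' --output text)

# Step 3: attach the policy to the role.
# The ARN is taken from the create-policy output rather than typed by hand: a
# managed policy ARN has the form arn:aws:iam::<account-id>:policy/<name>
# (the original command used "role/" and a sample account id, which attach-role-policy
# rejects), and the account id must be the one in which step 2 ran.
aws iam attach-role-policy \
  --role-name Test-UserAccess-Role \
  --policy-arn "$POLICY_ARN"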