-
Working with presigned URLs - Amazon Simple Storage Service
August 12, 2023 at 10:53:10 AM GMT+2 - permalink -If you created a presigned URL by using a temporary token, then the URL expires when the token expires, even if you created the URL with a later expiration time. For more information about how the credentials you use affect the expiration time, see Who can create a presigned URL.
So you have to use regular IAM user instead of IAM role for service generating presigned urls..? :-/
-
https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-presigned-url.html#who-presigned-url
-
![thumbnail]()
-
![thumbnail]()
-
![thumbnail]()
-
![thumbnail]()
-
![thumbnail]()
-
![thumbnail]()
-
How Do I Create a Lifecycle Policy for an S3 Bucket? - Amazon Simple Storage Service
September 22, 2017 at 10:14:20 AM GMT+2 - permalink -To apply this lifecycle rule to all objects in the bucket, choose Next.
That's why wildcard was not working :D
-
http://docs.aws.amazon.com/AmazonS3/latest/user-guide/create-lifecycle.html
-
Note: Count object in bucket/folder
July 12, 2017 at 10:12:14 AM GMT+2 - permalink -aws s3 ls s3://bucket/path/ --recursive --summarize | grep "Total Objects:"
-
https://links.infomee.fr/?rcG0hg
-
Amazon Glacier Direct Upload vs Glacier Upload via Amazon S3
June 27, 2017 at 11:01:12 AM GMT+2 - permalink -So you can put your data into glacier with 2 differents ways:
1) directly to glacier via API
2) Store them to s3 then with a management policy, it'll go to GlacierWarning : Huge cost when you download from glacier and when you delete before 3 months
-
https://www.cloudberrylab.com/blog/compare-amazon-glacier-direct-upload-and-glacier-upload-through-amazon-s3/
-
Note: s3 bucket size by api
June 13, 2017 at 11:55:28 AM GMT+2 * - permalink -aws s3api list-objects --bucket BUCKET_NAME --output json --query "[sum(Contents[].Size), length(Contents[])]"
Retourne la taille en bytes et le nombre d'objets
Avec un ficheir qui contient le nom des bucket :
for BUCKET_NAME in $(cat s3list); do echo -n "$BUCKET_NAME " ; region=$(aws s3api get-bucket-location --bucket $BUCKET_NAME|jq '.LocationConstraint' -r); aws s3api list-objects --region $region --bucket $BUCKET_NAME --output json --query "sum(Contents[].Size)"; done
-
https://links.infomee.fr/?pbKktw
-
Example 2: Bucket Owner Granting Cross-Account Bucket Permissions - Amazon Simple Storage Service
Donc pour autoriser un compte externe, on va créer une bucket policy sur notre bucket pour autoriser "arn:aws:iam::account_id:root" ou plus précis sur l'user arn:aws:iam::account_id:user/foobar ou le roleJune 12, 2017 at 8:48:42 AM GMT+2 * - permalink -
C'est le compte en face qui va décider qui a le droit de venir sur notre bucket avec des user policy standard (quand on est dans le contexte du compte en face, c'est comme si le bucket nous appartenait)
Exemple bucket policy à mettre sur le BUCKET de l'account A pour autoriser l'account xxx en RW
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Allow account_xx on aws account xxx RW",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::OTHER_ACCOUNT_ID:root"
},
"Action": ["s3:GetBucketLocation", "s3:ListBucket"],
"Resource": "arn:aws:s3:::BUCKET"
},
{
"Sid": "Allow account_xx on aws account xxx RW",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::OTHER_ACCOUNT_ID:root"
},
"Action": [
"s3:*"
],
"Resource": "arn:aws:s3:::BUCKET/*"
}
]
}
Pour Read only, remplacer action du deuxieme bloc par "Action": ["s3:Get*","s3:List*"],
-
http://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example2.html
-
![thumbnail]()
-
Note: s3 policy one bucket
ReadWrite :May 17, 2017 at 5:02:27 PM GMT+2 * - permalink -
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:GetBucketLocation", "s3:ListBucket"],
"Resource": [
"arn:aws:s3:::LeBucket"
]
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::LeBucket/*"
]
}
]
}
Pour Read only, remplacer action du deuxieme bloc par "Action": ["s3:Get*","s3:List*"],
-
https://links.infomee.fr/?Vp7r6Q
-
Note: s3 enpoint
May 2, 2017 at 9:51:18 AM GMT+2 - permalink -If you enable s3 enpoint in your route table, it's kind of tricky to know if the endpoint is really working. Two things to validate:
1) traceroute tcp before and after (traceroute -T s3-us-west-1.amazonaws.com 443)
You will see more hope when endpoint not activated
2) try an s3 sync cross region with enpoint activated : it should failed since it's not supported (yet @ 2017-05-02)
-
https://links.infomee.fr/?1wF2Kg
-
![thumbnail]()
s3fs-fuse/s3fs-fuse: FUSE-based file system backed by Amazon S3
March 30, 2017 at 9:47:14 AM GMT+2 - permalink -I may have to use this one, but issue number is freaking me out
-
https://github.com/s3fs-fuse/s3fs-fuse
-
![thumbnail]()
IAM Policies and Bucket Policies and ACLs! Oh, My! (Controlling Access to S3 Resources) | AWS Security Blog
March 24, 2017 at 12:24:51 PM GMT+1 - permalink -Easy one?
Not even close
-
https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/
-
![thumbnail]()
Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket | AWS Security Blog
March 15, 2017 at 11:00:52 AM GMT+1 - permalink -Don't give s3 full access policy to your app user
Prefer to allow access only for specific bucketI wonder what's the best choice : create managed policy or simply use inline policy. I got a 1 to 1 relationship between my app-users and bucket so... inline policy looks good here
-
https://aws.amazon.com/blogs/security/writing-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket/
