Roles

These are the roles that are needed:

  • Admin
  • Read storage
  • Write storage

Use iconik-managed credentials for AWS S3

iconik supports cross-account access to S3 buckets using credentials managed by iconik. This allows you to set up a storage in iconik without worrying about credentials or key rotation.

To configure this, select Use iconik-managed credentials when adding or editing a storage. This will make iconik use its own short-lived credentials to assume the role arn:aws:iam::283217727627:role/IconikS3AccessRole when accessing your storage. This role is the same for all customers, so to prevent other customers from accessing your storage it is important that you also include a condition to make sure iconik is accessing the storage via your System Domain. This prevents the Confused Deputy Problem.

The System Domain ID for your domain can be obtained via the System Settings.

The following Bucket Policy can be used to give iconik full access to an S3 bucket in your account. For more information on how to configure a more granular policy, please see the examples in Adding S3 Storage.

{
    "Version": "2012-10-17",
    "Id": "IconikStoragePolicy",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::283217727627:role/IconikS3AccessRole"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::BUCKETNAME",
                "arn:aws:s3:::BUCKETNAME/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalTag/IconikSystemDomainId": "1297c8b6-3563-11e7-adf1-6c4008b85488"
                }
            }
        }
    ]
}

Server-side encryption with CMK

iconik supports server-side encryption with either S3 managed keys (SSE-S3), AWS Key Management Service keys (SSE-KMS) or dual-layer server-side encryption with AWS Key Management Service keys (DSSE-KMS). If you use SSE-KMS or DSSE-KMS, you will have to grant the role that iconik assumes to access the storage access to the Customer Managed Key (CMK). This is required so that the S3 service can call AWS KMS on that role's behalf and decrypt the objects in the bucket.

To grant access to the CMK, you can apply the following key policy:

{
    "Version": "2012-10-17",
    "Id": "IconikCMKPolicy",
    "Statement": [
        {
            "Sid": "IconikCMKAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::283217727627:role/IconikS3AccessRole"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalTag/IconikSystemDomainId": "1297c8b6-3563-11e7-adf1-6c4008b85488"
                }
            }
        }
    ]
}

The role used is the same for all customers, so to prevent other customers from accessing your storage it is important that you also include a condition to make sure iconik is accessing the storage via your System Domain. This prevents the Confused Deputy Problem.
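Because the same role is trusted by every customer, the StringEquals condition on aws:PrincipalTag/IconikSystemDomainId is the only thing that keeps another customer's domain out of your bucket and your key. The following checker, an added example that is not part of iconik's documentation or tooling, parses a bucket policy or KMS key policy and flags every Allow statement that admits the shared role without pinning it to your System Domain ID; add_guard then produces the hardened form. The role ARN and condition key are the ones from this page; the domain ID and the weak sample policy are constructed placeholders.

```python
import json

# Role iconik assumes for every customer (from the page); the domain-id guard
# is what makes trusting it safe.
ICONIK_ROLE = "arn:aws:iam::283217727627:role/IconikS3AccessRole"
GUARD_KEY = "aws:PrincipalTag/IconikSystemDomainId"
# Constructed placeholder; substitute the System Domain ID from System Settings.
EXAMPLE_DOMAIN_ID = "00000000-0000-4000-8000-000000000000"

# Constructed sample: a bucket policy that trusts the shared role with no
# domain condition, so any iconik customer's domain could reach the bucket.
WEAK_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Statement1",
        "Effect": "Allow",
        "Principal": {"AWS": ICONIK_ROLE},
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::BUCKETNAME", "arn:aws:s3:::BUCKETNAME/*"],
    }],
})


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _grants_iconik_role(statement):
    """True if an Allow statement's Principal covers the shared iconik role."""
    if statement.get("Effect") != "Allow":
        return False
    principal = statement.get("Principal", {})
    if principal == "*":
        return True  # wildcard principal includes the iconik role
    if not isinstance(principal, dict):
        return False
    aws_principals = _as_list(principal.get("AWS", []))
    return ICONIK_ROLE in aws_principals or "*" in aws_principals


def find_unguarded_statements(policy_json, expected_domain_id):
    """Return [(Sid, reason)] for statements that admit the iconik role without
    pinning it to expected_domain_id through StringEquals on GUARD_KEY."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if not _grants_iconik_role(stmt):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        pinned = stmt.get("Condition", {}).get("StringEquals", {}).get(GUARD_KEY)
        if pinned is None:
            findings.append((sid, "no StringEquals condition on " + GUARD_KEY))
        elif _as_list(pinned) != [expected_domain_id]:
            findings.append((sid, "condition pins a different domain id: %r" % pinned))
    return findings


def add_guard(policy_json, domain_id):
    """Return a copy of the policy with the domain condition set on every
    statement that admits the iconik role; other conditions are kept."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        if _grants_iconik_role(stmt):
            cond = stmt.setdefault("Condition", {})
            cond.setdefault("StringEquals", {})[GUARD_KEY] = domain_id
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    print("weak:", find_unguarded_statements(WEAK_BUCKET_POLICY, EXAMPLE_DOMAIN_ID))
    hardened = add_guard(WEAK_BUCKET_POLICY, EXAMPLE_DOMAIN_ID)
    print("hardened:", find_unguarded_statements(hardened, EXAMPLE_DOMAIN_ID))
    print(hardened)
```

The same checker applies unchanged to the CMK key policy above, where "Resource": "*" refers to the key itself. When you put a KMS key policy, the whole policy is replaced rather than merged, so keep the statement that lets your own account administer the key alongside the IconikCMKAccess statement, or you lock yourself out of the key while granting iconik access.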

