Use iconik-managed credentials for AWS S3
iconik supports cross-account access to S3 buckets using credentials managed by iconik. This allows you to set up a storage in iconik without worrying about credentials or key rotation.
To configure this, select Use iconik-managed credentials when adding or editing a storage.
This will make iconik use its own short-lived credentials to assume the role arn:aws:iam::283217727627:role/IconikS3AccessRole when accessing your storage.
This role is the same for all customers, so to prevent other customers from accessing your storage it is important that you also include a condition to make sure iconik is accessing the storage via your System Domain.
This prevents the Confused Deputy Problem.
The System Domain ID for your domain can be obtained via the System Settings.
The following Bucket Policy can be used to give iconik full access to an S3 bucket in your account. Replace BUCKETNAME with the name of your bucket and the value of aws:PrincipalTag/IconikSystemDomainId with your own System Domain ID. For more information on how to configure a more granular policy, please see the examples in Adding S3 Storage.
{
  "Version": "2012-10-17",
  "Id": "IconikStoragePolicy",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::283217727627:role/IconikS3AccessRole"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::BUCKETNAME",
        "arn:aws:s3:::BUCKETNAME/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/IconikSystemDomainId": "1297c8b6-3563-11e7-adf1-6c4008b85488"
        }
      }
    }
  ]
}
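Because the IconikS3AccessRole is shared by every iconik customer, the aws:PrincipalTag condition is the only thing in the policy above that keeps another customer's domain out of your bucket. The following script is an added example (not iconik's own tooling) that lints a bucket policy offline before you apply it: every Allow statement that names the shared role must carry a StringEquals condition on aws:PrincipalTag/IconikSystemDomainId equal to your System Domain ID. The bucket name example-bucket and the sample_policy builder are constructed for the example; the role ARN and tag key are the ones shown on this page.

```python
"""Offline lint for an S3 bucket policy that grants access to iconik's shared
cross-account role.  Flags any Allow statement for that role that is not
pinned to one System Domain ID via aws:PrincipalTag, i.e. a statement that
would leave the confused-deputy hole open.  Added example, not iconik code."""
import json

ICONIK_ROLE = "arn:aws:iam::283217727627:role/IconikS3AccessRole"
TAG_KEY = "aws:PrincipalTag/IconikSystemDomainId"


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_iconik_role(statement):
    """True if this Allow statement names the shared iconik role (or '*') as principal."""
    if statement.get("Effect") != "Allow":
        return False
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = _as_list(principal.get("AWS"))
        return ICONIK_ROLE in aws or "*" in aws
    return False


def check_iconik_policy(policy, expected_domain_id):
    """Return a list of findings; an empty list means the policy passes.

    Every Allow statement for the iconik role must have
    Condition.StringEquals[TAG_KEY] == expected_domain_id.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if not _grants_iconik_role(stmt):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        actual = equals.get(TAG_KEY)
        if actual is None:
            findings.append(
                f"{sid}: grants {ICONIK_ROLE} without a {TAG_KEY} condition; "
                "any iconik customer's domain could use this statement"
            )
        elif _as_list(actual) != [expected_domain_id]:
            findings.append(f"{sid}: {TAG_KEY} is {actual!r}, expected {expected_domain_id!r}")
    return findings


def sample_policy(domain_id, with_condition=True):
    """Constructed copy of the page's bucket policy for bucket 'example-bucket'.

    with_condition=False reproduces the mistake of omitting the domain pin.
    """
    stmt = {
        "Sid": "Statement1",
        "Effect": "Allow",
        "Principal": {"AWS": ICONIK_ROLE},
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }
    if with_condition:
        stmt["Condition"] = {"StringEquals": {TAG_KEY: domain_id}}
    return {"Version": "2012-10-17", "Id": "IconikStoragePolicy", "Statement": [stmt]}


if __name__ == "__main__":
    # Constructed System Domain ID; use the value from your System Settings.
    my_domain = "1297c8b6-3563-11e7-adf1-6c4008b85488"
    good = sample_policy(my_domain)
    bad = sample_policy(my_domain, with_condition=False)
    print(json.dumps(good, indent=2))
    print("good policy findings:", check_iconik_policy(good, my_domain))
    print("bad policy findings:", check_iconik_policy(bad, my_domain))
```

To lint a policy you already have, load it with json.load and pass the dict plus your System Domain ID to check_iconik_policy; a non-empty result means the statement would also admit other iconik customers or is pinned to the wrong domain.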