access key created from IAM doesn't work
Hi there,I created my credential from IAM to allow S3STAT accessing the bucket where we store our cloudfront log. However, the key didn't work. Any idea why?Hanjie Ji
Indeed. IAM doesn't have a setting for "Allow this account to modify logging", which means that there's no way to create an IAM account with just the permissions needed for S3stat to do its thing.It's annoying, and we've discussed it with Amazon's AWS team, so hopefully in the future they'll expand IAM to the point where we can give you a template to create new accounts that limit your exposure. In the meantime, you'll need to create a new full-privilege set off credentials for S3stat and hope we keep our end of the bargain.Sorry to deliver bad news. As you can tell, we're not particularly happy about this either. I'll keep you posted.
Jason Kester
Friday, January 13, 2012
Hello,Any news about the IAM support? I created a IAM user that has the logging privileges, GetBucketLogging, and PutBucketLogging. The key is still rejected by S3STAT. We won't provide the full access to a third party since IAM exists. Besides, the bucket that interests us, has the logging enabled. It writes its logs into another bucket. S3STAT doesn't *need* to manage that as we're managing it ourselves. S3STAT needs at most to read the logs from the target bucket (possible via IAM), parse them via Webalizer, push them back to S3 (possible via IAM). Am I missing some essential steps from the workflow?Regards, Ștefan Rusu
Ștefan Rusu
Thursday, September 20, 2012
Here's a link to an IAM policy that we've tested:http://www.s3stat.com/Downloads/iam.txtThat has everything that S3stat needs.
Jason Kester
Thursday, October 18, 2012
[ reply to this topic ]
[ return to topic list ]
|