S3 Buckets¶
S3 is amazon’s storage solution and implements a blob store for your data.
It is designed such that you have buckets in particular regions and store your
data as key to blob. These buckets can be created under the buckets
section
of your configuration.
---
buckets:
project-artifacts:
acl: private
location: ap-southeast-2
require_mfa_to_delete: true
tags:
application: Artifacts
allow_permission:
- resource: {s3: __self__ }
action: ["s3:Get*", "s3:List*"]
principal:
- iam: role
account: [stg, prod]
users:
- ci/project1-deployer
- ci/project2-deployer
This will create a bucket called project-artifacts
in the ap-southeast-2
region a private
canned acl; an application
tag equal to Artifacts
and the following bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::991147164:role/ci/project1-deployer",
"arn:aws:iam::382093840:role/ci/project1-deployer",
"arn:aws:iam::991147164:role/ci/project2-deployer",
"arn:aws:iam::382093940:role/ci/project2-deployer",
]
},
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::project-artifacts",
"arn:aws:s3:::project-artifacts/*"
]
},
{
"Sid": "",
"Effect": "Allow",
'Resource': [
'arn:aws:s3:::project-artifacts',
'arn:aws:s3:::project-artifacts/*'
],
'Action': 's3:DeleteBucket'
'Condition': {'Bool': {'aws:MultiFactorAuthPresent': True}},
}
]
}
Note that the require_mfa_to_delete
option is a shortcut for that last
policy so that you require an mfa device to delete the bucket and anything in it.
Available Keys¶
You can use the following keys when defining a bucket:
- acl
- The access control list associated with the bucket.
- location
- The region to place the bucket in.
- require_mfa_to_delete:
- Whether to include a permission to only allow deletion if an mfa device is used
- tags
- A dictionary of {Key:Value} tags to attach to the bucket
- website
- Configuration associated with treating this bucket as a website
- lifecycle
- Configuration around retention and transition policies
- permission, allow_permission, deny_permission
- Used to specify statements for the bucket policy
Statements¶
See the Statements section for more information of what can go into the bucket policy.
Logging Configuration¶
We can specify access logs for the bucket to be placed in another s3 bucket with
the logging
key:
buckets:
amazing_bucket:
location: ap-southeast-2
logging:
prefix: amazing_bucket/
destination: my_bucket_logs
This will make access logs go into s3://my_bucket_logs/amazing_bucket
.
See http://docs.aws.amazon.com/AmazonS3/latest/UG/ManagingBucketLogging.html for more information.
Website Configuration¶
You can also specify website configuration for the bucket with the website
key:
buckets:
my_public_website.com:
location: ap-southeast-2
website:
redirect_all_requests_to: "www.my_public_website.com"
www.my_public_website.com:
location: ap-southeast-2
website:
index_document: index.html
error_document: error.html
This will create two buckets, both with a website configuration. The first bucket
my_public_website.com
will have a website configuration equal to:
{ "IndexDocument": None
, "ErrorDocument": None
, "RedirectAllRequestsTo":
{ "HostName": "www.my_public_website.com"
}
, "RoutingRules": None
}
And the second bucket www.my_public_website.com
will have this website config:
{ "IndexDocument": { "Suffix": "index.html" }
, "ErrorDocument": { "Key": "error.html" }
, "RedirectAllRequestsTo": None
, "RoutingRules": None
}
Note that RoutingRules
can be specified as RoutingRules
and will be put
into the policy as is.
For more information on what these configurations mean, see http://docs.aws.amazon.com/AmazonS3/latest/dev/HowDoIWebsiteConfiguration.html
Lifecycle Configuration¶
S3 buckets have a concept of a lifecycle configuration. This allows Amazon to automatically delete objects in your bucket based on particular conditions that you can set.
buckets:
my_amazing_bucket:
location: ap-southeast-2
lifecycle:
- expiration:
id: Delete objects after 30 days
days: 30
Above is a config that will automatically delete objects in your bucket 30 days after it was created in the first place.
Note that we can shorten this configuration to the following:
buckets:
my_amazing_bucket:
location: ap-southeast-2
lifecycle:
expiration: 30
Here we’ve defined only one lifecycle rule and hence don’t have to put it in a list.
Available keys¶
As with all config, the lowercase variant of the option is formatted in some way whereas the uppercase variant is not
- id, ID
- A description of the rule. If one is not specified, aws_syncr will generate one for you based on the other options you provide
- enabled, Status
- Setting enabled to True will set “Status” to “Enabled”, and setting it to False will set “Status” to “Disabled”
- prefix, Prefix
- The prefix of the objects in the bucket to apply this rule to. It defaults to an empty string which means all the objects.
- transition, Transition
This creates a rule that will transition your objects into a different type of storage.
- days, Days
- The number of days after creation that the objects are moved
- Date
- A specific date that the objects are moved. Note there is no lowercase variant of this option.
- storageclass, StorageClass
- The type of storage to put the objects into. This is either GLACIER or STANDARD_IA
Note that you can’t specify days and date at the same time.
- expiration, Expiration
This creates a rule that will delete objects after particular conditions.
- days, Days
- The number of days after creation to delete the objects
- Date
- A specific date to delete the objects. Note there is no lowercase variant of this option.
- expired_object_delete_marker, ExpiredObjectDeleteMarker
- Indicates whether Amazon S3 will remove a delete marker with no noncurrent versions. If set to true, the delete marker will be expired; if set to false the policy takes no action
Note that you can only specify one of these three options at a time.
- abort_incomplete_multipart_upload, AbortIncompleteMultipartUpload
- The number of days after a multipart upload is created that it is aborted.
- NoncurrentVersionTransition
Container for the transition rule that describes when noncurrent objects transition to the STANDARD_IA or GLACIER storage class.
If your bucket is versioning-enabled (or versioning is suspended), you can set this action to request that Amazon S3 transition noncurrent object versions to the STANDARD_IA or GLACIER storage class at a specific period in the object’s lifetime.
- NoncurrentVersionExpiration
- Specifies when noncurrent object versions expire. Upon expiration, Amazon S3 permanently deletes the noncurrent object versions. You set this lifecycle configuration action on a bucket that has versioning enabled (or suspended) to request that Amazon S3 delete noncurrent object versions at a specific period in the object’s lifetime.
For more information see http://boto3.readthedocs.org/en/latest/reference/services/s3.html#S3.Client.put_bucket_lifecycle
Access Control Lists (ACLs)¶
S3 buckets are special in that they have their own ACL system that lets you grant permission to particular entities.
Note
These are separate to bucket policies!
There are two ways of specifying these acls, either manually or by specifying a canned ACL.
Using the canned ACL is the easiest way and likely the only way you need to consider.
Simply add acl
to your bucket configuration as one of private
, public-read
, public-read-write
, aws-exec-read
, authenticated-read
or log-delivery-write
. To understand what each of
these mean, see http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl
buckets:
my_bucket:
acl: authenticated-read
location: ap-southeast-2
The manual way¶
If the canned acls are not what you want, you can manually specify the grants!
buckets:
my_bucket:
acl:
grants:
- grantee: __owner__
permission: READ
- grantee:
display_name: za_team
id: 6aa5a366c34c1cbe25dc49211496e913e0351eb0e8c37aa3477e40942ec6b97c
type: CanonicalUser
permission: WRITE
- grantee:
uri: "http://acs.amazonaws.com/groups/global/AllUsers"
type: Group
permission: READ
This example shows the three ways of specifying grantee. Either you use the string
__owner__
which will correspond to the current owner of the bucket.
Alternatively you may specify the display_name
and id
for the grantee,
with type
of CanonicalUser
.
Or you may specify uri
and type
as Group
.
Owner is a strange concept in Amazon land that requires root access to get. See http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#specifying-grantee for more details.
The permission is one of READ
, WRITE
, READ_ACP
, WRITE_ACP
and
FULL_CONTROL
. See http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#permissions
for more information.
Note
You may not specify the owner of the bucket. This is a deliberate design decision to reduce the possibility of making a change that cannot be reversed. This may be changed in the future if the need arises and is asked for.