我正在使用 S3 存储后端设置 GitLab,并希望使用 KMS 加密存储桶。我想避免广泛授予权限。我正在使用 terraform 来配置这些资源。
我该如何为此制定一个好的政策?
答案1
此策略假设您的存储桶位于一组aws_s3_bucket名为 的资源中gitlab_buckets,而您用于加密这些存储桶的密钥位于 中aws_kms_key.gitlab_buckets。如果满足这些要求,则此策略应可行。
data "aws_iam_policy_document" "gitlab_s3" {
statement {
sid = "3"
actions = [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey",
"kms:ReEncryptTo",
"kms:DescribeKey",
"kms:ReEncryptFrom"
]
resources = [
aws_kms_key.gitlab_buckets.arn
]
}
statement {
sid = "1"
actions = [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:PutObjectACL"
]
resources = [
for bucket in aws_s3_bucket.gitlab_buckets:
"${bucket.arn}/*"
]
}
statement {
sid = "2"
actions = [
"s3:ListBucket",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:ListBucketMultipartUploads"
]
resources = [
for bucket in aws_s3_bucket.gitlab_buckets:
bucket.arn
]
}
}