I'm setting up GitLab with S3 storage backend and would like to use KMS to encrypt the buckets. I'd like to avoid giving out permissions broadly. I'm using terraform to provision these resources.
How can I write a good policy for this?
This policy assumes you have your buckets in a set of aws_s3_bucket resources named gitlab_buckets, and that the key you are encrypting those buckets with is aws_kms_key.gitlab_buckets. If those requirements are in place, this should drop in and go.
```hcl
data "aws_iam_policy_document" "gitlab_s3" {
  # Key usage only: no key administration actions, scoped to the one key.
  statement {
    sid = "3"
    actions = [
      "kms:Decrypt",
      "kms:Encrypt",
      "kms:GenerateDataKey",
      "kms:ReEncryptTo",
      "kms:DescribeKey",
      "kms:ReEncryptFrom"
    ]
    resources = [
      aws_kms_key.gitlab_buckets.arn
    ]
  }

  # Object-level actions apply to objects inside the buckets (arn/*).
  statement {
    sid = "1"
    actions = [
      "s3:PutObject",
      "s3:GetObject",
      "s3:DeleteObject",
      "s3:PutObjectACL"
    ]
    resources = [
      for bucket in aws_s3_bucket.gitlab_buckets :
      "${bucket.arn}/*"
    ]
  }

  # Bucket-level actions apply to the bucket ARN itself.
  statement {
    sid = "2"
    actions = [
      "s3:ListBucket",
      "s3:AbortMultipartUpload",
      "s3:ListMultipartUploadParts",
      "s3:ListBucketMultipartUploads"
    ]
    resources = [
      for bucket in aws_s3_bucket.gitlab_buckets :
      bucket.arn
    ]
  }
}
```
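To show how that policy document fits into a complete least-privilege setup, here is an added example (not part of the original answer) that creates the key and buckets it references with for_each, pins default encryption to that key, blocks public access, and attaches the policy to the role GitLab runs under. The bucket names and the gitlab_role_name variable are assumptions; the role is assumed to already exist.

```hcl
# Added example (not from the original answer): key, buckets and attachment
# for the gitlab_s3 policy document. Bucket and role names are placeholders.
variable "gitlab_role_name" {
  type = string # existing IAM role assumed by the GitLab instance
}

resource "aws_kms_key" "gitlab_buckets" {
  description         = "SSE-KMS key for GitLab object storage"
  enable_key_rotation = true
}

# for_each makes aws_s3_bucket.gitlab_buckets a map, which is what the
# `for bucket in ...` expressions in the policy document iterate over.
resource "aws_s3_bucket" "gitlab_buckets" {
  for_each = toset(["example-gitlab-artifacts", "example-gitlab-lfs", "example-gitlab-uploads"])
  bucket   = each.value
}

# Default encryption writes every object under this key even when the client
# sends no SSE headers, so the kms:GenerateDataKey and kms:Decrypt grants are
# exercised on every PutObject and GetObject rather than being optional.
resource "aws_s3_bucket_server_side_encryption_configuration" "gitlab_buckets" {
  for_each = aws_s3_bucket.gitlab_buckets
  bucket   = each.value.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.gitlab_buckets.arn
    }
  }
}

# Block public access on every bucket; GitLab reaches them via the role only.
resource "aws_s3_bucket_public_access_block" "gitlab_buckets" {
  for_each                = aws_s3_bucket.gitlab_buckets
  bucket                  = each.value.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Attach the answer's policy document inline to the GitLab role, scoped to
# exactly the key and buckets above.
resource "aws_iam_role_policy" "gitlab_s3" {
  name   = "gitlab-s3-kms"
  role   = var.gitlab_role_name
  policy = data.aws_iam_policy_document.gitlab_s3.json
}
```

Because the policy is scoped to these specific ARNs, adding a bucket to the for_each set automatically widens the grant to just that bucket on the next apply.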