use a bucket policy to grant permissions to access the bucket (#1734)

renetapopova · web-flow · commit 736735f530e1 · 2024-08-14T09:18:05.000+01:00
diff --git a/modules/ROOT/partials/aws-s3-credentials.adoc b/modules/ROOT/partials/aws-s3-credentials.adoc
@@ -1,7 +1,6 @@
-. Ensure that the AWS CLI is installed and configured with the necessary credentials.
-.. Install the AWS CLI by following the instructions in the AWS official documentation -- link:https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html[Install the AWS CLI version 2].
-.. Use `aws configure` command to set your `aws_access_key_id` and `aws_secret_access_key` from AWS.
-.. Create an S3 bucket and a directory to store the backup files using the AWS CLI:
+
+. Install the AWS CLI by following the instructions in the AWS official documentation -- link:https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html[Install the AWS CLI version 2].
+. Create an S3 bucket and a directory to store the backup files using the AWS CLI:
 +
 [source,shell]
 ----
@@ -10,7 +9,7 @@ aws s3api put-object --bucket myBucket --key myDirectory/
 ----
 +
 For more information on how to create a bucket and use the AWS CLI, see the AWS official documentation -- link:https://docs.aws.amazon.com/cli/latest/userguide/cli-services-s3-commands.html#using-s3-commands-prereqs[Use Amazon S3 with the AWS CLI] and link:https://docs.aws.amazon.com/cli/latest/userguide/cli-services-s3.html[Use high-level (s3) commands with the AWS CLI].
-.. Verify that the `~/.aws/config` is correct by running the following command:
+. Verify that the `~/.aws/config` file is correct by running the following command:
 +
 [source,shell]
 ----
@@ -21,9 +20,12 @@ The output should look like this:
 [result,shell]
 ----
 [default]
-region=eu-north-1
+region=us-east-1
 ----
-.. Verify that the `~/.aws/credentials` is correct:
+. Configure the access to your AWS S3 bucket by setting the `aws_access_key_id` and `aws_secret_access_key` in the `~/.aws/credentials` file and, if needed, using a bucket policy.
+For example:
+
+.. Use `aws configure set aws_access_key_id aws_secret_access_key` command to set your IAM credentials from AWS and verify that the `~/.aws/credentials` is correct:
 +
 [source,shell]
 ----
@@ -36,4 +38,32 @@ The output should look like this:
 [default]
 aws_access_key_id=this.is.secret
 aws_secret_access_key=this.is.super.secret
+----
+
+.. Additionally, you can use a resource-based policy to grant access permissions to your S3 bucket and the objects in it.
+Create a policy document with the following content and attach it to the bucket.
+Note that both resource entries are important to be able to download and upload files.
++
+[source, json]
+----
+{
+    "Version": "2012-10-17",
+    "Id": "Neo4jBackupAggregatePolicy",
+    "Statement": [
+        {
+            "Sid": "Neo4jBackupAggregateStatement",
+            "Effect": "Allow",
+            "Action": [
+                "s3:ListBucket",
+                "s3:GetObject",
+                "s3:PutObject",
+                "s3:DeleteObject"
+            ],
+            "Resource": [
+                "arn:aws:s3:::myBucket/*",
+                "arn:aws:s3:::myBucket"
+            ]
+        }
+    ]
+}
 ----
