Option 1: Using CloudFront to make the objects in your bucket publicly accessible
Is it OK for the files you are importing to be publicly accessible? If so, you don't need to worry about using IAM access keys. Instead, you can use CloudFront to create an HTTP frontend for the objects in your S3 bucket, which you can then access via a normal web browser (or provide a list of URLs to Shopify to import). All of the objects in your bucket will be accessible at a URL like https://d1v23457bee.cloudfront.net/object-name.jpg.
To set that up:
- Go to https://us-east-1.console.aws.amazon.com/cloudfront/v4/home
- Click 'Create Distribution'
- For the 'Origin Domain', click the dropdown and select your S3 bucket
- For 'Origin Access Control', choose "Origin access control settings (recommended)", then click "Create Control Setting"
- Click 'Enable Security Protections'
- Leave all other settings as default, then click 'Create Distribution'
The distribution will be created (it might take a few minutes). At the top of the screen you will see a yellow bar with a 'Copy Policy' button. Click that to copy an S3 Bucket Policy to your clipboard.
Also, make a note of your CloudFront domain - it will be something like https://d1v23457bee.cloudfront.net/
- Now navigate to your S3 bucket at https://s3.console.aws.amazon.com/s3/home.
- Click on your bucket name, then the 'Permissions' tab.
- In the 'Bucket Policy' section, click 'Edit' then paste in your policy.
- Click 'Save Changes'.
Now all objects in your bucket are accessible via your CloudFront domain.
Option 2: Giving access to your S3 bucket via an IAM User
IAM users in AWS are entities that you can grant permissions to. One of the ways you can authenticate as a user is by using an access key and secret key combination (sort of like a user/pass). This is generally not recommended because it's not good practice to create long-lived credentials - temporary credentials are preferred.
However, some software integrations expect an IAM access key for their integration. In that case, there are two things you need to do:
- Create an access key and secret key for your IAM user.
  This part should be pretty easy, you have got most of the way already.
  - Navigate to https://us-east-1.console.aws.amazon.com/iamv2/home
  - Click on the user you would like to generate keys for
  - Click 'Security Credentials'
  - Select 'Third Party Service', then click 'Next'.
  - Add any notes to the description tag if you'd like, then click 'Next'
  - Make a note of the Access key and Secret Access Key on the next page. Note that the secret access key will never be shown again, so you need to save it somewhere.
  - Click 'Done' - then you can use those keys in your application.
- Add permissions to the user to access your bucket.
  - Click on your user again, but this time click 'Add Permissions', then 'Create Inline Policy'
  - In the policy builder, search for 's3', then click on it
  - Open the 'Read' section of the permissions, and select 'GetObject'. Open the 'List' section, and select 'ListBucket'
  - Under resources, for 'bucket' enter the name of your bucket in the top text box. Then click 'Add ARNs'.
  - Under resource, for 'object', enter the name of your bucket in the top text box, then click 'Any object name'
  - Click 'Next', then give the policy a name, then click 'Create Policy'.
Now, systems using your secret key and access key will be able to access objects in your bucket. Good luck!
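The inline policy those Option 2 steps describe, written out with a small checker for the two usual mistakes (resource levels swapped, or a wildcard grant). This is an added example, not part of the original answer or AWS's own code; the bucket name `example-import-bucket` and the helper names are assumptions.

```python
import json

S3 = "arn:aws:s3:::"
# Resource level each read-only action must be granted on (IAM actions are case-insensitive).
LEVEL = {"s3:listbucket": "bucket", "s3:getobject": "object"}

def build_read_only_policy(bucket):
    """Inline policy equivalent to the console steps: ListBucket on the bucket, GetObject on its objects."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [S3 + bucket]},
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": [S3 + bucket + "/*"]},
    ]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def parse_arn(arn):
    """Return (bucket name, 'bucket' or 'object'); name is '*' if this is not an S3 ARN."""
    if not arn.startswith(S3):
        return "*", "any"
    name, slash, _key = arn[len(S3):].partition("/")
    return name, "object" if slash else "bucket"

def lint(policy, bucket):
    """List the ways a policy differs from read-only access to a single bucket."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt["Action"]):
            need = LEVEL.get(action.lower())
            if need is None:
                findings.append(f"{action}: more than GetObject/ListBucket")
                continue
            for arn in as_list(stmt["Resource"]):
                name, level = parse_arn(arn)
                if name != bucket:
                    findings.append(f"{action}: {arn} is not limited to {bucket}")
                elif level != need:
                    findings.append(f"{action}: needs a {need} ARN, got {arn}")
    return findings

# Constructed samples: resource levels swapped, and a wildcard grant.
SWAPPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": S3 + "example-import-bucket/*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": S3 + "example-import-bucket"}]}
BROAD = {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}}

if __name__ == "__main__":
    print(json.dumps(build_read_only_policy("example-import-bucket"), indent=2))
    for sample in (SWAPPED, BROAD):
        print(lint(sample, "example-import-bucket"))
```

The printed JSON can be pasted into the JSON tab of the inline policy editor in place of the visual builder steps.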
Running into a snag.... telling me I need to update my S3 bucket policy?
Hey - I got a little farther!! I am at the point where, in your instructions, you give this direction: Navigate to https://us-east-1.console.aws.amazon.com/iamv2/home Click on the user you would like to generate keys for Click 'Security Credentials' Select 'Third Party Service', then click 'Next. I don't see a "third party service" option?..
Attaching what I see on my screen at the point where I should see the third party access... I cut out the spaces/text between the service names to make the attachment a little smaller. Additional support would be greatly appreciated :)! I don't see a "third party" option
I don't think the image will show up in this comment area so I posted in the answer section so you could see it. Will I get in trouble for doing that?
For some reason my image isn't showing up.... maybe you can use this in your browser? https://www.dropbox.com/t/fwvLG8ptmLEp1jkJ
Hi - can't add an image here so I sent it in a new message...
This never showed up: The distribution will be created (it might take a few minutes). At the top of the screen you will see a yellow bar with a 'Copy Policy' button. Click that to copy an S3 Bucket Policy to your clipboard. Also, make a note of your cloudfront domain - it will be something like https://d1v23457bee.cloudfront.net/