A role that enables read/write access to a specific S3 bucket via `sts:AssumeRole`.
It's primarily intended for cross-account scenarios. This is perhaps a little odd,
given that S3 bucket policies allow native cross-account access via `Principal`
in the bucket policy itself.

I went this way so that scripts running on EC2 nodes with instance roles have the ability to use AssumeRole, when needed, to gain read-write access to a bucket that they don't need read-write access to 99.99% of the time.

| Argument | type | value / description |
|---|---|---|
| name | string | The name of the role we're making. It will be in the /service/ path in IAM |
| trusted_arns | list(string) | The ARNs that should be able to assume this role |
| kms_key_arns | list(string) | (optional) KMS keys that we need to access the bucket |
| description | string | Description tied to the role |
| bucket | string | The bucket that this policy should allow write access to |
| tags | map | (optional) Tags to be applied |
| standard_tags | map | (optional) Other tags to be applied from terragrunt |
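
A sketch of how a role like the one described above can be expressed in Terraform. It is an added illustration, not this module's own source: the variable names follow the argument table, while the resource names, the S3 and KMS action lists, and the inline policy name are assumptions, and the `description` and tag arguments are left out to keep it short.

```hcl
# Illustrative sketch only, not the module's source. Action lists are assumptions.
variable "name" { type = string }
variable "bucket" { type = string }
variable "trusted_arns" { type = list(string) }
variable "kms_key_arns" {
  type    = list(string)
  default = []
}

# Trust policy: only the listed principals may call sts:AssumeRole on the role.
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = var.trusted_arns
    }
  }
}

# Permissions: bucket-level and object-level actions need different ARNs.
# The KMS statement is emitted only when keys are supplied.
data "aws_iam_policy_document" "rw" {
  statement {
    actions   = ["s3:ListBucket", "s3:GetBucketLocation"]
    resources = ["arn:aws:s3:::${var.bucket}"]
  }
  statement {
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::${var.bucket}/*"]
  }
  dynamic "statement" {
    for_each = length(var.kms_key_arns) > 0 ? [1] : []
    content {
      actions   = ["kms:Decrypt", "kms:GenerateDataKey"]
      resources = var.kms_key_arns
    }
  }
}

resource "aws_iam_role" "this" {
  name               = var.name
  path               = "/service/"
  assume_role_policy = data.aws_iam_policy_document.trust.json
}
resource "aws_iam_role_policy" "rw" {
  name   = "${var.name}-rw"
  role   = aws_iam_role.this.id
  policy = data.aws_iam_policy_document.rw.json
}
```

In a cross-account setup the trust policy is only half of the grant: the calling principal's own account must also allow `sts:AssumeRole` on this role's ARN in an identity policy.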