Setting Up an AWS IAM User
If you are using Amazon S3 Storage, there are two methods that can be used to grant access to your images:
1. Create Pre-signed URLs that can be used to access your storage directly (see the Amazon S3 documentation for details). Once you know how to generate pre-signed URLs, this method is the most straightforward and requires no additional set-up.
2. Create an IAM User to grant programmatic access to your images. Firstly, you must create an IAM (Identity and Access Management) User via the AWS dashboard (or CLI) and copy the access keys into the :webroot:`Storage section of your Pixelshift Dashboard <Dashboard/Storage#iam-user>`. Then you grant access to this IAM user by attaching a Policy which gives it permission to read from and write to your buckets.
The process of creating an IAM User is described in detail below.
Creating a New IAM User
An IAM User can be easily created via the AWS Console (Services/IAM/Users), as shown in this section. It is also possible to set up an IAM User via the AWS CLI, but this is not covered here - please refer to the official documentation for details.
- Sign in to your AWS Management Console.
- Navigate to Security, Identity & Compliance -> IAM -> Users.
- Click Add User.
- Enter a User name - e.g. 'iam_pixelshift'.
- Select 'Programmatic access' as the Access type.
- Click Next.
- Continue past the 'Set permissions for <username>' screen without selecting anything (permissions will be set shortly).
- On the 'Review' screen, ignore the permissions warning and click Create User.
- You should now see the 'Success' page showing your new IAM User, along with their Access Key Id and Secret Access Key.
- Copy and paste these new IAM keys into your :webroot:`dashboard here <DashBoard/Storage#iam-user>` or store them somewhere safe for later. Important: This is the only time you can view both keys (though you can re-generate the secret if you need to).
- After you have copied your keys, you can click Close.
Granting Access with an Inline Policy
Once you have created an IAM User, you must attach an Inline Policy to it that grants access to your Storage Bucket(s). You can choose to either grant access to individual Buckets or all of them (though this isn't recommended).
- First use your :webroot:`Pixelshift Dashboard <DashBoard/Storage#permissions>` to create a policy. Select the type of access and provide Bucket names if necessary.
- Sign in to your AWS Management Console and navigate to Security, Identity & Compliance -> IAM -> Users.
- Select the IAM User you want to attach the policy to.
- On the 'Permissions' tab, select Add inline policy (bottom right).
- On the 'Create policy' screen, select the JSON tab.
- Copy the entire policy created in Step 1 into the editor.
- Click Review Policy.
- Provide a name (e.g. pixelshift_access).
- Click Create Policy to finish.
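
Before pasting a policy into the JSON editor, it is worth checking that it only reaches the buckets you named. The following is an added example, not code from Pixelshift or AWS: a small checker that flags Allow statements covering all buckets or all S3 actions. The two sample policies, the bucket name ``example-images-bucket`` and the function names are constructed for illustration, and the policy your dashboard generates may list different actions.

```python
import json

S3_ARN = "arn:aws:s3:::"  # assumes the standard "aws" partition

# Constructed sample: read/write on one bucket (the bucket name is a placeholder).
SCOPED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-images-bucket"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-images-bucket/*"}
  ]
}"""

# Constructed sample: every S3 action on every bucket.
BROAD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"}
  ]
}"""


def as_list(value):
    """IAM allows a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Return findings for Allow statements that reach beyond named S3 buckets."""
    findings = []
    statements = as_list(json.loads(policy_json).get("Statement", []))
    for n, stmt in enumerate(statements, start=1):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {n}: NotAction/NotResource allows everything not listed")
        for action in as_list(stmt.get("Action", [])):
            if not action.lower().startswith("s3:"):
                findings.append(f"statement {n}: action {action!r} is not an S3 action")
            elif action.lower() == "s3:*":
                findings.append(f"statement {n}: action {action!r} allows every S3 operation")
        for resource in as_list(stmt.get("Resource", [])):
            if not resource.startswith(S3_ARN):
                findings.append(f"statement {n}: resource {resource!r} is not an S3 bucket ARN")
                continue
            bucket = resource[len(S3_ARN):].split("/", 1)[0]
            if not bucket or "*" in bucket or "?" in bucket:
                findings.append(f"statement {n}: resource {resource!r} matches more than one bucket")
    return findings
```

An empty list from ``audit_policy`` means every Allow statement names specific buckets and specific S3 actions; any finding is a reason to regenerate the policy with individual bucket names.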