
Make it easier to add extra policy statements #72

Closed
simonw opened this issue Jun 30, 2022 · 10 comments
Labels
enhancement New feature or request research

Comments

@simonw
Owner

simonw commented Jun 30, 2022

The current --policy option lets you set a custom policy, but leaves it to you to define one.

I find myself wanting to mix in the following to the policy that I use, for s3-ocr:

https://docs.aws.amazon.com/textract/latest/dg/security_iam_id-based-policy-examples.html#security_iam_async-actions

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "textract:StartDocumentTextDetection",
                "textract:StartDocumentAnalysis",
                "textract:GetDocumentTextDetection",
                "textract:GetDocumentAnalysis"
            ],
            "Resource": "*"
        }
    ]
}

Would be nice if there was a neat way to do this.

@simonw simonw added enhancement New feature or request research labels Jun 30, 2022
@simonw
Owner Author

simonw commented Jun 30, 2022

One option would be to support multiple --statement options, each of which can be either a chunk of JSON or some kind of shortcut that indicates one of a number of pre-baked patterns.

Could support --statement textract:all or --statement textract:async as shortcuts.

@simonw
Owner Author

simonw commented Jun 30, 2022

I need a better feeling for what other kinds of shortcuts might be useful.

@simonw
Owner Author

simonw commented Jun 30, 2022

https://aws.amazon.com/blogs/security/back-to-school-understanding-the-iam-policy-grammar/ says:

There are five core types of elements that you can use in your policy. Some are required and some are optional. Let's walk through them.

  1. Effect (Required) -- specifies whether the statement will explicitly allow ("Allow") or deny ("Deny") access. These are the only two values that are valid in this element.
  2. Action* (Required) -- describes the type of access that should be allowed or denied.
  3. Resource* (Required) -- specifies the object or objects that the statement covers.
  4. Principal* (Optional) -- specifies the user, account, service, or other entity that is allowed or denied access to a resource. Principals can only be used for resource-based policies. For policies within IAM, the policy is attached to the Principal it applies to.
  5. Condition (Optional) -- lets you specify conditions for when a policy is in effect.

So Effect, Action and Resource are required.

@simonw
Owner Author

simonw commented Jun 30, 2022

I'm tempted to say that --statement action:name-of-action is a shortcut for adding an Effect: Allow, Action: Action, Resource: * statement.

@simonw
Owner Author

simonw commented Jun 30, 2022

I have a full list (I think) of potential actions here: https://iam-definitions.vercel.app/iam/privileges

@simonw
Owner Author

simonw commented Jun 30, 2022

Alternative design: --allow-action 'textract:*' which would add this:

[
    {
        "Effect": "Allow",
        "Action": ["textract:*"],
        "Resource": "*"
    }
]

But given that, what would the shortcut be if you didn't want to use "Resource": "*"?

Maybe --allow-action-on-resource <action> <resource> could be supported too?

@simonw
Owner Author

simonw commented Jun 30, 2022

I'm just going to implement --statement <json> which takes the full block of JSON and --allow-action <action> which adds an allow block on resource * for that specified action.

If you pass --allow-action multiple times they will all be bundled in the same statement.

I'm not going to implement shortcut templates, because I don't have a good idea for what they should be - and textract:* is a good enough solution for the moment.
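As an added example (not code from the s3-credentials project), here is one way the design sketched in this comment and the IAM grammar quoted earlier could be implemented in Python: each --statement value is parsed as JSON and checked for the required Effect, Action and Resource elements, every --allow-action value is bundled into one Allow-on-* statement, and a final pass reports any statement that grants a wildcard action on all resources, since that is the kind of grant worth reviewing before handing out the credentials. The base policy, bucket name and function names are assumptions made for this example.

```python
import json

# Constructed base policy, shaped like a per-bucket read/write policy.
# The bucket name and action list are assumptions for this example.
BASE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        }
    ],
}

# Required statement elements per the IAM policy grammar; Principal and
# Condition are optional for identity-based policies.
REQUIRED_KEYS = ("Effect", "Action", "Resource")


def validate_statement(statement):
    """Raise ValueError unless the statement has Effect, Action and Resource
    and Effect is one of the two legal values."""
    if not isinstance(statement, dict):
        raise ValueError("statement must be a JSON object")
    missing = [key for key in REQUIRED_KEYS if key not in statement]
    if missing:
        raise ValueError("statement missing required element(s): " + ", ".join(missing))
    if statement["Effect"] not in ("Allow", "Deny"):
        raise ValueError("Effect must be Allow or Deny, got {!r}".format(statement["Effect"]))
    return statement


def allow_actions_statement(actions):
    """Bundle every --allow-action value into a single Allow-on-* statement."""
    return {"Effect": "Allow", "Action": list(actions), "Resource": "*"}


def build_policy(base_policy, extra_statements=(), allow_actions=()):
    """Return a new policy document: the base policy plus each --statement JSON
    string (validated) and, if any --allow-action values were given, one
    bundled statement for them. The base policy is not mutated."""
    policy = json.loads(json.dumps(base_policy))  # deep copy via round-trip
    for raw in extra_statements:
        policy["Statement"].append(validate_statement(json.loads(raw)))
    if allow_actions:
        policy["Statement"].append(allow_actions_statement(allow_actions))
    return policy


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_broad_statements(policy):
    """Return the indexes of Allow statements that pair a wildcard action
    (e.g. "textract:*" or "*") with Resource "*". These are not errors,
    but they are the grants a reviewer should look at before shipping."""
    broad = []
    for index, statement in enumerate(policy["Statement"]):
        if statement.get("Effect") != "Allow":
            continue
        wildcard_action = any("*" in action for action in _as_list(statement["Action"]))
        all_resources = "*" in _as_list(statement["Resource"])
        if wildcard_action and all_resources:
            broad.append(index)
    return broad


if __name__ == "__main__":
    # Constructed inputs mirroring the textract use case in this issue.
    policy = build_policy(
        BASE_POLICY,
        extra_statements=['{"Effect": "Allow", "Action": "textract:*", "Resource": "*"}'],
        allow_actions=["textract:StartDocumentTextDetection", "textract:GetDocumentTextDetection"],
    )
    print(json.dumps(policy, indent=2))
    print("broad statements at indexes:", find_broad_statements(policy))
```

Running the module prints the merged policy with three statements; the textract:* statement is reported as broad, while the bundled --allow-action statement is not, because its actions name specific operations even though its Resource is *.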

@simonw simonw changed the title Make it easier to add extra statements Make it easier to add extra policy statements Jun 30, 2022
@simonw simonw closed this as completed Jun 30, 2022
@simonw
Owner Author

simonw commented Jun 30, 2022

I decided to just implement --statement for the moment, and not to implement that --allow-action idea.

@simonw
Owner Author

simonw commented Jun 30, 2022

I tested this like so and it worked:

s3-credentials create simonw-ocr-demo-bucket --statement '{
  "Effect": "Allow",
  "Action": "textract:*",
  "Resource": "*"
}' -c > ocr.json

Then tested like so:

s3-credentials put-object simonw-ocr-demo-bucket github-octoverse-2020-community-report.pdf ~/Downloads/2020-reports/github-octoverse-2020-community-report.pdf -a ocr.json
s3-ocr start simonw-ocr-demo-bucket -a ocr.json --all
s3-ocr status simonw-ocr-demo-bucket -a ocr.json
s3-ocr index simonw-ocr-demo-bucket /tmp/github-index.db -a ocr.json
datasette /tmp/github-index.db -p 8525
