S3 backup permissions

gchiu · May 24, 2017, 3:07am

I note that S3 backup can be enabled.

I’m not entirely sure about the S3 permissions but is there a way to only allow one admin (me) to view and set the two keys required for this? Or do all admins have the rights to access the S3 keys?

jomaxro · May 24, 2017, 3:12am

All admins have access to everything. If you cannot trust your admin(s) with S3 keys, don’t make them admins. Moderators do not have access to site settings, and therefore are a good alternative if you need users to have control over content on the forums, but not settings.

gchiu · May 24, 2017, 8:32pm

Well I was hoping that there would be a way to display encrypted S3 keys such as used with Travis-ci and ones GitHub .travis.yml repository file. The decryption key could be stored in the file system. It just creates an extra layer of security.

gchiu · May 26, 2017, 8:12pm

Do the backup logs contain the S3 keys? If not , then I might look at encrypting them.

Falco · May 26, 2017, 8:24pm

Backups contain the database, and the site settings are all on the database.

pacharanero · March 22, 2018, 9:24pm

If you are concerned about the level of S3 access you are giving away by putting S3 keys in plaintext in Discourse backups, you could create a user which is specifically for backup of that discourse instance and has access to nothing else on AWS. (I got most of this policy from various blogs but I can’t remember where exactly so unfortunately I can’t give credit)

create an S3 bucket in the S3 panel and give it any name - you’ll need this name later
create an AWS user in the IAM panel
choose any user name you like, ideally something that will remind you what that user can access and why
choose Access type - programmatic access
Don’t add the user to any groups
When setting permissions, select ‘Attach existing policies directly’ and then click the button ‘Create policy’
in the JSON editor, paste this policy, replacing NAME_OF_YOUR_S3_BUCKET with the actual name of your S3 backup bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::NAME_OF_YOUR_S3_BUCKET",
                "arn:aws:s3:::NAME_OF_YOUR_S3_BUCKET/*"
            ]
        }
    ]
}

review and save the policy, you also are asked to name the policy, which means you can use it for other single-access s3 setups if you need to.
get the AWS credentials/keys for that user and put them in Discourse, along with the name of the S3 bucket
you should now be able to perform a backup to your specified bucket, but that user can’t do anything else on AWS.

Topic		Replies	Views
Do I need a second aws S3 bucket for backup? Installation backups , s3	10	1298	January 9, 2024
S3 Backup ... suspect access issue Support	4	1824	October 16, 2018
Disclosure of S3 secret access key Feature	23	5496	November 27, 2018
IAM and bucket policy for S3 access Hosting	8	2855	May 11, 2018
S3 image upload access denied while backups upload working fine Installation s3	22	2572	March 23, 2020

S3 backup permissions

Related Topics