If you are concerned about the level of S3 access you are giving away by putting S3 keys in plaintext in Discourse backups, you can create an IAM user that exists only to back up that Discourse instance and has access to nothing else on AWS. (I got most of this policy from various blogs but I can’t remember where exactly so unfortunately I can’t give credit)
- create an S3 bucket in the S3 panel and give it any name - you’ll need this name later
- create an AWS user in the IAM panel
- choose any user name you like, ideally something that will remind you what that user can access and why
- choose Access type - programmatic access
- Don’t add the user to any groups
- When setting permissions, select ‘Attach existing policies directly’ and then click the button ‘Create policy’
- in the JSON editor, paste this policy, replacing `NAME_OF_YOUR_S3_BUCKET` with the actual name of your S3 backup bucket:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::NAME_OF_YOUR_S3_BUCKET",
        "arn:aws:s3:::NAME_OF_YOUR_S3_BUCKET/*"
      ]
    }
  ]
}
```
- review and save the policy; you are also asked to name it, which means you can reuse the same policy for other single-bucket S3 setups if you need to.
- get the AWS credentials/keys for that user and put them in Discourse, along with the name of the S3 bucket
- you should now be able to perform a backup to your specified bucket, but that user can’t do anything else on AWS.
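As an added example (not part of the original post), here is a small Python script that builds the policy above for a given bucket name and runs a simplified IAM-style evaluation over it, so you can confirm before handing out the keys that the user is confined to the backup bucket: any action on another bucket, or on a bucket whose name merely shares a prefix, is denied. The evaluator is an assumption of this example, not the real IAM engine: it handles `Allow`/`Deny`, `Action` and `Resource` wildcards only, and ignores conditions, `NotAction`/`NotResource` and any other policies attached to the user. The bucket name `discourse-backups-example` is a constructed placeholder.

```python
import fnmatch
import json


def backup_policy(bucket: str) -> dict:
    """Build the single-bucket backup policy from the post for the given bucket name."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:ListAllMyBuckets",
                "Resource": "arn:aws:s3:::*",
            },
            {
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }


def _as_list(value):
    # Policy elements may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str, case_sensitive: bool) -> bool:
    # IAM wildcards: '*' matches any run of characters, '?' matches one character.
    # fnmatch also treats '[' as a character class, so escape it to keep pure IAM semantics.
    pattern = pattern.replace("[", "[[]")
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation (assumption of this example): an explicit Deny wins,
    otherwise any matching Allow grants, otherwise the request is implicitly denied.
    Action names are matched case-insensitively, resource ARNs case-sensitively."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action, False) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(r, resource, True) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def scoping_report(bucket: str) -> dict:
    """Run the checks a reviewer would want before trusting the policy with real keys.
    Every value should be True for a correctly scoped backup user."""
    policy = backup_policy(bucket)
    own = f"arn:aws:s3:::{bucket}"
    return {
        "can_list_all_buckets": is_allowed(policy, "s3:ListAllMyBuckets", "arn:aws:s3:::*"),
        "can_list_own_bucket": is_allowed(policy, "s3:ListBucket", own),
        "can_write_backup_object": is_allowed(policy, "s3:PutObject", f"{own}/backups/site.tar.gz"),
        # Negative checks: these must be denied, so the report negates the result.
        "other_bucket_denied": not is_allowed(policy, "s3:GetObject", "arn:aws:s3:::other-bucket/x"),
        "prefix_bucket_denied": not is_allowed(policy, "s3:ListBucket", f"{own}-2"),
        "non_s3_denied": not is_allowed(policy, "ec2:RunInstances", "*"),
    }


if __name__ == "__main__":
    name = "discourse-backups-example"  # constructed placeholder bucket name
    print(json.dumps(backup_policy(name), indent=2))
    for check, ok in scoping_report(name).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

Note that `s3:*` on the bucket still includes delete and permission-changing actions for that bucket, so the user is confined to the bucket but not read-only within it; the report only verifies the boundary the post describes.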