
Bucket (and file?) policies #24

Open
sckott opened this issue Dec 13, 2023 · 6 comments

Comments

@sckott
Member

sckott commented Dec 13, 2023

At least I currently don't have permission to modify bucket ACLs, so can't test and make sure that aws_bucket_acl_modify works.

Perhaps with the new test AWS account I'll be able to test this.

@seankross
Collaborator

My super hot take about this is that we should totally avoid bucket ACLs, which I believe is possible. I think they're a legacy feature that has been replaced by Policies.

@sckott
Member Author

sckott commented Dec 13, 2023

I like that take. Makes sense; I can see there are a number of AWS docs pages that say ACLs are deprecated.

I googled around a bit and don't see it: What's the process for managing permissions for buckets then? We can do policies stuff for users, groups, roles, but not sure how it's done for buckets.

sckott added a commit that referenced this issue Dec 13, 2023
@sckott
Member Author

sckott commented Dec 13, 2023

removed the 2 bucket acl fxns

@seankross
Collaborator

I think this is where we should get really opinionated. It appears there are both IAM Policies that can govern bucket access, and Bucket Policies that apply to individual buckets: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-iam-policies.html. I think we should abstract these details away from end users, and enable the following functionality:

  • A function to make a bucket publicly open on the internet for anyone to read from.
  • Some functionality where you can get a public file's public URL.
  • A function to allow a specific user/group/role to read from a bucket.
  • A function to allow a specific user/group/role to read and write from a bucket.

It would be cool if for these use cases the end user didn't have to worry about policies, and sixtyfour could create, find, and assign the appropriate policies.

@sckott sckott changed the title Modify bucket ACL Bucket policies Dec 14, 2023
@sckott
Member Author

sckott commented Jan 10, 2024

Sorry for the delay. Okay, so maybe the functions would look like:

  • aws_bucket_as_public()
  • aws_file_url(type = "private") or aws_file_url(type = "public")
  • aws_group(name="users") %>% aws_bucket_allow_read()
  • aws_group(name="users") %>% aws_bucket_allow_read_write()

Thoughts?
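The two posts above (the four use cases seankross lists, and the `aws_bucket_as_public()` / `aws_bucket_allow_read()` / `aws_bucket_allow_read_write()` / `aws_file_url()` sketch) boil down to generating the right policy document and attaching it in the right place. The block below is an added example, not sixtyfour's code: it is written in Python rather than R so it runs stand-alone, and it only builds and inspects the JSON policy documents; it does not call AWS. All bucket names, ARNs and function names are constructed for the example. It also shows the one place where the proposed API needs care: an IAM group cannot be a `Principal` in a bucket (resource) policy, so "allow this group to read" has to be expressed as an identity policy attached to the group, while a user or role can be granted either way.

```python
import json
from urllib.parse import quote

# Constructed example; none of these names are sixtyfour's own API.
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject"}


def _object_statement(sid, principal, actions, bucket):
    """Allow statement on the objects inside the bucket (arn:aws:s3:::bucket/*)."""
    stmt = {"Sid": sid, "Effect": "Allow", "Action": sorted(actions),
            "Resource": f"arn:aws:s3:::{bucket}/*"}
    if principal is not None:          # identity policies carry no Principal
        stmt["Principal"] = principal
    return stmt


def _bucket_statement(sid, principal, bucket):
    """Allow statement on the bucket itself; s3:ListBucket is a bucket-level action."""
    stmt = {"Sid": sid, "Effect": "Allow", "Action": ["s3:ListBucket"],
            "Resource": f"arn:aws:s3:::{bucket}"}
    if principal is not None:
        stmt["Principal"] = principal
    return stmt


def public_read_bucket_policy(bucket):
    """Bucket policy letting anyone read objects: the aws_bucket_as_public() case."""
    return {"Version": "2012-10-17",
            "Statement": [_object_statement("PublicRead", "*", {"s3:GetObject"}, bucket)]}


def principal_bucket_policy(bucket, principal_arn, write=False):
    """Bucket policy granting one IAM user or role read (or read+write) access.
    IAM groups are not valid principals in a bucket policy; use identity_policy()."""
    if ":group/" in principal_arn:
        raise ValueError("IAM groups cannot be principals in a bucket policy")
    principal = {"AWS": principal_arn}
    actions = {"s3:GetObject"} | (WRITE_ACTIONS if write else set())
    return {"Version": "2012-10-17",
            "Statement": [_bucket_statement("ListBucket", principal, bucket),
                          _object_statement("ObjectAccess", principal, actions, bucket)]}


def identity_policy(bucket, write=False):
    """IAM identity policy (no Principal) to attach to a user, group or role:
    the aws_group(...) %>% aws_bucket_allow_read[_write]() case."""
    actions = {"s3:GetObject"} | (WRITE_ACTIONS if write else set())
    return {"Version": "2012-10-17",
            "Statement": [_bucket_statement("ListBucket", None, bucket),
                          _object_statement("ObjectAccess", None, actions, bucket)]}


def public_object_url(bucket, region, key):
    """Virtual-hosted-style URL for aws_file_url(type = "public"). The URL only
    resolves if a public-read policy is attached and Block Public Access permits it."""
    return f"https://{bucket}.s3.{region}.amazonaws.com/{quote(key)}"


def _is_anonymous(principal):
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def anonymous_write_sids(policy):
    """Sids of Allow statements giving an anonymous principal write or wildcard access.
    A helper like aws_bucket_as_public() should never produce one of these."""
    risky = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(a in ("s3:*", "*") or a in WRITE_ACTIONS for a in actions):
            risky.append(stmt.get("Sid", "<no sid>"))
    return risky


if __name__ == "__main__":
    bucket = "example-sixtyfour-bucket"                 # constructed name
    role = "arn:aws:iam::123456789012:role/uploader"    # constructed ARN
    print(json.dumps(public_read_bucket_policy(bucket), indent=2))
    print(json.dumps(principal_bucket_policy(bucket, role, write=True), indent=2))
    print(json.dumps(identity_policy(bucket, write=False), indent=2))
    print(public_object_url(bucket, "us-west-2", "reports/q4 2023.csv"))
```

Two caveats a wrapper would need to surface: attaching the public-read policy is not enough on its own, because the bucket's Block Public Access settings also have to allow public policies; and the `anonymous_write_sids` check is the kind of guard worth running before any policy is applied, since a statement with `Principal: "*"` and `s3:*` or `s3:PutObject` makes the bucket world-writable.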

@sckott sckott changed the title Bucket policies Bucket (and file?) policies Jan 10, 2024
@sckott
Member Author

sckott commented Jan 10, 2024

@seankross #21 may be the same as

"Some functionality where you can get a public file's public URL"

or at least related.
