Uly.me

cloud engineer

role

GCP Role Policy Binding

How to display the policy binding.

gcloud compute instances get-iam-policy SERVER --project=PROJECT_ID --zone=ZONE

Result

# There is no binding policy
etag: ACAB
 
# There is a binding policy
bindings:
- members:
  - serviceAccount:SERVICEACCOUNT
  role: organizations/xxxxxxxxxxxx/roles/ROLE
etag: xxxxxxxxxxx=
version: 1

Add a role binding policy

gcloud compute instances add-iam-policy-binding SERVER \
--project=PROJECT_ID \
--zone=ZONE \
--member=serviceAccount:SERVICEACCOUNT \
--role="organizations/xxxxxxxxxxxx/roles/ROLE"

Remove a role binding policy

gcloud compute instances remove-iam-policy-binding SERVER \
--project=PROJECT_ID \
--zone=ZONE \
--member=serviceAccount:SERVICEACCOUNT \
--role="organizations/xxxxxxxxxxxx/roles/ROLE"

S3 Browser IAM Assume Role

S3 Browser is a free Windows client for accessing AWS S3 buckets. You can access S3 buckets with an interface similar to File Manager. A typical setup requires that you use access and secret keys to connect to the S3 browser. However, if the server is in the cloud, it’s better that use a machine profile with an assume role. The assume role gets temporary credentials until they expire. They are automatically rotated by AWS behind the scenes for you. This is much safer process than storing key credentials in the cloud. The good news is, S3 Browser support IAM assume roles. Here’s the setup instructions to get your S3 Browser configured using IAM assume role. Here’s IAM role explained.

AWS S3 Replication Policy

Here’s the policy for S3 replication between regions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:Get*",
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::source-bucket-name",
                "arn:aws:s3:::source-bucket-name/*"
            ]
        },
        {
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ReplicateTags",
                "s3:GetObjectVersionTagging"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::destination-bucket-name/*"
        }
    ]
}

GCP Add IAM Role to Service Account

Here’s how to add an IAM role to a GCP Service Account.

gcloud projects add-iam-policy-binding your-project-id \
--member serviceAccount:service-account-name@your-project-id.iam.gserviceaccount.com \
--role roles/storage.objectAdmin

AWS Glacier Setup via S3

You can setup AWS Glacier via S3 bucket replication. Create a S3 bucket and slap this bucket policy.

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::your-bucket-storage-name/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "10.0.0.0/8"
                }
            }
        },
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::your-bucket-storage-name/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        },
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::your-bucket-name/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}

Add this policy to your IAM user or role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::your-bucket-name/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:List*",
                "s3:Get*"
            ],
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

Finally, add a lifecycle policy to move your files from Standard to Glacier storage type.