An example of how to set up S3 buckets for Lookerbot
partially fixes looker#31
osigida committed Aug 15, 2017
1 parent 6b5552d commit 8a8015a
Showing 3 changed files with 53 additions and 0 deletions.
1 change: 1 addition & 0 deletions .gitignore
@@ -2,3 +2,4 @@ node_modules
.env
docker-compose.yml
npm-debug.log
.idea/
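Review bot: the `.idea/` entry is an IDE-specific artifact unrelated to the S3 setup this commit is about (the message says it partially fixes looker#31); consider moving it to its own commit, or keeping editor directories in a per-user global gitignore rather than the project's `.gitignore`.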
2 changes: 2 additions & 0 deletions README.md
@@ -99,6 +99,8 @@ There are a couple environment variables that can be used to tweak behavior:

- `AWS_SECRET_ACCESS_KEY` (optional) – If you want to use Lookerbot to post visualization images, provide an Amazon S3 secret access key that can write to the provided bucket.

You can find an example how to configure access to S3 bucket [here](s3-bucket-access.md)

###### Microsoft Azure

- `AZURE_STORAGE_ACCOUNT` (optional) - If you want to use Microsoft Azure Storage to store visualization images posted by Lookerbot, provide the name of your Azure Storage account.
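Review bot: the added README sentence reads awkwardly and uses a bare `here` link; suggest `An example of how to configure access to an S3 bucket is in [s3-bucket-access.md](s3-bucket-access.md).` so the target is visible in plain text as well. It would also help to say that the example covers both the bucket and the IAM user whose key is supplied through the `AWS_SECRET_ACCESS_KEY` variable described just above.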
50 changes: 50 additions & 0 deletions s3-bucket-access.md
@@ -0,0 +1,50 @@
# AWS S3 Bucket access setup example

To keep AWS infrastructure safe and out of risk to leak any data through Lookerbot account
it is better to create dedicated AMI user, S3 Bucket and restrict access for the user only to the bucket.

Here is an example how to achieve that:

1. Create an S3 Bucket, f.ex. `lookerbot-s3-bucket`.<br />
It should stay private. No special configuration required.

2. Create an IAM policy, named f.ex `lookerbot-policy`, like
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::lookerbot-s3-bucket"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::lookerbot-s3-bucket/*"
]
}
]
}
```
The policy consists of 2 sections:
- first allows to list the bucket itself,
- seconds allows to put, get and delete objects in the bucket and to put objects ACL

More on ARN bucket names could be found on [AWS Docs](http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-s3)

3. Create an IAM account, f.ex `lookerbot`. <br />
Enable `Programmatic access` only.

4. Go to the summary page for `lookerbot` user. <br />
On `Permissions` section add `lookerbot-policy` to it.
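Review bot: the second policy statement grants `s3:PutObjectAcl` on every object in the bucket, which lets the Lookerbot key rewrite an object's ACL (including marking individual images publicly readable), so step 1's note that the bucket "should stay private" needs a sentence explaining why ACL writes are required and what exposure they imply; if Lookerbot does not actually need to set ACLs, drop that action so the user keeps only put/get/delete. Smaller points in the same file: `AMI user` in the intro should read `IAM user`; the fenced block should be tagged ```json so the policy is highlighted; `seconds allows` should read `the second allows`; and step 3 could mention that the access key generated for the `lookerbot` user is what goes into the `AWS_*` environment variables documented in the README.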

0 comments on commit 8a8015a
