
Best practice for securing instances access to private storage buckets

Accepted answer

There are at least two different ways that something (such as cloud-init) running on an instance can download something from a private bucket. Pros and cons of each are...? Best practices?

Opt 1. Create an account for the thing and use curl (or wget) to POST to the bucket API with a key, control what the account can access using regular policies.

  • doesn't work with MFA
  • key rotation should be performed
  • difficult to integrate with federation
  • ?

Opt 2. Create a pre-approved access URL for the bucket and GET from that URL.

  • crazy long URLs that need updating when pre-approval expires
  • expiry date (auditors seem to love them)
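
How the pre-approved URL in Opt 2 behaves, as an added example that is not part of the original post and not any storage provider's API: a generic HMAC-signed URL with an expiry, where the URL itself is the only credential. The signing key, host, object paths and function names are constructed assumptions; real providers use their own URL formats.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for illustration only (assumptions, not a real service).
SECRET = b"constructed-demo-signing-key"
BASE = "https://storage.example.invalid"


def _sig(method: str, path: str, expires: int) -> str:
    # The signature binds the HTTP method, the object path and the expiry.
    msg = f"{method}\n{path}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_url(path: str, now: int, ttl: int) -> str:
    """Issue a GET-only URL for one object that stops working at now + ttl."""
    expires = now + ttl
    query = urlencode({"expires": expires, "sig": _sig("GET", path, expires)})
    return f"{BASE}{path}?{query}"


def check(method: str, url: str, now: int) -> str:
    """Storage-side decision for a request carrying no other credential."""
    parts = urlparse(url)
    q = parse_qs(parts.query)
    try:
        expires = int(q["expires"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return "deny: malformed"
    expected = _sig(method, parts.path, expires)
    # Constant-time compare; checked before expiry so an edited expiry fails here.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return "deny: bad signature"
    if now >= expires:
        return "deny: expired"
    return "allow"  # whoever holds the URL is allowed: no account, no MFA


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed issue time (epoch seconds)
    url = make_url("/b/config/o/bootstrap.sh", t0, ttl=3600)
    print(url)
    print(check("GET", url, t0 + 10))     # within the validity window
    print(check("GET", url, t0 + 3600))   # at expiry: URL must be reissued
    print(check("POST", url, t0 + 10))    # method not covered by the signature
```

Because the URL is a bearer credential, it needs the same handling as a key wherever it is stored or logged, for instance in instance user-data.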
