Using IAM for user authentication
- by mdavis6890
I've read lots and lots of posts that touch on what I think should be a very common use case - but without finding exactly what I want, or a simple reason why it can't be done.
I have some files on S3. I want to be able to grant certain users access to certain files, via a front end that I build.
So far, I've made it work this way:
I built the front end in Django, using it's built-in Users and Groups
I have a model for Buckets, in which I mirror my S3 buckets.
I have a m2m relationship from groups to buckets representing the S3 permissions.
The user logs in and authenticates against Django's users.
I grab from Django the list of buckets that the user is allowed to see
I use boto to grab a list of links to files from those buckets and display to user.
This works, but isn't ideal, and also just doesn't feel right. I've got to keep a mirror of the buckets, and I also have to maintain my own list of user/passwords and permissions, when AWS already has all that built in.
What I really want is to simply create the users in IAM and use group permissions in IAM to control access to the S3 buckets. No duplication of data or function. My app would request a UN/PW from the user and use that to connect to IAM/S3 to pull the list of buckets and files, then display links to the user. Simple.
How can I, or why can't I?
Am I looking at this the wrong way?
What's the "right" way to address this (I assume) very common use case?
