If you want to connect another AWS service to Idealstack - how you do it depends on what type of service it is:

  • Some AWS services use Network-based security for access control.  Examples of these are RDS, EFS, EC2, Elasticache. For these types of services you would connect them to Idealstack using VPC Peering, as described in our doc: Connecting shared resources in another VPC to Idealstack

  • Many other AWS services use IAM for access control.  Examples of these are S3, DynamoDB, SQS and more. One way to connect to these services is to create an IAM user and put its access key and secret in your app's configuration, but a long-lived key like that can leak and is awkward to rotate. There is a more secure way: attach an IAM policy to the site and let the site's service role supply the credentials.

Using IAM policies you can authorize a single site on your Idealstack stack to access these resources without managing passwords or access keys, and without the possibility of other sites on the stack 'hacking' this access.  Setting the policy in Idealstack attaches it to the site's 'service role', whose (temporary) credentials only that site can obtain, so no long-lived secret ever sits in the site's code or configuration.

Use an IAM policy to grant access to an AWS service to an Idealstack site

For this example we are going to grant an Idealstack site the ability to upload to an S3 bucket. The process is similar for other IAM-controlled AWS services.

  1. Create and configure the service you want to connect to

  2. Create an IAM policy granting access to this service. Scope it to the minimum the site needs (for example, only s3:PutObject on the one bucket rather than s3:* on all buckets), since everything the policy allows is reachable from the site's code:
    https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html

  3. In Idealstack edit the site you would like to grant this access to

  4. Near the bottom of the page click to open up Advanced Settings

  5. Paste in the ARN of the policy

    1. To find the ARN of a policy, open the policy from the IAM Policies list and copy the ARN shown in its summary section:
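
As an added example of the policy created in step 2 (it is not from the Idealstack docs), here is a least-privilege policy that lets the site upload objects and nothing else. The bucket name example-site-uploads is a placeholder; replace it with your own bucket:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUploadsToSiteBucketOnly",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::example-site-uploads/*"
    }
  ]
}
```

If the site also needs to read or list what it uploaded, add s3:GetObject on the same object ARN and s3:ListBucket on the bucket ARN (arn:aws:s3:::example-site-uploads) rather than widening to s3:*. Whatever you grant here is exactly what the site's code can do, so keep it to the actions the application actually calls.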


Using the IAM policy in your code


If you are connecting to the AWS service using the AWS SDK for PHP, you use the linked policy by not passing any credentials when creating the client object. With no 'credentials' entry the SDK falls back to its default credential provider chain, which picks up the site's service role. Make sure nothing earlier in that chain is configured on the site (the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables or a ~/.aws/credentials file), because those take precedence over the role. E.g.:

        <?php
        // Load the AWS SDK for PHP (installed with Composer)
        require 'vendor/autoload.php';

        use Aws\S3\S3Client;

        // Create an S3Client. With no 'credentials' entry the SDK resolves
        // the site's service role automatically.
        $s3Client = new S3Client([

        // OMIT THIS:
        //    'credentials' => [
        //                 'key' => $key,
        //                 'secret' => $secret,
        //   ],

            'region' => 'us-west-2',
            'version' => '2006-03-01'
        ]);
        ?>
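
The following is an added example (it is not code from the Idealstack docs) that carries the walkthrough through to an actual upload and includes the check a practitioner usually wants first: asking STS which identity the SDK resolved, which should come back as the site's service role and not an IAM user. The bucket name, object key, local file path and region are assumptions; the object key and bucket must match the Resource in the policy you attached.

```php
<?php
// Added example: upload a file to S3 from an Idealstack site using only the
// site's service role. No access key or secret appears anywhere in this code.
require __DIR__ . '/vendor/autoload.php';

use Aws\Exception\AwsException;
use Aws\S3\S3Client;
use Aws\Sts\StsClient;

$region    = 'us-west-2';               // assumption: region of the bucket
$bucket    = 'example-site-uploads';    // assumption: bucket named in the policy
$localFile = __DIR__ . '/logo.png';     // assumption: file to upload
$objectKey = 'uploads/' . basename($localFile);

// Sanity check: with no 'credentials' passed, the default provider chain
// supplies the credentials. The ARN printed here should be the site's
// service role; if it is an IAM user, an environment variable or a
// ~/.aws/credentials file on the site is overriding the role.
$sts = new StsClient(['region' => $region, 'version' => '2011-06-15']);
$identity = $sts->getCallerIdentity();
echo "Running as: {$identity['Arn']}\n";

$s3 = new S3Client(['region' => $region, 'version' => '2006-03-01']);

try {
    $result = $s3->putObject([
        'Bucket'      => $bucket,
        'Key'         => $objectKey,
        'SourceFile'  => $localFile,
        'ContentType' => 'image/png',
    ]);
    echo "Uploaded to: {$result['ObjectURL']}\n";
} catch (AwsException $e) {
    // AccessDenied here normally means the policy ARN is not attached to
    // this site, or the policy's Resource does not cover this bucket/key.
    fwrite(STDERR, 'Upload failed: ' . $e->getAwsErrorCode() . ' - ' . $e->getAwsErrorMessage() . "\n");
    exit(1);
}
```

Run it once from the site after attaching the policy ARN: a successful upload plus a role ARN from getCallerIdentity confirms both that the policy is attached and that no stray static credentials are being picked up ahead of the service role. If you later tighten the policy, an AccessDenied from this script is the quickest way to see which action or resource you removed.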