- Jamf Nation Community
- Products
- Jamf Pro
- Re: Cloud Distribution Point using S3 - IAM restri...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Cloud Distribution Point using S3 - IAM restrictions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-04-2014 06:34 AM
Hello all,
Curious if anyone has successfully set up the cloud distribution point in S3 with account permissions that restrict the account to a single bucket as opposed to giving the jss account blanket access to all S3 buckets. Does the distro point use resources other than S3 (I dont think it does). Also curious if someone can point me in the direction of some documentation about cloud distribution points in S3, I'm new and can't seem to find anything more than a blurb (maybe a page) on setup.
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 07-01-2014 07:52 PM
It seems as though the cloud distribution point also uses AWS's CloudFront CDN (sweet). I would still like to be able to reduce the exposure that this account has to our AWS instance. Has anyone done this successfully?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 07-22-2014 11:39 AM
I'm seeing similar behavior - the distribution point setup seems to want to create a bucket (?? - I was hoping to set up a pre-created one with appropriate permissions for the IAM user).
Did you find out what permissions the IAM user needs? Also, what is the bucket name that gets created?
(Guess the safest option would be to create a secondary AWS account for casper's S3 plots - I really don't feel comfortable giving anything CreateBucket/DeleteBucket permissions on an account with existing S3 buckets)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 07-25-2014 01:18 PM
Anyone have ANY information on this? I have permission to create buckets and it's still failing.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 07-25-2014 04:24 PM
OK, I finally got it! In addition to the S3 permissions (I granted all perms on buckets named jamf*, see the attached policy docs), you also need CloudFront permissions. I'm not sure I'm super pleased by how wide the access is, and I'll experiment some more, but in the meantime here's what let me add an AWS master file distribution point:
(This is currently what we use to tighten down access during cloud distribution point creation; when the S3 bucket has been created, we substitute the "arn:aws:s3:::jamf" for ```
[ "arn:aws:s3:::jamf<concrete hex string>", "arn:aws:s3:::jamf<concrete hex string>/" ]
```)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1406324790001",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::jamf*"
]
},
{
"Sid": "Stmt1406330427000",
"Effect": "Allow",
"Action": [
"cloudfront:CreateCloudFrontOriginAccessIdentity",
"cloudfront:CreateDistribution",
"cloudfront:CreateInvalidation",
"cloudfront:CreateStreamingDistribution",
"cloudfront:GetCloudFrontOriginAccessIdentity",
"cloudfront:GetCloudFrontOriginAccessIdentityConfig",
"cloudfront:GetDistribution",
"cloudfront:GetDistributionConfig",
"cloudfront:GetInvalidation",
"cloudfront:GetStreamingDistribution",
"cloudfront:GetStreamingDistributionConfig",
"cloudfront:ListCloudFrontOriginAccessIdentities",
"cloudfront:ListDistributions",
"cloudfront:ListInvalidations",
"cloudfront:ListStreamingDistributions",
"cloudfront:UpdateCloudFrontOriginAccessIdentity",
"cloudfront:UpdateDistribution",
"cloudfront:UpdateStreamingDistribution"
],
"Resource": [
"*"
]
}
]
}
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-21-2014 01:54 PM
Good call on the CloudFront!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-02-2015 02:45 PM
hi, i am just trying this for the first time today, and was pointed to this thread by my AM.
I pretty much give all the rights(e3 and cloudfront) under the IAM console to a user i called "casper", even cut and paste the above code into a custom policy, still no luck.
keep on getting the "Unable to create distribution for this bucket" error after i enter my key.
in amazon's console, i can see a folder / bucket called jamfxxxxxxx being created every time i click "save" on JSS, but the error message is still there...
any ideas?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-27-2017 07:38 AM
We too are seeing the issue @dyyuan is. What is unexpected to me is there is no logging in the JSS log. Do we need to enable verbose logging?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-27-2017 11:03 AM
For anyone else in the future:
Found another thread mentioning a defect when using a Java newer than 8u45. Installed that version of the JDK and all was well.
