Make your blog faster (part 3)

In part two of this series we dealt with Amazon’s Identity and Access Management and set up a technical account that your WordPress blog will use to connect with your cloud space. Now we are going to put it into a ‘group’, associate a set of permissions with it and finally create a ‘bucket’ that will eat up our data. Fasten your seat belt!

At the end of part two we were admiring our newly created user. Once we’re in Identity and Access Management, click „Groups“, followed by a click on „Create New Group“. Basically you enter a group name, associate permissions and you’re done. Let’s see an example. I’ve created two groups for a total of three accounts. There is one „admin“ account and two blog accounts (each for a separate blog). The first one resides in the „Admin“ group, while the blog accounts have their „Blogs“ group.

IAM: Groups: Blogs

After creating a group you populate it with one or more users. The next step deals with their access rights. This can be tricky, because you don’t want to allow them more than they actually need to do their work. Fortunately, Amazon has made it rather easy for us to choose the correct permissions. Hit „Attach (Another) Policy“ and select one of the policy templates that suits your needs:

IAM: Set Permissions

For a group with „admin“ users choose the „Administrator Access“ template. For the „Blogs“ group you need „IAM Read Only Access“, „CloudFront Full Access“, and „Amazon S3 Full Access“. In the end you will have three policies listed under „Permissions“ for the „Blogs“ group. This is certainly not the answer to everything, because these actions are still far-reaching. After tinkering a bit my policies look like these:

These permissions are available on the Groups -> Blogs page; in the “Permissions” section click on ‘Manage Policy’. It’s easier to display policies this way than to show screenshots.

When you switch back to the „Users“ settings you can see that the new groups have been associated with the appropriate user(s). You might add individual user policies here, but I wouldn’t recommend that; better modify permissions on the group level.

At Users -> Security Credentials you can find other interesting options. If you ever want to renew the access keys (that’s the stuff WordPress uses for authorizing at AWS, remember) or if you want to use a 2/Multi-factor authentication device (like a security token or Google’s authenticator app on your smartphone), then you can set up these things here.

IAM: Security Credentials

Now we finally have accounts in groups with fitting permissions. You can enter the access key and secret key in WordPress -> Performance -> CDN -> Configuration:

WP: CDN Access Key

Bucket Creation

The next part deals with the bucket creation. What’s a bucket? Think of it as a container for storing your data in Amazon S3. You can create several of them, each one for different purposes. Amazon allows you to specify the bucket’s geographical region (that is, the data centre), which will speed things up if this data centre is nearby. Enter the AWS console, click on S3, then the „Create Bucket“ button, and choose a name and a region fitting your needs. The bucket will be created instantly. That’s the data sink of your CDN.

Create a bucket

When you click on the magnifying glass icon next to the name of your bucket, various properties emerge. There is a nasty issue that might urge you to add some info in the „Permissions“ section, but let’s do that later. If you click on the bucket’s name, S3 tells you that the bucket is empty at this time. The plan is to copy all static content from your blog to S3, and with the creation of this bucket we have completed another important step. Now we have to connect this bucket to CloudFront: this is done with ‚distributions‘, which specify the delivery method for the content in that S3 bucket.

So enter the AWS console, click on CloudFront, and then hit the „Create Distribution“ button in the CloudFront Distributions screen. Here you have to decide if you want a „Web“ or an „RTMP“ distribution. For a normal website like ours, choose the first one and click „Get Started“.

Oh my! Another bunch of options. Let’s take one after another. In the next part.

About Manfred Berndtgen

Manfred Berndtgen, maintainer of this site, is a part-time researcher with enough spare time for doing useless things and sharing them with the rest of the world. His main photographic subjects are made of plants or stones, and since he's learning Haskell everything seems functional to him.