From fd2e917ceb125b194854199edf8b280641e4ff05 Mon Sep 17 00:00:00 2001
From: Wan Liuyang
Date: Tue, 6 Feb 2018 15:14:37 +0800
Subject: [PATCH 1/3] Use AWS IAM roles

- Remove usage of AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
- Add instructions to set up IAM role

---
 docs/deployment-with-docker.rst | 7 +++++++
 .../config/settings/production.py | 2 --
 {{cookiecutter.project_slug}}/env.example | 2 --
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/docs/deployment-with-docker.rst b/docs/deployment-with-docker.rst
index fb383c3c..2ded1286 100644
--- a/docs/deployment-with-docker.rst
+++ b/docs/deployment-with-docker.rst
@@ -42,6 +42,13 @@ You will probably also need to setup the Mail backend, for example by adding a `
 .. _sentry.io: https://sentry.io/welcome
 .. _Mailgun: https://mailgun.com
 
+Create AWS IAM Role for EC2 instance
+------------------------------------
+As a security best practice, we don't store `AWS_ACCESS_KEY_ID` AND `AWS_SECRET_ACCESS_KEY` on the server. In stead, in order to authorize Django to access your S3 bucket, you need to create an `IAM role`_ and `attach`_ it to the existing EC2 instance or create a new EC2 instance with that role. This role should assume a minimum permission of `AmazonS3FullAccess`.
+
+.. _IAM role: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
+.. _attach: https://aws.amazon.com/blogs/security/easily-replace-or-attach-an-iam-role-to-an-existing-ec2-instance-by-using-the-ec2-console/
+
 HTTPS is on by default
 ----------------------
 
diff --git a/{{cookiecutter.project_slug}}/config/settings/production.py b/{{cookiecutter.project_slug}}/config/settings/production.py
index 33542fbf..fc4eb76e 100644
--- a/{{cookiecutter.project_slug}}/config/settings/production.py
+++ b/{{cookiecutter.project_slug}}/config/settings/production.py
@@ -94,8 +94,6 @@ INSTALLED_APPS += ['gunicorn', ]
 # See: http://django-storages.readthedocs.io/en/latest/index.html
 INSTALLED_APPS += ['storages', ]
 
-AWS_ACCESS_KEY_ID = env('DJANGO_AWS_ACCESS_KEY_ID')
-AWS_SECRET_ACCESS_KEY = env('DJANGO_AWS_SECRET_ACCESS_KEY')
 AWS_STORAGE_BUCKET_NAME = env('DJANGO_AWS_STORAGE_BUCKET_NAME')
 AWS_AUTO_CREATE_BUCKET = True
 AWS_QUERYSTRING_AUTH = False
diff --git a/{{cookiecutter.project_slug}}/env.example b/{{cookiecutter.project_slug}}/env.example
index 420ab4a5..c83b3a83 100644
--- a/{{cookiecutter.project_slug}}/env.example
+++ b/{{cookiecutter.project_slug}}/env.example
@@ -15,8 +15,6 @@ DJANGO_SECRET_KEY=CHANGEME!!!
 DJANGO_ALLOWED_HOSTS=.{{ cookiecutter.domain_name }}
 
 # AWS Settings
-DJANGO_AWS_ACCESS_KEY_ID=
-DJANGO_AWS_SECRET_ACCESS_KEY=
 DJANGO_AWS_STORAGE_BUCKET_NAME=
 
 # Used with email

From 7aabfa0c36eab591e63654bc8b502db5c1e2542a Mon Sep 17 00:00:00 2001
From: Wan Liuyang
Date: Tue, 6 Feb 2018 15:52:34 +0800
Subject: [PATCH 2/3] Fix typo and revert AWS environment variable

---
 docs/deployment-with-docker.rst | 2 +-
 {{cookiecutter.project_slug}}/config/settings/production.py | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/docs/deployment-with-docker.rst b/docs/deployment-with-docker.rst
index 2ded1286..eeba285a 100644
--- a/docs/deployment-with-docker.rst
+++ b/docs/deployment-with-docker.rst
@@ -44,7 +44,7 @@ You will probably also need to setup the Mail backend, for example by adding a `
 
 Create AWS IAM Role for EC2 instance
 ------------------------------------
-As a security best practice, we don't store `AWS_ACCESS_KEY_ID` AND `AWS_SECRET_ACCESS_KEY` on the server. In stead, in order to authorize Django to access your S3 bucket, you need to create an `IAM role`_ and `attach`_ it to the existing EC2 instance or create a new EC2 instance with that role. This role should assume a minimum permission of `AmazonS3FullAccess`.
+As a security best practice, we don't store `AWS_ACCESS_KEY_ID` AND `AWS_SECRET_ACCESS_KEY` on the server. Instead, in order to authorize Django to access your S3 bucket, you need to create an `IAM role`_ and `attach`_ it to the existing EC2 instance or create a new EC2 instance with that role. This role should assume a minimum permission of `AmazonS3FullAccess`.
 
 .. _IAM role: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
 .. _attach: https://aws.amazon.com/blogs/security/easily-replace-or-attach-an-iam-role-to-an-existing-ec2-instance-by-using-the-ec2-console/
diff --git a/{{cookiecutter.project_slug}}/config/settings/production.py b/{{cookiecutter.project_slug}}/config/settings/production.py
index fc4eb76e..33542fbf 100644
--- a/{{cookiecutter.project_slug}}/config/settings/production.py
+++ b/{{cookiecutter.project_slug}}/config/settings/production.py
@@ -94,6 +94,8 @@ INSTALLED_APPS += ['gunicorn', ]
 # See: http://django-storages.readthedocs.io/en/latest/index.html
 INSTALLED_APPS += ['storages', ]
 
+AWS_ACCESS_KEY_ID = env('DJANGO_AWS_ACCESS_KEY_ID')
+AWS_SECRET_ACCESS_KEY = env('DJANGO_AWS_SECRET_ACCESS_KEY')
 AWS_STORAGE_BUCKET_NAME = env('DJANGO_AWS_STORAGE_BUCKET_NAME')
 AWS_AUTO_CREATE_BUCKET = True
 AWS_QUERYSTRING_AUTH = False

From 5f068dd972532f906dd4cfdbcf346a02f87a0056 Mon Sep 17 00:00:00 2001
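Review bot: The two re-added settings call `env('DJANGO_AWS_ACCESS_KEY_ID')` and `env('DJANGO_AWS_SECRET_ACCESS_KEY')` with no default, so a deployment that follows this series' own advice to authenticate through an EC2 instance role and drop those variables from `.env` fails at settings import with ImproperlyConfigured instead of falling back to the instance profile. Making them optional, `AWS_ACCESS_KEY_ID = env('DJANGO_AWS_ACCESS_KEY_ID', default=None)` and `AWS_SECRET_ACCESS_KEY = env('DJANGO_AWS_SECRET_ACCESS_KEY', default=None)`, lets django-storages leave credential discovery to boto's default chain when no static key is configured; I believe an empty or None key setting is what triggers that fallback, but it is worth confirming against the pinned django-storages version. A short comment above the pair, `# Leave unset to authenticate via the EC2 instance role instead of static keys`, would make the intended choice visible to whoever fills in the `.env`.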
From: Wan Liuyang
Date: Wed, 28 Feb 2018 11:33:39 +0800
Subject: [PATCH 3/3] Revert environment variables and update docs

---
 docs/deployment-with-docker.rst | 4 ++--
 {{cookiecutter.project_slug}}/env.example | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/docs/deployment-with-docker.rst b/docs/deployment-with-docker.rst
index eeba285a..25ff7cb9 100644
--- a/docs/deployment-with-docker.rst
+++ b/docs/deployment-with-docker.rst
@@ -42,9 +42,9 @@ You will probably also need to setup the Mail backend, for example by adding a `
 .. _sentry.io: https://sentry.io/welcome
 .. _Mailgun: https://mailgun.com
 
-Create AWS IAM Role for EC2 instance
+Optional: Use AWS IAM Role for EC2 instance
 ------------------------------------
-As a security best practice, we don't store `AWS_ACCESS_KEY_ID` AND `AWS_SECRET_ACCESS_KEY` on the server. Instead, in order to authorize Django to access your S3 bucket, you need to create an `IAM role`_ and `attach`_ it to the existing EC2 instance or create a new EC2 instance with that role. This role should assume a minimum permission of `AmazonS3FullAccess`.
+If you are deploying to AWS, you can use the IAM role to substitute AWS credentials, after which it's safe to remove the `AWS_ACCESS_KEY_ID` AND `AWS_SECRET_ACCESS_KEY` from the `.env`. To do it, create an `IAM role`_ and `attach`_ it to the existing EC2 instance or create a new EC2 instance with that role. The role should assume a minimum permission of `AmazonS3FullAccess`.
 
 .. _IAM role: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
 .. _attach: https://aws.amazon.com/blogs/security/easily-replace-or-attach-an-iam-role-to-an-existing-ec2-instance-by-using-the-ec2-console/
diff --git a/{{cookiecutter.project_slug}}/env.example b/{{cookiecutter.project_slug}}/env.example
index 757c4ef0..1d28cb59 100644
--- a/{{cookiecutter.project_slug}}/env.example
+++ b/{{cookiecutter.project_slug}}/env.example
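Review bot: The new heading `Optional: Use AWS IAM Role for EC2 instance` is 43 characters long but keeps the 36-dash underline that fitted the old title, so docutils will flag this section with "Title underline too short"; extend the underline to at least the heading's length. The paragraph also tells readers it is safe to remove `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` from `.env`, yet `config/settings/production.py` as left by the previous patch reads them through `env()` with no default, so deleting them makes settings import raise; either the settings gain a `default=None` or the text should say to leave the two variables empty rather than remove them. `AmazonS3FullAccess` grants access to every bucket in the account and is not a "minimum permission", which undercuts the least-privilege argument the section makes; recommend an inline policy scoped to the project's bucket (object read/write/delete on that bucket plus `s3:ListBucket`, and bucket creation only if `AWS_AUTO_CREATE_BUCKET = True` is kept). Minor: single backticks are interpreted text in reStructuredText, so the setting names should be double-backtick literals, and "AND" reads better as "and".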
@@ -15,6 +15,8 @@ DJANGO_SECRET_KEY=!!!SET DJANGO_SECRET_KEY!!!
 DJANGO_ALLOWED_HOSTS=.{{ cookiecutter.domain_name }}
 
 # AWS Settings
+DJANGO_AWS_ACCESS_KEY_ID=
+DJANGO_AWS_SECRET_ACCESS_KEY=
 DJANGO_AWS_STORAGE_BUCKET_NAME=
 
 # Used with email