Unfuddle asks for the 'access key id' and 'secret access key' in order that their scripts can write direct to your bucket. This is great, but armed with both those keys an attacker can easily access ALL of the buckets associated with that account. Our main account has potentially sensitive data in some of the buckets, so there is obviously no way we'd share the keys to that account with anyone.
Instead, what we can do is to create a completely new AWS account, and from the main account grant access to the new account ONLY to the bucket that'll contain the unfuddle backups. Note that you do not need a credit card number to do this, as the new account will not 'own' any of its own buckets. Also note that usage charges for the backup bucket will be applied to the main account.
Here's how: (note this tutorial requires Cyberduck, a free S3 and FTP client).
- Make a new email address such as email@example.com.
- Go to amazonaws.com, and sign up for a new account using the new email addres
- When you are logged in, choose 'account' from the main menu, then 'security credentials'
- In the passwords file, record the email you used, and the 'access key ID' and 'secret access key'.
- Log in to your main AWS account using Cyberduck.
- Create a new bucket, called, for instance myproject.example.com
- Right-click the new bucket, click Info and click the Permissions tab
- Click the cog icon, then Amazon Customer Email address.
- Type firstname.lastname@example.org. In the right column, choose WRITE
- Repeat the last two steps, but choose READ in the right column. (this step is optional)
- Your user now has read and write access to the myproject.example.com bucket.
Note that if you try to use Cyberduck to view the S3 account for the email@example.com it will fail. This is because Cyberduck uses s3 features that assume that the account is signed up for S3 services (which requires a credit card). For the same reason using s3cmd (command-line tools for S3 acccess) to list all buckets will also fail. However, using s3cmd to view the contents of the specific bucket we have granted access to will succeed (for example s3cmd ls s3://myproject.example.com will work)
This tutorial assumes unfuddle, but will work for any third-party cloud service that wants to read or write to S3 buckets.
Thanks to Tom & Richard of Calvium for the idea, and for their help setting this up.
EDIT: 16-02-2011. This currently doesn't work properly on unfuddle due to their system failing in the same way that cyberduck does. Am in contact with them to sort it out