Role-Based S3 Access with HashiCorp Boundary

A single Boundary worker connects. On the other side, an S3 bucket waits, exposed only through the role you define.

HashiCorp Boundary gives you a secure way to broker credentials without handing them out. When paired with AWS S3 read-only roles, you can let users or services pull objects without granting broader access or storing static keys. The result: least privilege, delivered just in time.

Start with a Boundary target that points to AWS. Use Boundary’s credential store integration with AWS IAM. Define a role with an IAM policy that grants only the s3:GetObject permission on the specific bucket or path and nothing else; in particular, the role must not carry write actions such as s3:PutObject or s3:DeleteObject.

In AWS IAM, create the policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket-name/*"
    }
  ]
}

Attach this policy to a role assumed by Boundary’s AWS credential store. Configure the credential store with STS so Boundary can fetch temporary credentials tied to the read-only role. This avoids embedding static IAM keys anywhere in your code or infrastructure.

Within Boundary, assign the credential store to your target. When a session starts, Boundary calls AWS STS to assume the S3 read-only role. The user receives temporary access scoped exactly as you defined. Once the session ends, the credentials expire automatically. No key rotation. No lingering secrets.

This setup works across teams, CI systems, or automation pipelines. You can gate every request to S3 through Boundary. Audit logs in Boundary and AWS CloudTrail give you a full record of each access event.

You can layer on controls by restricting the role’s trust relationship so only your Boundary worker can assume it. This eliminates the risk of the role being used from outside the approved environment. Combined with Boundary’s identity-based policies, you get granular, session-based control over your AWS S3 data.
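The two policies described above (the s3:GetObject permissions policy and a trust relationship that only the Boundary worker can satisfy) are easy to get subtly wrong, so here is an added example that models how IAM evaluates them. This is not code from the post, hoop.dev, or HashiCorp; it is a deliberately small evaluator that handles only Allow/Deny on Action and Resource with explicit-Deny-wins and default-deny semantics, and ignores Condition, NotAction/NotResource, resource policies and SCPs. The account id, the boundary-worker role name and the object key are constructed placeholders.

```python
"""Added example: a small IAM-style evaluator for the read-only S3 role.

Models only the subset of IAM needed here (Allow/Deny on Action + Resource,
explicit Deny wins, default deny). Account id, role names and object keys
are placeholders; this is not the post's or HashiCorp's code.
"""
import fnmatch

# The permissions policy from the post, bucket name kept as written there.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::my-bucket-name/*",
        }
    ],
}

# Constructed trust policy: only the (placeholder) Boundary worker role may assume it.
BOUNDARY_WORKER_ARN = "arn:aws:iam::111122223333:role/boundary-worker"  # placeholder
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": BOUNDARY_WORKER_ARN},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Write-class actions a read-only role must never grant.
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl", "s3:DeleteObjectVersion")


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    """IAM wildcard match using only '*' and '?' (ARNs contain no brackets)."""
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """True if the identity policy allows `action` on `resource`."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]  # actions are case-insensitive
        resources = _as_list(stmt["Resource"])
        if not any(_match(p, action.lower()) for p in actions):
            continue
        if not any(_match(p, resource) for p in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = True
    return allowed  # no matching Allow means implicit deny


def granted_write_actions(policy, resource):
    """Write-class actions the policy grants on `resource`; empty for a read-only role."""
    return [a for a in WRITE_ACTIONS if is_allowed(policy, a, resource)]


def can_assume(trust_policy, caller_arn):
    """True if `caller_arn` is an allowed AWS principal for sts:AssumeRole."""
    for stmt in trust_policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if "sts:assumerole" in actions and caller_arn in principals:
            return stmt["Effect"] == "Allow"
    return False


if __name__ == "__main__":
    obj = "arn:aws:s3:::my-bucket-name/reports/q1.csv"  # constructed object ARN
    bucket = "arn:aws:s3:::my-bucket-name"
    checks = [
        ("GetObject on an object in the bucket", is_allowed(READ_ONLY_POLICY, "s3:GetObject", obj)),
        ("GetObject on another bucket", is_allowed(READ_ONLY_POLICY, "s3:GetObject", "arn:aws:s3:::other-bucket/x")),
        ("ListBucket on the bucket itself", is_allowed(READ_ONLY_POLICY, "s3:ListBucket", bucket)),
        ("write actions granted", granted_write_actions(READ_ONLY_POLICY, obj)),
        ("worker can assume the role", can_assume(TRUST_POLICY, BOUNDARY_WORKER_ARN)),
        ("other principal can assume the role", can_assume(TRUST_POLICY, "arn:aws:iam::111122223333:user/alice")),
    ]
    for label, result in checks:
        print(f"{label}: {result}")
```

Two results are worth noticing. The write-action list comes back empty, which is the least-privilege property the post asks for, and the same function immediately flags an over-broad policy such as "s3:*" on "*". The ListBucket check comes back False because s3:ListBucket is evaluated against the bucket ARN, which the "/*" resource does not match: a single-object aws s3 cp still works with only s3:GetObject, but a listing such as aws s3 ls on the bucket would be denied unless you deliberately add s3:ListBucket on the bucket ARN. The model is a sanity check only; the authoritative answer comes from the IAM policy simulator and from the session test the post describes.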

Test the integration by connecting to Boundary, starting a session, and running a simple aws s3 cp command to pull an object. The download should succeed, while no write or delete permission is available through the session.

Get this running fast. See how role-based S3 access with HashiCorp Boundary works in practice at hoop.dev and have it live in minutes.