When you work with AWS S3 from the terminal, power and risk walk side by side. The Z shell (Zsh) is fast, flexible, and unforgiving if permissions are not locked down. That’s where AWS S3 read-only roles come in — granting exactly what’s needed without leaving a back door for deletion or overwrite.
The principle is simple: allow access to read data, list objects, and check metadata. Deny the ability to modify, upload, or delete. In practice, setting this up with Zsh and AWS CLI means writing policies that leave no gaps.
Step 1: Create the Read-Only Policy
Define the AWS IAM policy with the minimum S3 permissions. For example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}
Both resource ARNs are needed: s3:ListBucket is evaluated against the bucket itself, while s3:GetObject is evaluated against the objects inside it. Attach this policy to a new role or an existing read-only user.
Step 2: Assume the Role in Zsh
Experienced users prefer short, clean commands. Store role parameters in environment variables. Use aws sts assume-role and export the temporary credentials directly into your Zsh session:
# Assume the role; the response is a JSON document containing temporary credentials.
CREDS=$(aws sts assume-role \
  --role-arn arn:aws:iam::ACCOUNT_ID:role/ReadOnlyS3 \
  --role-session-name zsh-session)
# Quote the variable so the JSON is passed to jq intact.
export AWS_ACCESS_KEY_ID=$(echo "$CREDS" | jq -r '.Credentials.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | jq -r '.Credentials.SecretAccessKey')
export AWS_SESSION_TOKEN=$(echo "$CREDS" | jq -r '.Credentials.SessionToken')
Now every aws s3 ls, and every aws s3 cp that copies out of that bucket, runs with read access only; anything that writes to or deletes from the bucket is refused.
Step 3: Automate for Speed
Embed the assume-role logic into a Zsh function or script file. This turns multi-line commands into a single alias. Name it well, call it often, and you have secure, temporary access built into your workflow.
Step 4: Test and Verify
Run commands against the S3 bucket. Confirm you can list and read files but not delete or upload. If aws s3 rm fails, you have done it right.
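The Step 3 function and the Step 4 check, as an added example that is not from the original post. It assumes the function names s3ro and s3ro_check and the variable S3RO_ROLE_ARN; it uses the AWS CLI's --query/--output text instead of jq, and the delete probe targets a key that does not exist, so the check itself can never destroy data.

```shell
# Added example (not from the original post). Assumed names: S3RO_ROLE_ARN, s3ro, s3ro_check.
# Works in zsh and bash; define it in ~/.zshrc so the exports land in the interactive shell.

# Assume the read-only role and export temporary credentials into the current session.
# --query/--output text makes jq unnecessary: one tab-separated line, three fields.
s3ro() {
    _s3ro_role="${1:-$S3RO_ROLE_ARN}"
    if [ -z "$_s3ro_role" ]; then
        echo "usage: s3ro <role-arn>   (or export S3RO_ROLE_ARN)" >&2; return 1
    fi
    # Session name carries a timestamp so each assumption is distinguishable in CloudTrail.
    _s3ro_creds=$(aws sts assume-role \
        --role-arn "$_s3ro_role" \
        --role-session-name "zsh-$(date +%s)" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text) || return 1
    # A here-document keeps 'read' in the current shell, so the variables survive the call.
    read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<EOF
$_s3ro_creds
EOF
    unset _s3ro_creds _s3ro_role
    if [ -z "$AWS_SESSION_TOKEN" ]; then
        echo "s3ro: unexpected assume-role output" >&2; return 1
    fi
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Verify least privilege: listing must succeed and a delete must be denied.
# The delete targets a key that does not exist, so even an over-permissive role
# destroys nothing; with the read-only policy S3 answers AccessDenied and rm fails.
s3ro_check() {
    _s3ro_bucket="$1"
    if [ -z "$_s3ro_bucket" ]; then
        echo "usage: s3ro_check <bucket>" >&2; return 1
    fi
    aws s3 ls "s3://$_s3ro_bucket/" >/dev/null 2>&1 || {
        echo "s3ro_check: list denied; role lacks s3:ListBucket on $_s3ro_bucket" >&2; return 1; }
    if aws s3 rm "s3://$_s3ro_bucket/s3ro-probe-does-not-exist" >/dev/null 2>&1; then
        echo "s3ro_check: WARNING delete allowed; role is not read-only" >&2; return 1
    fi
    echo "s3ro_check: list allowed, delete denied on $_s3ro_bucket"
}

# Usage (interactive shell):
#   s3ro arn:aws:iam::ACCOUNT_ID:role/ReadOnlyS3 && s3ro_check your-bucket-name
```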
Using Zsh with AWS S3 read-only roles keeps terminal power while respecting least privilege. This blend of shell efficiency and tight IAM controls reduces mistakes and meets compliance needs without slowing you down.
You can spin this up, connect, and verify in minutes. See it live, ready to run, at hoop.dev — and keep both speed and safety on your side.