
The safest way to give someone access to Amazon S3 is to never give them a key at all


The safest way to give someone access to Amazon S3 is to never give them a key at all. Federation with AWS S3 read‑only roles makes that possible. It grants access without exposing permanent credentials. It keeps your buckets locked tight while still letting the right people read what they need.

To set it up, you create an AWS Identity and Access Management (IAM) role with s3:GetObject permission on the paths you want. Then, you configure a trusted identity provider — AWS supports SAML 2.0, OIDC, and even custom providers. When a user logs in through that provider, AWS Security Token Service issues temporary credentials. Those credentials expire quickly and never need to be stored. They can be scoped to a single folder or a single object if you want.

Read‑only access means exactly that: no writes, no deletes, no accidental overrides. S3 read‑only federation is ideal for analytics dashboards, data sharing, and controlled access to logs and reports. Instead of scattering static keys across codebases or configs, every session is authorized in real time, and every action is logged in CloudTrail.

To boost security further, use explicit Deny statements for actions you don’t allow. Combine them with Allow statements that match only the required prefixes. This keeps objects outside those prefixes unreadable even if a user learns their keys. Add MFA to the identity provider for critical datasets. Always test policies with iam:SimulatePrincipalPolicy before rollout.
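The setup described above (a role trusted only by a federated identity provider, a permission policy that allows s3:GetObject under one prefix, and an explicit Deny on write actions) as an added worked example. This is illustrative code, not hoop.dev's or AWS's own: the account id, bucket name, prefix and OIDC issuer host are constructed placeholders, and the `evaluate` function is a deliberately simplified local stand-in for the ordering IAM applies (explicit Deny beats Allow, which beats the implicit Deny), not a replacement for running iam:SimulatePrincipalPolicy against the real role.

```python
"""Build a read-only S3 federation role policy pair and sanity-check it locally.

Constructed example: ACCOUNT_ID, BUCKET, ALLOWED_PREFIX and OIDC_PROVIDER are
placeholders, not values from any real deployment.
"""
import fnmatch
import json

ACCOUNT_ID = "123456789012"                       # placeholder account id
BUCKET = "example-reports-bucket"                 # placeholder bucket name
ALLOWED_PREFIX = "reports/finance/"               # the only folder the role may read
OIDC_PROVIDER = "token.actions.example-idp.com"   # placeholder OIDC issuer host


def trust_policy() -> dict:
    """Who may assume the role: only identities federated through the IdP.

    For SAML 2.0 the shape is the same with a saml-provider ARN,
    sts:AssumeRoleWithSAML and a SAML:aud condition instead.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_PROVIDER}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            # Bind the role to one client/audience so tokens minted for
            # other apps at the same IdP cannot assume it.
            "Condition": {
                "StringEquals": {f"{OIDC_PROVIDER}:aud": "s3-readonly-dashboard"}
            },
        }],
    }


def permission_policy() -> dict:
    """What the role may do: list and read one prefix, explicitly deny writes."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Listing is allowed only when the request is scoped to the prefix
                "Sid": "ListAllowedPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{BUCKET}",
                "Condition": {"StringLike": {"s3:prefix": f"{ALLOWED_PREFIX}*"}},
            },
            {   # Reads are allowed only for object keys under the prefix
                "Sid": "ReadAllowedPrefix",
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{BUCKET}/{ALLOWED_PREFIX}*",
            },
            {   # Explicit Deny wins even if some other policy grants writes
                "Sid": "DenyWrites",
                "Effect": "Deny",
                "Action": ["s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl"],
                "Resource": f"arn:aws:s3:::{BUCKET}/*",
            },
        ],
    }


def _matches(pattern, value: str) -> bool:
    """IAM-style wildcard match (* and ?) for Action/Resource; accepts a list."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_ok(stmt: dict, context: dict) -> bool:
    """Evaluate the two condition operators this example uses."""
    cond = stmt.get("Condition", {})
    for key, pattern in cond.get("StringLike", {}).items():
        if not _matches(pattern, context.get(key, "")):
            return False
    for key, expected in cond.get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False
    return True


def evaluate(policy: dict, action: str, resource: str, context: dict = None) -> str:
    """Simplified local evaluation: explicitDeny > allowed > implicitDeny.

    Only identity policy statements, the * and ? wildcards and the StringLike /
    StringEquals operators are modelled; use iam:SimulatePrincipalPolicy for
    the authoritative answer on a real role.
    """
    context = context or {}
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        if (_matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)
                and _condition_ok(stmt, context)):
            if stmt["Effect"] == "Deny":
                return "explicitDeny"   # a matching Deny ends evaluation
            decision = "allowed"
    return decision


if __name__ == "__main__":
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(permission_policy(), indent=2))
    key = f"arn:aws:s3:::{BUCKET}/{ALLOWED_PREFIX}q1.csv"
    print("GetObject in prefix:", evaluate(permission_policy(), "s3:GetObject", key))
    print("PutObject in prefix:", evaluate(permission_policy(), "s3:PutObject", key))
```

The two policies are what you would attach to the role (`trust_policy()` as the role's trust relationship, `permission_policy()` as an inline or customer-managed policy); the local `evaluate` pass is a quick pre-flight that catches a prefix typo or a missing Deny before you spend a round trip on the real simulator.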


Federated roles scale cleanly. You can integrate with corporate SSO, developer accounts, or service accounts in partner systems, all without creating local IAM users. If you need to revoke access, you disable it in your identity provider and the AWS side stops granting credentials instantly.

S3 federation is not just a security improvement, it’s an operational win. You reduce key rotation burden, you avoid the drift of forgotten IAM users, and you can onboard or offboard in minutes. Logs and metrics remain intact for audits.

If you want to see AWS S3 federation and read‑only roles in action without grinding through hours of setup, you can try it live in minutes with hoop.dev — connect, federate, and verify in real‑time.
