If you need to use instance profiles and IAM roles to send Gravity Forms file uploads to an Amazon S3 bucket, SyncS3 for Gravity Forms includes a filter for overwriting the S3 client object. This allows you to assume an IAM role and configure the S3 client to upload files with that role’s temporary credentials.
We’ll adapt Amazon’s sample code from “Assuming IAM Roles in another AWS account” to work with SyncS3. Note that some of this code needs to be modified to use your own AWS credentials.
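// Register the callback on SyncS3's client filter: priority 10, three arguments.
add_filter( 'syncs3_s3_client', 'my_iam_syncs3_s3_client', 10, 3 );

/**
 * Replaces the SyncS3 S3 client with one that uses the temporary credentials
 * returned by an STS AssumeRole call (an assumed IAM role, not an IAM user).
 *
 * If the role cannot be assumed, the failure is logged and the client passed
 * in by SyncS3 is returned unchanged, so uploads then run under the plugin's
 * default credentials. Rethrow in the catch block instead if uploads must
 * never happen outside the assumed role.
 *
 * @see https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_credentials_assume_role.html#assuming-an-iam-role-in-another-aws-account
 *
 * @param object $client S3Client
 * @param array  $config Default configuration data
 * @param mixed  $entry  Entry data array, if available, else empty
 *
 * @return object S3Client built from the assumed role's credentials, or the
 *                original $client when AssumeRole fails.
 */
function my_iam_syncs3_s3_client( $client, $config, $entry ) {
	// NOTE(review): presumably loads the AWS SDK bundled with SyncS3 - confirm.
	SyncS3::autoload();

	try {
		// This needs to be modified to fit your account.
		// 'profile' reads a named profile from the shared AWS credentials file.
		// On a host that relies on an instance profile, omit this key so the
		// SDK's default credential provider chain is used instead.
		$stsClient = new Aws\Sts\StsClient( [
			'profile' => 'default',
			'region'  => 'us-east-2',
			'version' => '2011-06-15',
		] );

		// This needs to be modified to fit your account.
		// Scope the role's permissions policy to the actions and bucket the
		// uploads need. For a role in an account you do not control, also
		// pass the 'ExternalId' agreed with that account's owner.
		// RoleSessionName is recorded in CloudTrail, so pick a value that
		// identifies this site.
		$result = $stsClient->AssumeRole( [
			'RoleArn'         => 'arn:aws:iam::123456789012:role/xaccounts3access',
			'RoleSessionName' => 's3-access-example',
		] );
	} catch ( Aws\Exception\AwsException $e ) {
		// Log the AWS error code and message only; never log credentials.
		error_log( 'SyncS3 AssumeRole failed: ' . $e->getAwsErrorCode() . ' - ' . $e->getMessage() );

		return $client;
	}

	$credentials = $result['Credentials'];

	// Create the new S3 client from the role's temporary credentials.
	// These expire (see $credentials['Expiration']), so do not persist them.
	// 'version' is set explicitly because older releases of the SDK refuse
	// to build a client without it.
	return new Aws\S3\S3Client( [
		'region'      => $config['region'],
		'version'     => '2006-03-01',
		'credentials' => [
			'key'    => $credentials['AccessKeyId'],
			'secret' => $credentials['SecretAccessKey'],
			'token'  => $credentials['SessionToken'],
		],
	] );
}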