Michigan IBM Storage Protect User Group

Our user group focuses on the IBM Storage family of software defined storage solutions.

AWS object storage permissions

By Doug Grayer posted Thu November 10, 2016 11:27 AM

Permissions for Object Operations

  s3:GetObject
  s3:PutObject
  s3:DeleteObject
  s3:ListMultipartUploadParts
  s3:AbortMultipartUpload

Permissions for Bucket Operations

  s3:ListBucket
  s3:ListBucketMultipartUploads
  s3:CreateBucket (optional)

The s3:CreateBucket permission is needed only if you want IBM Spectrum Protect to create its own buckets. You should not need it in a bucket policy, because the bucket has to exist before a bucket policy can be attached to it in the first place. It is possible to let IBM Spectrum Protect create the bucket initially and then change the policy afterwards.

An Example Bucket Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload"
      ],
      "Resource": "arn:aws:s3:::ibmsp.faceb28410a2e611b00200163eb00d27/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": "arn:aws:s3:::ibmsp.faceb28410a2e611b00200163eb00d27"
    }
  ]
}

The principal in this policy is NOT the principal who created the bucket. The principal who created the bucket has all authority over the bucket by default. You can restrict the original principal with "Deny" effects. However, you cannot write a blanket "Deny" and then an "Allow" that re-allows specific actions: an explicit "Deny" always takes precedence over an "Allow".
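As an added example (not code from the post or from IBM), here is a small Python model of how S3 evaluates the policy above: it checks that every Spectrum Protect action listed earlier is granted at the right ARN level (object actions on the bucket/* resource, bucket actions on the bucket ARN itself) and shows the blanket-Deny case, where no later Allow can win. The account id and bucket name are the post's sample values; the evaluation is a simplified model that ignores Condition blocks, IAM user policies and ACLs, and the "any-object" key is a placeholder.

```python
import fnmatch

# Actions the post lists for IBM Spectrum Protect, by the ARN level they apply to (object vs. bucket).
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                  "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"]
BUCKET_ACTIONS = ["s3:ListBucket", "s3:ListBucketMultipartUploads"]

# The post's example policy as a dict; account id and bucket name are the post's sample values.
BUCKET = "ibmsp.faceb28410a2e611b00200163eb00d27"
PRINCIPAL = "arn:aws:iam::111122223333:root"
SP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": PRINCIPAL},
     "Action": OBJECT_ACTIONS, "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    {"Effect": "Allow", "Principal": {"AWS": PRINCIPAL},
     "Action": BUCKET_ACTIONS, "Resource": f"arn:aws:s3:::{BUCKET}"},
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _covers(stmt, principal, action, resource):
    # A statement applies only if Principal, Action and Resource all match (IAM '*'/'?' wildcards).
    p = stmt.get("Principal", [])
    principals = _as_list(p["AWS"]) if isinstance(p, dict) else _as_list(p)
    pairs = [(principal, principals), (action, _as_list(stmt["Action"])),
             (resource, _as_list(stmt["Resource"]))]
    return all(any(fnmatch.fnmatchcase(v, pat) for pat in pats) for v, pats in pairs)

def evaluate(policy, principal, action, resource):
    # Simplified evaluation: an explicit Deny beats every Allow; a matching Allow grants;
    # no matching statement at all is an implicit deny.
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _covers(stmt, principal, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def missing_grants(policy, principal, bucket):
    # Spectrum Protect actions the policy does not grant, each checked at the right ARN level.
    arn = f"arn:aws:s3:::{bucket}"
    checks = [(a, f"{arn}/any-object") for a in OBJECT_ACTIONS] + [(a, arn) for a in BUCKET_ACTIONS]
    return [a for a, r in checks if evaluate(policy, principal, a, r) != "Allow"]

def with_blanket_deny(policy, principal, bucket):
    # The shape the post warns against: a blanket Deny ahead of the Allows, which cannot re-open it.
    deny = {"Effect": "Deny", "Principal": {"AWS": principal}, "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}
    return {"Version": policy["Version"], "Statement": [deny] + policy["Statement"]}
```

Running missing_grants against the post's policy returns an empty list, while the same check against the blanket-Deny variant reports every action as missing, which is the precedence rule described above.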
