Our user group focuses on the IBM Storage family of software defined storage solutions.
Permissions for Object Operations

s3:GetObject
s3:PutObject
s3:DeleteObject
s3:ListMultipartUploadParts
s3:AbortMultipartUpload

Permissions for Bucket Operations

s3:ListBucket
s3:ListBucketMultipartUploads
s3:CreateBucket (optional)

The s3:CreateBucket permission is needed if you want IBM Spectrum Protect to create its own buckets. However, you shouldn't need to put this in a bucket policy, because the bucket has to exist before the policy can be created in the first place. It is possible to have IBM Spectrum Protect create the bucket initially and then change the policy.

An Example Bucket Policy

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
          "Action": [
            "s3:GetObject",
            "s3:PutObject",
            "s3:DeleteObject",
            "s3:ListMultipartUploadParts",
            "s3:AbortMultipartUpload"
          ],
          "Resource": "arn:aws:s3:::ibmsp.faceb28410a2e611b00200163eb00d27/*"
        },
        {
          "Effect": "Allow",
          "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
          "Action": [
            "s3:ListBucket",
            "s3:ListBucketMultipartUploads"
          ],
          "Resource": "arn:aws:s3:::ibmsp.faceb28410a2e611b00200163eb00d27"
        }
      ]
    }

The principal here is NOT the principal who created the bucket. The principal who created the bucket has all authority for the bucket by default. You can restrict the original principal with "Deny" effects. However, you cannot have a blanket "Deny" and then an "Allow" that re-allows specific actions. The "Deny" will take precedence.
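The precedence rule and the object/bucket resource split described above, as an added example that is not part of the original post or any IBM or AWS code: a simplified evaluator that checks whether a bucket policy grants every permission listed on this page. It assumes a reduced model (no Condition, NotAction, NotPrincipal or identity-based policies); the helper names, the DENY_FIRST variant and the probe object key are constructed for illustration.

```python
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::ibmsp.faceb28410a2e611b00200163eb00d27"  # bucket ARN from the page
PRINCIPAL = "arn:aws:iam::111122223333:root"                      # principal from the page
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                  "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"]
BUCKET_ACTIONS = ["s3:ListBucket", "s3:ListBucketMultipartUploads"]

def statement(effect, actions, resource):
    return {"Effect": effect, "Principal": {"AWS": PRINCIPAL},
            "Action": actions, "Resource": resource}

# The page's example policy, rebuilt as a dict.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    statement("Allow", OBJECT_ACTIONS, BUCKET + "/*"),
    statement("Allow", BUCKET_ACTIONS, BUCKET)]}
# Constructed variant: a blanket Deny placed ahead of the same Allows.
DENY_FIRST = {"Version": "2012-10-17", "Statement": [
    statement("Deny", "s3:*", [BUCKET, BUCKET + "/*"])] + PAGE_POLICY["Statement"]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def matches(stmt, principal, action, resource):
    # Simplified matching (assumption): wildcard globbing, action names case-insensitive.
    who = stmt["Principal"]
    who = ["*"] if who == "*" else as_list(who.get("AWS", []))
    return (any(p in ("*", principal) for p in who)
            and any(fnmatchcase(action.lower(), a.lower()) for a in as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in as_list(stmt["Resource"])))

def decide(policy, principal, action, resource):
    effects = {s["Effect"] for s in policy["Statement"]
               if matches(s, principal, action, resource)}
    if "Deny" in effects:  # an explicit Deny wins regardless of statement order
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

def not_allowed(policy, principal=PRINCIPAL):
    """Return the actions listed on the page that the policy fails to grant."""
    probes = [(a, BUCKET + "/constructed-object") for a in OBJECT_ACTIONS]
    probes += [(a, BUCKET) for a in BUCKET_ACTIONS]
    return sorted(a for a, r in probes if decide(policy, principal, a, r) != "Allow")

if __name__ == "__main__":
    print("page policy, missing:", not_allowed(PAGE_POLICY))
    print("deny-first variant, missing:", not_allowed(DENY_FIRST))
```

Object actions probed against the bare bucket ARN come back as ImplicitDeny, which is why the page's policy needs two statements with different Resource values.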