Applying Limitations with Bucket Policies

We support a subset of the Amazon S3 policy language applied to buckets.

Policy Creation and Removal

Bucket policies are managed through standard S3 operations.

For example, the following policy grants a single user read access (s3:GetObject) to the objects inside the bucket pankimages:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam:::user/4fe084dd-8531-4087-bc89-91cca2c9ea8d:Access"]},
    "Action": "s3:GetObject",
    "Resource": [
      "arn:aws:s3:::pankimages/*"
    ]
  }]
}

Limitations

Currently, we support only the following actions:

  • s3:AbortMultipartUpload

  • s3:CreateBucket

  • s3:DeleteBucketPolicy

  • s3:DeleteBucket

  • s3:DeleteBucketWebsite

  • s3:DeleteObject

  • s3:DeleteObjectVersion

  • s3:DeleteReplicationConfiguration

  • s3:GetAccelerateConfiguration

  • s3:GetBucketAcl

  • s3:GetBucketCORS

  • s3:GetBucketLocation

  • s3:GetBucketLogging

  • s3:GetBucketNotification

  • s3:GetBucketPolicy

  • s3:GetBucketRequestPayment

  • s3:GetBucketTagging

  • s3:GetBucketVersioning

  • s3:GetBucketWebsite

  • s3:GetLifecycleConfiguration

  • s3:GetObjectAcl

  • s3:GetObject

  • s3:GetObjectTorrent

  • s3:GetObjectVersionAcl

  • s3:GetObjectVersion

  • s3:GetObjectVersionTorrent

  • s3:GetReplicationConfiguration

  • s3:IPAddress

  • s3:NotIpAddress

  • s3:ListAllMyBuckets

  • s3:ListBucketMultipartUploads

  • s3:ListBucket

  • s3:ListBucketVersions

  • s3:ListMultipartUploadParts

  • s3:PutAccelerateConfiguration

  • s3:PutBucketAcl

  • s3:PutBucketCORS

  • s3:PutBucketLogging

  • s3:PutBucketNotification

  • s3:PutBucketPolicy

  • s3:PutBucketRequestPayment

  • s3:PutBucketTagging

  • s3:PutBucketVersioning

  • s3:PutBucketWebsite

  • s3:PutLifecycleConfiguration

  • s3:PutObjectAcl

  • s3:PutObject

  • s3:PutObjectVersionAcl

  • s3:PutReplicationConfiguration

  • s3:RestoreObject

Instead of the Amazon twelve-digit account ID, we use the RGW 'tenant' identifier. In the future, assigning an account ID to a tenant may be possible. For now, if you want policies to work between AWS S3 and RGW S3, you must use the Amazon account ID as the tenant ID when creating users.

In AWS, a single bucket namespace is shared by all tenants. RGW gives each tenant a dedicated namespace for its buckets. Future releases may offer the option of a 'flat' bucket namespace similar to AWS. Currently, to reach a bucket owned by a different tenant, refer to it as "tenant:bucket" in the S3 request.

In AWS, a bucket policy allows giving access to a different account, which can further grant access to specific users by assigning user permissions. As user, role, and group permissions are not yet supported, account owners must currently give access to individual users directly. Granting access to a bucket for an entire account will give access to all users in that account.

String interpolation is not currently supported by bucket policies.

The condition keys we support for all requests are:

  • aws:CurrentTime

  • aws:EpochTime

  • aws:PrincipalType

  • aws:Referer

  • aws:SecureTransport

  • aws:SourceIp

  • aws:UserAgent

  • aws:username

We also support certain S3-specific condition keys for bucket and object requests.
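As an added example (not code from this page or from the RGW project), a small Python lint that checks a bucket policy against the restrictions stated in this section before it is uploaded: only the actions listed above, only the listed aws:* global condition keys, and no string interpolation in resources. The action and condition-key names are copied from this page; the s3:* condition keys are skipped because the page states they are partly supported without enumerating them.

```python
import json
import re

# Action names copied from the supported-actions list on this page.
SUPPORTED_ACTIONS = set("""
s3:AbortMultipartUpload s3:CreateBucket s3:DeleteBucketPolicy s3:DeleteBucket
s3:DeleteBucketWebsite s3:DeleteObject s3:DeleteObjectVersion
s3:DeleteReplicationConfiguration s3:GetAccelerateConfiguration s3:GetBucketAcl
s3:GetBucketCORS s3:GetBucketLocation s3:GetBucketLogging s3:GetBucketNotification
s3:GetBucketPolicy s3:GetBucketRequestPayment s3:GetBucketTagging
s3:GetBucketVersioning s3:GetBucketWebsite s3:GetLifecycleConfiguration
s3:GetObjectAcl s3:GetObject s3:GetObjectTorrent s3:GetObjectVersionAcl
s3:GetObjectVersion s3:GetObjectVersionTorrent s3:GetReplicationConfiguration
s3:IPAddress s3:NotIpAddress s3:ListAllMyBuckets s3:ListBucketMultipartUploads
s3:ListBucket s3:ListBucketVersions s3:ListMultipartUploadParts
s3:PutAccelerateConfiguration s3:PutBucketAcl s3:PutBucketCORS s3:PutBucketLogging
s3:PutBucketNotification s3:PutBucketPolicy s3:PutBucketRequestPayment
s3:PutBucketTagging s3:PutBucketVersioning s3:PutBucketWebsite
s3:PutLifecycleConfiguration s3:PutObjectAcl s3:PutObject s3:PutObjectVersionAcl
s3:PutReplicationConfiguration s3:RestoreObject
""".split())
# Global condition keys the page lists as supported for all requests.
SUPPORTED_CONDITION_KEYS = {
    "aws:CurrentTime", "aws:EpochTime", "aws:PrincipalType", "aws:Referer",
    "aws:SecureTransport", "aws:SourceIp", "aws:UserAgent", "aws:username"}
INTERPOLATION = re.compile(r"\$\{[^}]*\}")  # policy variables such as ${aws:username}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def lint_rgw_policy(policy_json):
    """Return findings for parts of a bucket policy that RGW will not honour as written."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        for action in _as_list(stmt.get("Action", [])):
            if action not in SUPPORTED_ACTIONS:   # wildcards such as s3:* fail this too
                findings.append(f"statement {i}: unsupported action {action}")
        for res in _as_list(stmt.get("Resource", [])):
            if INTERPOLATION.search(res):         # string interpolation is unsupported
                findings.append(f"statement {i}: string interpolation in {res}")
        for operands in stmt.get("Condition", {}).values():
            for key in operands:
                # s3:* condition keys are partly supported but not enumerated on
                # this page, so only aws:* global keys are checked here.
                if not key.startswith("s3:") and key not in SUPPORTED_CONDITION_KEYS:
                    findings.append(f"statement {i}: unsupported condition key {key}")
    return findings
```

Run it over a policy document before calling PutBucketPolicy; an empty list means every element is within the subset this page describes.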

Functionality for the specified bucket operations has been included.

Additional support may be available in the near future as we integrate with the recently revamped Authentication/Authorization subsystem.
