
Applying Limitations with Bucket Policies

We support a subset of the Amazon S3 policy language, applied to buckets.

Policy Creation and Removal

Bucket policies are managed through standard S3 operations.

For example, the following policy grants a single user read access to the objects inside the pankimages bucket:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam:::user/4fe084dd-8531-4087-bc89-91cca2c9ea8d:Access"]},
    "Action": "s3:GetObject",
    "Resource": [
      "arn:aws:s3:::pankimages/*"
    ]
  }]
}
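As an added example (not part of the original page and not Zata.ai's own code), the following Python builds a policy of the same shape, adds a Deny statement for plaintext transport using the aws:SecureTransport condition key, optionally restricts the allowed source networks with aws:SourceIp, and applies it with the standard PutBucketPolicy / GetBucketPolicy / DeleteBucketPolicy operations through boto3. ENDPOINT_URL, the bucket name and the principal ARN are placeholders to replace with your own values; the function names are this example's own.

```python
"""Build and apply a bucket policy through the standard S3 policy operations.

Added example, not Zata.ai's own code. ENDPOINT_URL, BUCKET and PRINCIPAL_ARN
are placeholders (the ARN follows the form used in the page's example policy).
"""
import json

ENDPOINT_URL = "https://<your-zata-s3-endpoint>"               # placeholder
BUCKET = "pankimages"                                         # bucket name from the page's example
PRINCIPAL_ARN = "arn:aws:iam:::user/<tenant-user-id>:Access"  # placeholder in the page's ARN form


def build_read_policy(bucket, principal_arn, allowed_cidrs=None):
    """Allow one user to list and read the bucket; refuse plaintext HTTP for everyone.

    Only actions and condition keys from the supported subset are used
    (s3:ListBucket, s3:GetObject, s3:PutObject, s3:DeleteObject,
    aws:SecureTransport, aws:SourceIp).
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    allow = {
        "Sid": "AllowUserRead",
        "Effect": "Allow",
        "Principal": {"AWS": [principal_arn]},
        # ListBucket applies to the bucket ARN, GetObject to the objects under it.
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": [bucket_arn, bucket_arn + "/*"],
    }
    if allowed_cidrs:
        # Optional source-network restriction on top of the identity check.
        allow["Condition"] = {"IpAddress": {"aws:SourceIp": list(allowed_cidrs)}}
    deny_plaintext = {
        "Sid": "DenyPlaintextTransport",
        "Effect": "Deny",
        "Principal": "*",
        # An explicit Deny overrides any Allow, so this rejects every non-TLS request.
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        "Resource": [bucket_arn, bucket_arn + "/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }
    return {"Version": "2012-10-17", "Statement": [allow, deny_plaintext]}


def apply_bucket_policy(s3_client, bucket, policy):
    """PutBucketPolicy expects the document as a JSON string, not a dict."""
    s3_client.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))


def read_bucket_policy(s3_client, bucket):
    """GetBucketPolicy returns the JSON string; parse it back into a dict."""
    return json.loads(s3_client.get_bucket_policy(Bucket=bucket)["Policy"])


def remove_bucket_policy(s3_client, bucket):
    """DeleteBucketPolicy removes the policy document from the bucket."""
    s3_client.delete_bucket_policy(Bucket=bucket)


def main():
    import boto3  # imported here so build_read_policy() works without boto3 installed

    # Access key and secret come from the usual boto3 sources (environment or ~/.aws).
    s3 = boto3.client("s3", endpoint_url=ENDPOINT_URL)
    policy = build_read_policy(BUCKET, PRINCIPAL_ARN, allowed_cidrs=["203.0.113.0/24"])
    apply_bucket_policy(s3, BUCKET, policy)
    print(json.dumps(read_bucket_policy(s3, BUCKET), indent=2))


if __name__ == "__main__":
    main()
```

Read the policy back with GetBucketPolicy after applying it, as main() does: the response is the authoritative record of what the service stored, and comparing it with what you sent is the quickest check that no statement was silently dropped.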

Limitations

Currently, we support only the following actions:

  • s3:AbortMultipartUpload
  • s3:CreateBucket
  • s3:DeleteBucketPolicy
  • s3:DeleteBucket
  • s3:DeleteBucketWebsite
  • s3:DeleteObject
  • s3:DeleteObjectVersion
  • s3:DeleteReplicationConfiguration
  • s3:GetAccelerateConfiguration
  • s3:GetBucketAcl
  • s3:GetBucketCORS
  • s3:GetBucketLocation
  • s3:GetBucketLogging
  • s3:GetBucketNotification
  • s3:GetBucketPolicy
  • s3:GetBucketRequestPayment
  • s3:GetBucketTagging
  • s3:GetBucketVersioning
  • s3:GetBucketWebsite
  • s3:GetLifecycleConfiguration
  • s3:GetObjectAcl
  • s3:GetObject
  • s3:GetObjectTorrent
  • s3:GetObjectVersionAcl
  • s3:GetObjectVersion
  • s3:GetObjectVersionTorrent
  • s3:GetReplicationConfiguration
  • s3:IPAddress
  • s3:NotIpAddress
  • s3:ListAllMyBuckets
  • s3:ListBucketMultipartUploads
  • s3:ListBucket
  • s3:ListBucketVersions
  • s3:ListMultipartUploadParts
  • s3:PutAccelerateConfiguration
  • s3:PutBucketAcl
  • s3:PutBucketCORS
  • s3:PutBucketLogging
  • s3:PutBucketNotification
  • s3:PutBucketPolicy
  • s3:PutBucketRequestPayment
  • s3:PutBucketTagging
  • s3:PutBucketVersioning
  • s3:PutBucketWebsite
  • s3:PutLifecycleConfiguration
  • s3:PutObjectAcl
  • s3:PutObject
  • s3:PutObjectVersionAcl
  • s3:PutReplicationConfiguration
  • s3:RestoreObject

Instead of the Amazon twelve-digit account ID, we use the RGW 'tenant' identifier. In the future it may be possible to assign an account ID to a tenant; for now, when creating users for policies shared between AWS S3 and RGW S3, you must use the Amazon account ID as the tenant ID.

In AWS, a single bucket namespace is shared by all tenants. RGW gives each tenant a dedicated namespace for its buckets. Future releases may offer a 'flat' bucket namespace similar to AWS. Currently, to reach a bucket owned by a different tenant, refer to it as "tenant:bucket" in the S3 request.

In AWS, a bucket policy can grant access to a different account, whose owner can then delegate access to specific users by assigning user permissions. Because user, role, and group permissions are not yet supported here, account owners must currently grant access to individual users directly. Granting bucket access to an entire account gives access to all users in that account.

String interpolation is not currently supported by bucket policies.

The condition keys we support for all requests are:

  • aws:CurrentTime
  • aws:EpochTime
  • aws:PrincipalType
  • aws:Referer
  • aws:SecureTransport
  • aws:SourceIp
  • aws:UserAgent
  • aws:username

We also support certain S3 condition keys for bucket and object requests; the tables below list the keys supported for each permission.

Bucket Related Operations

| Permission | Condition Keys |
| --- | --- |
| s3:CreateBucket | s3:x-amz-acl, s3:x-amz-grant-<perm> where perm is one of read / write / read-acp / write-acp / full-control |
| s3:ListBucket & s3:ListBucketVersions | s3:prefix, s3:delimiter, s3:max-keys |
| s3:PutBucketAcl | s3:x-amz-acl, s3:x-amz-grant-<perm> |

Object Related Operations

| Permission | Condition Keys | Comments |
| --- | --- | --- |
| s3:PutObject | s3:x-amz-acl & s3:x-amz-grant-<perm> | |
| | s3:x-amz-copy-source | |
| | s3:x-amz-server-side-encryption | |
| | s3:x-amz-server-side-encryption-aws-kms-key-id | |
| | s3:x-amz-metadata-directive | PUT & COPY to overwrite/preserve metadata in COPY requests |
| | s3:RequestObjectTag/<tag-key> | |
| s3:PutObjectAcl & s3:PutObjectVersionAcl | s3:x-amz-acl & s3:x-amz-grant-<perm> | |
| | s3:ExistingObjectTag/<tag-key> | |
| s3:PutObjectTagging & s3:PutObjectVersionTagging | s3:RequestObjectTag/<tag-key> | |
| | s3:ExistingObjectTag/<tag-key> | |
| s3:GetObject & s3:GetObjectVersion | s3:ExistingObjectTag/<tag-key> | |
| s3:GetObjectAcl & s3:GetObjectVersionAcl | s3:ExistingObjectTag/<tag-key> | |
| s3:GetObjectTagging & s3:GetObjectVersionTagging | s3:ExistingObjectTag/<tag-key> | |
| s3:DeleteObjectTagging & s3:DeleteObjectVersionTagging | s3:ExistingObjectTag/<tag-key> | |
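Because a policy that uses an action or condition key outside this subset will not behave as it would on AWS, it is worth linting a policy document before PutBucketPolicy. The following Python is an added example, not Zata.ai's own code: the action list, the global condition keys and the per-permission keys are transcribed from this page (the action list and the two tables above), while check_policy(), the "<perm>" / "<tag-key>" placeholder matching, the placeholder principal and the constructed SAMPLE_POLICY are this example's own assumptions. It also flags ${...} string interpolation, which the page states is not supported.

```python
"""Lint a bucket policy against the subset this page documents as supported.

Added example, not Zata.ai's own code. SUPPORTED_ACTIONS, GLOBAL_KEYS and
ACTION_KEYS are transcribed from the page; everything else is constructed.
"""
import json
import re

SUPPORTED_ACTIONS = {"s3:" + a for a in (
    "AbortMultipartUpload CreateBucket DeleteBucketPolicy DeleteBucket DeleteBucketWebsite DeleteObject "
    "DeleteObjectVersion DeleteReplicationConfiguration GetAccelerateConfiguration GetBucketAcl GetBucketCORS "
    "GetBucketLocation GetBucketLogging GetBucketNotification GetBucketPolicy GetBucketRequestPayment "
    "GetBucketTagging GetBucketVersioning GetBucketWebsite GetLifecycleConfiguration GetObjectAcl GetObject "
    "GetObjectTorrent GetObjectVersionAcl GetObjectVersion GetObjectVersionTorrent GetReplicationConfiguration "
    "IPAddress NotIpAddress ListAllMyBuckets ListBucketMultipartUploads ListBucket ListBucketVersions "
    "ListMultipartUploadParts PutAccelerateConfiguration PutBucketAcl PutBucketCORS PutBucketLogging "
    "PutBucketNotification PutBucketPolicy PutBucketRequestPayment PutBucketTagging PutBucketVersioning "
    "PutBucketWebsite PutLifecycleConfiguration PutObjectAcl PutObject PutObjectVersionAcl "
    "PutReplicationConfiguration RestoreObject").split()}

# Condition keys accepted on every request.
GLOBAL_KEYS = {"aws:CurrentTime", "aws:EpochTime", "aws:PrincipalType", "aws:Referer",
               "aws:SecureTransport", "aws:SourceIp", "aws:UserAgent", "aws:username"}

# Per-permission S3 condition keys from the two tables; "<...>" marks a variable part.
_ACL = ["s3:x-amz-acl", "s3:x-amz-grant-<perm>"]
_LIST = ["s3:prefix", "s3:delimiter", "s3:max-keys"]
_EXISTING = ["s3:ExistingObjectTag/<tag-key>"]
_REQUEST = ["s3:RequestObjectTag/<tag-key>"]
ACTION_KEYS = {
    "s3:CreateBucket": _ACL, "s3:PutBucketAcl": _ACL,
    "s3:ListBucket": _LIST, "s3:ListBucketVersions": _LIST,
    "s3:PutObject": _ACL + ["s3:x-amz-copy-source", "s3:x-amz-server-side-encryption",
                            "s3:x-amz-server-side-encryption-aws-kms-key-id",
                            "s3:x-amz-metadata-directive"] + _REQUEST,
    "s3:PutObjectAcl": _ACL + _EXISTING, "s3:PutObjectVersionAcl": _ACL + _EXISTING,
    "s3:PutObjectTagging": _REQUEST + _EXISTING, "s3:PutObjectVersionTagging": _REQUEST + _EXISTING,
    "s3:GetObject": _EXISTING, "s3:GetObjectVersion": _EXISTING,
    "s3:GetObjectAcl": _EXISTING, "s3:GetObjectVersionAcl": _EXISTING,
    "s3:GetObjectTagging": _EXISTING, "s3:GetObjectVersionTagging": _EXISTING,
    "s3:DeleteObjectTagging": _EXISTING, "s3:DeleteObjectVersionTagging": _EXISTING,
}
# IAM action names are matched case-insensitively, so compare lower-cased forms.
_SUPPORTED_LC = {a.lower() for a in SUPPORTED_ACTIONS}
_ACTION_KEYS_LC = {a.lower(): keys for a, keys in ACTION_KEYS.items()}


def _key_matches(pattern, key):
    """True if key fits a table entry; "<perm>" / "<tag-key>" match one path segment."""
    literal_parts = re.split(r"<[^>]+>", pattern)
    return re.fullmatch("[^/]+".join(map(re.escape, literal_parts)), key) is not None


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def check_policy(policy):
    """Return human-readable problems; an empty list means the policy stays within the subset."""
    problems = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        actions = _as_list(stmt.get("Action"))
        for action in actions:
            if action.lower() not in _SUPPORTED_LC:  # wildcards such as s3:* are reported too
                problems.append(f"statement {i}: action {action} is not in the supported list")
        for operator_keys in stmt.get("Condition", {}).values():
            for key in operator_keys:
                if key in GLOBAL_KEYS:
                    continue
                if not any(_key_matches(pat, key)
                           for action in actions for pat in _ACTION_KEYS_LC.get(action.lower(), [])):
                    problems.append(f"statement {i}: condition key {key} is not supported for {actions}")
        if "${" in json.dumps(stmt):  # policy-variable interpolation is not supported
            problems.append(f"statement {i}: ${{...}} string interpolation is not supported")
    return problems


# Constructed sample: statement 0 stays within the subset, statement 1 does not.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam:::user/<tenant-user-id>:Access"]},  # placeholder
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::pankimages", "arn:aws:s3:::pankimages/*"],
         "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
                       "StringEquals": {"s3:ExistingObjectTag/env": "prod", "s3:prefix": "public/"}}},
        {"Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam:::user/<tenant-user-id>:Access"]},  # placeholder
         "Action": "s3:GetObjectAttributes",                               # not in the supported list
         "Resource": "arn:aws:s3:::pankimages/home/${aws:username}/*",       # interpolation
         "Condition": {"StringEquals": {"s3:ExistingObjectTag/env": "prod"}}},
    ],
}

if __name__ == "__main__":
    for line in check_policy(SAMPLE_POLICY) or ["policy is within the documented subset"]:
        print(line)
```

Run against SAMPLE_POLICY the checker reports three problems, all in statement 1: the unlisted action, a condition key that is only defined for other permissions, and the ${aws:username} interpolation. A statement that passes the lint is not guaranteed to be accepted by the service, but one that fails it will certainly not do what the same document does on AWS.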

Additional support may be available in the near future as we merge with the recently revamped Authentication/Authorization subsystem.


Last updated 7 months ago