ECS 3.5.0.1 Administration Guide

Bucket policy scenarios

In general, the bucket owner has full control over a bucket, can grant permissions to other users, and can set S3 bucket policies using an S3 client. In ECS, an ECS System or Namespace Administrator can also set bucket policies using the Bucket Policy Editor from the ECS Portal.

You can use bucket policies in the following typical scenarios:

  • Grant bucket permissions to a user
  • Grant bucket permissions to all users
  • Automatically assign permissions to created objects

Grant bucket permissions to a user

To grant permission on a bucket to a user apart from the bucket owner, specify the resource that you want to change the permissions for. Set the principal attribute to the name of the user, and specify one or more actions that you want to enable.

The following example shows a policy that grants a user who is named user1 the permission to update and read objects in the bucket that is named mybucket:

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "Grant permission to user1",
            "Effect": "Allow",
            "Principal": ["user1"],
            "Action": [ "s3:PutObject","s3:GetObject" ],
            "Resource":[ "mybucket/*" ]
        }
    ]
}

You can also add conditions. For example, if you only want the user to read and write objects when accessing the bucket from a specific IP address, add an IpAddress condition as shown in the following policy:

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "Grant permission ",
            "Effect": "Allow",
            "Principal": ["user1"],
            "Action": [ "s3:PutObject","s3:GetObject" ],
            "Resource":[ "mybucket/*" ],
            "Condition": {"IpAddress": {"aws:SourceIp": "<Ip address>"}}
        }
    ]
}

Grant bucket permissions to all users

To grant permission on a bucket to a user apart from the bucket owner, specify the resource that you want to change the permissions for. Set the principal attribute as anybody (*), and specify one or more actions that you want to enable.

The following example shows a policy that grants anyone permission to read objects in the bucket that is named mybucket:

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId2",
    "Statement": [
        {
            "Sid": "statement2",
            "Effect": "Allow",
            "Principal": ["*"],
            "Action": [ "s3:GetObject" ],
            "Resource":[ "mybucket/*" ]
        }
    ]
}

Automatically assign permissions to created objects

You can use bucket policies to automatically enable access to ingested object data. In the following example bucket policy, user1 and user2 can create subresources (that is, objects) in the bucket that is named mybucket and can set object ACLs. With the ability to set ACLs, the users can then set permissions for other users. If the ACL is set in the same operation, a condition can be set such that a canned ACL public-read must be specified when the object is created. This ensures that anybody can read all the created objects.

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId3",
    "Statement": [
        {
            "Sid": "statement3",
            "Effect": "Allow",
            "Principal": ["user1", "user2"],
            "Action": [ "s3:PutObject", "s3:PutObjectAcl" ],
            "Resource":[ "mybucket/*" ],
            "Condition":{"StringEquals":{"s3:x-amz-acl":["public-read"]}}
        }
    ]
}
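
The following Python check is an added example, not part of the ECS guide or of any Dell tooling. It reviews policy JSON before it is applied and reports the conditions that make data readable by anyone: a grant to all users, or a condition that forces the public-read canned ACL on created objects. It also reports invalid JSON and action entries that were fused into one string. The function name, the sample policies, and the IP address are constructed for illustration, and the check assumes Principal is written in the list form used in this section.

```python
import json

def _as_list(value):
    """Policy fields may hold one value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_policy(policy_text):
    """Return (sid, finding) tuples for one bucket policy document."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        # For example, a missing comma between "Resource" and "Condition".
        return [(None, f"invalid JSON at line {exc.lineno}: {exc.msg}")]
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid")
        conditions = stmt.get("Condition") or {}
        for action in _as_list(stmt.get("Action")):
            if "," in action:  # two actions fused into one string
                findings.append((sid, f"fused action entry {action!r}"))
        if "*" in _as_list(stmt.get("Principal")):
            scope = "conditional" if conditions else "unconditional"
            findings.append((sid, f"{scope} grant to all users"))
        acls = _as_list(conditions.get("StringEquals", {}).get("s3:x-amz-acl"))
        if "public-read" in acls:
            findings.append((sid, "created objects are forced to public-read"))
    return findings

# Constructed samples modelled on the policies in this section.
PUBLIC = """{"Version": "2012-10-17", "Id": "S3PolicyId2", "Statement": [
  {"Sid": "statement2", "Effect": "Allow", "Principal": ["*"],
   "Action": ["s3:GetObject"], "Resource": ["mybucket/*"]}]}"""
FORCED_ACL = """{"Version": "2012-10-17", "Id": "S3PolicyId3", "Statement": [
  {"Sid": "statement3", "Effect": "Allow", "Principal": ["user1", "user2"],
   "Action": ["s3:PutObject, s3:PutObjectAcl"], "Resource": ["mybucket/*"],
   "Condition": {"StringEquals": {"s3:x-amz-acl": ["public-read"]}}}]}"""
MISSING_COMMA = """{"Statement": [{"Effect": "Allow",
  "Resource": ["mybucket/*"]
  "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.10"}}}]}"""

if __name__ == "__main__":
    for name, text in [("PUBLIC", PUBLIC), ("FORCED_ACL", FORCED_ACL),
                       ("MISSING_COMMA", MISSING_COMMA)]:
        for sid, finding in audit_policy(text):
            print(f"{name} [{sid}]: {finding}")
```

A policy that returns no findings can still grant more than intended; the check covers only the exposure patterns described in this section.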
