Re: Bucket policies in Luminous


On 07/21/2017 02:23 AM, Pritha Srivastava wrote:

----- Original Message -----
From: "Pritha Srivastava" <prsrivas@xxxxxxxxxx>

----- Original Message -----
From: "Graham Allan" <gta@xxxxxxx>

I'm a bit surprised that allowing "s3:GetObject" doesn't seem to permit
reading the same object back out again. Even using a wildcard for the
action, I haven't been able to fetch an object or read bucket contents.
Admittedly I have no experience with AWS bucket policies so I could be
doing something dumb...


I think for reading the object back, you need to provide Read permissions on
the bucket.
You can try setting the Action to s3:ListBucket, and then under Resources,
list the bucket name and all objects under it (using *) or the object that
you want to read back, like below:

Action: s3:ListBucket

Resource: [
         "arn:aws:s3::*:my-bucket",
         "arn:aws:s3::*:my-bucket/*"
       ]


On second thoughts, the above Action and Resource will only list the bucket and the object names under it, but if you want to read back the contents of an object, then you need to provide permission for s3:GetObject also, something like the following:

{
   "Version": "2017-07-21",
   "Statement": [
     {
       "Effect": "Allow",
       "Action": ["s3:ListBucket"],
       "Resource": [
          "arn:aws:s3::*:my-bucket",
          "arn:aws:s3::*:my-bucket/*"
       ]
     },
     {
       "Effect": "Allow",
       "Action": [
         "s3:GetObject"
       ],
       "Resource": ["arn:aws:s3::*:my-bucket/*"]
     }
   ]
}


This works perfectly, thanks - now in retrospect it seems obvious that I would need permissions on the bucket itself as well as its contents. Thanks for your patience in explaining it to me!

G.
--
Graham Allan
Minnesota Supercomputing Institute - gta@xxxxxxx
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
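
Added example, not part of the original messages and not Ceph's own code: a simplified evaluator showing how the two statements in the policy above map to bucket-level and object-level requests. It assumes AWS-style matching (default deny, explicit Deny wins, "*" wildcards), ignores Principal and Condition, and uses a constructed object key and request ARNs.

```python
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::my-bucket"              # bucket-level resource
OBJECT = "arn:aws:s3:::my-bucket/report.csv"   # constructed object key

# S3 operation -> (action checked, resource it is checked against)
REQUESTS = {
    "list bucket": ("s3:ListBucket", BUCKET),
    "get object": ("s3:GetObject", OBJECT),
    "put object": ("s3:PutObject", OBJECT),
}

# Statements from the policy in the thread.
THREAD_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3::*:my-bucket", "arn:aws:s3::*:my-bucket/*"]},
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3::*:my-bucket/*"]},
]}

# Constructed variant: object read permission only, nothing on the bucket.
OBJECT_ONLY_POLICY = {"Statement": [THREAD_POLICY["Statement"][1]]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Default deny; an explicit Deny overrides any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def evaluate(policy):
    """Return {operation: allowed?} for every request in REQUESTS."""
    return {op: is_allowed(policy, act, res) for op, (act, res) in REQUESTS.items()}

if __name__ == "__main__":
    for name, policy in [("thread policy", THREAD_POLICY),
                         ("object-only", OBJECT_ONLY_POLICY)]:
        print(name, evaluate(policy))
```

Writes stay denied under both policies because no statement names s3:PutObject, which is the check to run before handing a read-only policy to another user.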


