This should do it sort of.

{
  "Id": "Policy1548367105316",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1548367099807",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Principal": { "AWS": "arn:aws:iam::Company:user/testuser" },
      "Resource": "arn:aws:s3:::archive"
    },
    {
      "Sid": "Stmt1548369229354",
      "Effect": "Allow",
      "Action": [ "s3:GetObject", "s3:PutObject", "s3:ListBucket" ],
      "Principal": { "AWS": "arn:aws:iam::Company:user/testuser" },
      "Resource": "arn:aws:s3:::archive/folder2/*"
    }
  ]
}

-----Original Message-----
From: Matt Benjamin [mailto:mbenjami@xxxxxxxxxx]
Sent: 24 January 2019 21:36
To: Marc Roos
Cc: ceph-users
Subject: Re: Radosgw s3 subuser permissions

Hi Marc,

I'm not actually certain whether the traditional ACLs permit any solution for that, but I believe with bucket policy, you can achieve precise control within and across tenants, for any set of desired resources (buckets).

Matt

On Thu, Jan 24, 2019 at 3:18 PM Marc Roos <M.Roos@xxxxxxxxxxxxxxxxx> wrote:
>
>
> It is correct that it is NOT possible for s3 subusers to have
> different permissions on folders created by the parent account?
> Thus the --access=[ read | write | readwrite | full ] is for
> everything the parent has created, and it is not possible to change
> that for specific folders/buckets?
>
> radosgw-admin subuser create --uid='Company$archive' --subuser=testuser --key-type=s3
>
> Thus if archive created this bucket/folder structure.
> └── bucket
>     ├── folder1
>     ├── folder2
>     └── folder3
>         └── folder4
>
> It is not possible to allow testuser to only write in folder2?
>
>
> _______________________________________________
> ceph-users mailing list
> ceph-users@xxxxxxxxxxxxxx
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

--
Matt Benjamin
Red Hat, Inc.
315 West Huron Street, Suite 140A
Ann Arbor, Michigan 48103

http://www.redhat.com/en/technologies/storage

tel. 734-821-5101
fax. 734-769-8938
cel. 734-216-5309
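
Added example (not part of the original messages and not radosgw's own evaluation code): a simplified model of Allow-statement matching, run over the bucket policy posted in this thread, to show which requests from testuser that policy permits. It assumes s3:ListBucket is authorized against the bucket ARN and object actions against bucket/key, and it ignores ACLs, Deny statements and conditions; the function names are hypothetical.

```python
import fnmatch

# The bucket policy posted in the thread above.
TESTUSER = "arn:aws:iam::Company:user/testuser"
POLICY = {
    "Id": "Policy1548367105316",
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Stmt1548367099807", "Effect": "Allow",
         "Action": "s3:ListBucket",
         "Principal": {"AWS": TESTUSER},
         "Resource": "arn:aws:s3:::archive"},
        {"Sid": "Stmt1548369229354", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
         "Principal": {"AWS": TESTUSER},
         "Resource": "arn:aws:s3:::archive/folder2/*"},
    ],
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def request_arn(action, bucket, key=None):
    # Assumption: listing is a bucket-level operation, so it is checked
    # against the bucket ARN even when the client asks for a prefix.
    if action == "s3:ListBucket" or key is None:
        return f"arn:aws:s3:::{bucket}"
    return f"arn:aws:s3:::{bucket}/{key}"

def allowing_sids(policy, principal, action, bucket, key=None):
    """Sids of the Allow statements matching a request; [] means implicit deny."""
    arn = request_arn(action, bucket, key)
    sids = []
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if principal not in as_list(st["Principal"]["AWS"]):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in as_list(st["Action"])):
            continue
        if any(fnmatch.fnmatchcase(arn, r) for r in as_list(st["Resource"])):
            sids.append(st["Sid"])
    return sids

if __name__ == "__main__":
    # Constructed sample requests against the folder layout from the thread.
    for action, key in [("s3:PutObject", "folder2/a.txt"), ("s3:PutObject", "folder1/a.txt"),
                        ("s3:GetObject", "folder3/folder4/b.txt"), ("s3:ListBucket", None)]:
        print(action, key, "->", allowing_sids(POLICY, TESTUSER, action, "archive", key) or "implicit deny")
```

Under this model only the first statement ever grants s3:ListBucket, and it covers the whole bucket, so testuser can still list key names under folder1 and folder3; the s3:ListBucket entry in the second statement never matches because its resource is an object ARN pattern.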