To update my own question, it would seem that Principle should be
defined like this:
- "Principal": {"AWS": ["arn:aws:iam::Tenant1:user/readwrite"]}
And resource should:
"Resource": [ "arn:aws:s3:::backups"]
Is it worth having the docs updates -
https://docs.ceph.com/en/quincy/radosgw/bucketpolicy/
to indicate that usfolks in the example is the tenant name?
On Wed, 1 Nov 2023 at 18:27, Thomas Bennett <thomas@xxxxxxxx> wrote:
> Hi,
>
> I'm running Ceph Quincy (17.2.6) with a rados-gateway. I have muti
> tenants, for example:
>
> - Tenant1$manager
> - Tenant1$readwrite
>
> I would like to set a policy on a bucket (backups for example) owned by
> *Tenant1$manager* to allow *Tenant1$readwrite* access to that bucket. I
> can't find any documentation that discusses this scenario.
>
> Does anyone know how to specify the Principle and Resource section of a
> policy.json file? Or any other configuration that I might be missing?
>
> I've tried some variations on Principal and Resource including and
> excluding tenant information, but not no luck yet.
>
>
> For example:
> {
> "Version": "2012-10-17",
> "Statement": [{
> "Effect": "Allow",
> "Principal": {"AWS": ["arn:aws:iam:::user/*Tenant1$readwrite*"]},
> "Action": ["s3:ListBucket","s3:GetObject", ,"s3:PutObject"],
> "Resource": [
> "arn:aws:s3:::*Tenant1/backups*"
> ]
> }]
> }
>
> I'm using s3cmd for testing, so:
> s3cmd --config s3cfg.manager setpolicy policy.json s3://backups/
> Returns:
> s3://backups/: Policy updated
>
> And then testing:
> s3cmd --config s3cfg.readwrite ls s3://backups/
> ERROR: Access to bucket 'backups' was denied
> ERROR: S3 error: 403 (AccessDenied)
>
> Thanks,
> Tom
>
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
