Hi, I have a setup with one default tenant and the following user/bucket structure:

    user1
        bucket1
        bucket11
    user2
        bucket2
    user3
        bucket3

IAM and STS APIs are enabled, and user1 has the roles=* capability. When user1 permits user2 to assume a role with the following permission policy:

    {"Version":"2012-10-17",
     "Statement":[
       {"Effect":"Allow",
        "Action":["s3:*"],
        "Resource":"arn:aws:s3:::*"}]
    }

user2 can use the temporary credentials (after the AssumeRole action), which give him access to ALL buckets of ALL users in this tenant (bucket3, for example). But I expect that access should be limited to user1's own buckets. I understand that the roles=* caps are some kind of global admin permission, but these caps are so powerful that they give access to all buckets through roles. How can I use a Role to limit access to only all of my own buckets? Now I can specify one or a few exact buckets, or ALL (*) in the tenant. In AWS, we can give access to all buckets (*), but it will be all buckets in our account, not all buckets in S3.

_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
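As an added example (not part of the post above, nor Ceph RGW code), the script below builds the explicit-bucket permission policy the post mentions as its current option and, with a simplified AWS-style resource matcher, compares which tenant buckets the wildcard policy and the scoped policy reach. The bucket layout is taken from the post; the matcher is a reduced model (Allow statements only, no Deny, no Condition) and is an assumption about how the Resource field is evaluated, not RGW's own evaluator.

```python
import re

# Constructed from the post: user1 owns bucket1 and bucket11; bucket2 and
# bucket3 belong to other users in the same tenant.
USER1_BUCKETS = ["bucket1", "bucket11"]
ALL_TENANT_BUCKETS = ["bucket1", "bucket11", "bucket2", "bucket3"]

# The permission policy from the post: s3:* on every bucket ARN.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*"],
                   "Resource": "arn:aws:s3:::*"}],
}


def scoped_policy(buckets):
    """Permission policy that names the owner's buckets explicitly.

    Each bucket gets its bucket ARN (bucket-level operations) and the
    bucket/* ARN (object-level operations). No wildcard is placed in the
    bucket name, so 'arn:aws:s3:::bucket1' does not also cover 'bucket11'.
    """
    resources = []
    for name in buckets:
        resources.append(f"arn:aws:s3:::{name}")
        resources.append(f"arn:aws:s3:::{name}/*")
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["s3:*"],
                           "Resource": resources}]}


def _arn_matches(pattern, value):
    # Assumed AWS-style matching: '*' matches any run, '?' one character,
    # everything else literally (so '[' is not a character class).
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def allowed_buckets(policy, tenant_buckets, action="s3:ListBucket"):
    """Tenant buckets whose bucket ARN some Allow statement grants `action` on."""
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_arn_matches(a, action) for a in actions):
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for name in tenant_buckets:
            if any(_arn_matches(r, f"arn:aws:s3:::{name}") for r in resources):
                allowed.add(name)
    return sorted(allowed)
```

Run against the post's layout, the wildcard policy reaches all four buckets while the scoped policy reaches only bucket1 and bucket11; a prefix wildcard such as arn:aws:s3:::bucket1* would again pull in bucket11, which is why the builder emits exact names.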