...

Example 1

Here we give a list of Pawsey usernames (user1, user2, user3, and user4) read-only access to a project bucket called p0002-sfx.

pawsey0002:/>policy p0002-sfx +r user1,user2,user3,user4
Setting bucket=p0002-sfx, perm=+r, for user(s)='user1,user2,user3,user4' 


The generated S3 policy:

pawsey0002:/>info p0002-sfx
              bucket : p0002-sfx
               owner : pawsey0002
             objects : 6
                size : 174.03 GB
 === Policy === 
{
    "Id": "generated-policy",
    "Statement": [
        {
            "Sid": "2022Sep08_10:21:17",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam:::user/user1",
                    "arn:aws:iam:::user/user2",
                    "arn:aws:iam:::user/user3",
                    "arn:aws:iam:::user/user4"
                ]
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::p0002-sfx",
                "arn:aws:s3:::p0002-sfx/*"
            ]
        }
    ]
}


Note: if a user (e.g. user1) attempts to list buckets, they will see nothing. However, if they attempt to list objects inside the bucket, it will show the objects inside p0002-sfx/ (see Note 4).

...

Example 2

Here we revoke user3's read access to the bucket.

pawsey0002:/>policy p0002-sfx -r user3
Setting bucket=p0002-sfx, perm=-r, for user(s)='user3'


The generated policy:

pawsey0002:/>info p0002-sfx
              bucket : p0002-sfx
               owner : pawsey0002
             objects : 6
                size : 174.03 GB
 === Policy === 
{
    "Id": "generated-policy",
    "Statement": [
        {
            "Sid": "2022Sep08_10:21:17",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam:::user/user1",
                    "arn:aws:iam:::user/user2",
                    "arn:aws:iam:::user/user3",
                    "arn:aws:iam:::user/user4"
                ]
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::p0002-sfx",
                "arn:aws:s3:::p0002-sfx/*"
            ]
        },
        {
            "Sid": "2022Sep08_10:28:44",
            "Effect": "Deny",
            "Principal": {
                "AWS": [
                    "arn:aws:iam:::user/user3"
                ]
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::p0002-sfx",
                "arn:aws:s3:::p0002-sfx/*"
            ]
        }
    ]
}


This works because the combined effect of having both an ALLOW and a DENY for user3 is an overall DENY (see Note 3).
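
The deny-overrides-allow behaviour described above, as an added example (not Pawsey's code): a simplified evaluator for bucket policies of the shape shown in Examples 2 and 6, which also reports statements that grant access to everyone. It assumes the bucket policy is the only policy in play; the function names and the object key data/file1 are constructed for illustration.

```python
import fnmatch

BUCKET = ["arn:aws:s3:::p0002-sfx", "arn:aws:s3:::p0002-sfx/*"]
READ = ["s3:ListBucket", "s3:GetObject"]

def users(*names):
    return {"AWS": [f"arn:aws:iam:::user/{n}" for n in names]}

# Constructed copies of the Example 2 and Example 6 policies on this page.
EXAMPLE_2 = {"Id": "generated-policy", "Statement": [
    {"Sid": "2022Sep08_10:21:17", "Effect": "Allow", "Action": READ,
     "Resource": BUCKET, "Principal": users("user1", "user2", "user3", "user4")},
    {"Sid": "2022Sep08_10:28:44", "Effect": "Deny", "Action": READ,
     "Resource": BUCKET, "Principal": users("user3")},
]}
EXAMPLE_6 = {"Id": "generated-policy", "Statement": [
    {"Sid": "2022Sep08_11:12:28", "Effect": "Allow", "Action": READ,
     "Resource": BUCKET, "Principal": "*"},
]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def principals(stmt):
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else as_list(p.get("AWS", []))

def matches(stmt, arn, action, resource):
    # Simplification: fnmatch stands in for S3's "*" and "?" wildcards.
    who = principals(stmt)
    return (("*" in who or arn in who)
            and any(fnmatch.fnmatchcase(action, a) for a in as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in as_list(stmt["Resource"])))

def is_allowed(policy, user, action, resource):
    """An explicit Deny wins; otherwise any Allow grants; otherwise implicit deny."""
    arn = f"arn:aws:iam:::user/{user}"
    effects = [s["Effect"] for s in policy["Statement"]
               if matches(s, arn, action, resource)]
    return "Deny" not in effects and "Allow" in effects

def public_statements(policy):
    """Sids of Allow statements whose principal is the wildcard."""
    return [s.get("Sid") for s in policy["Statement"]
            if s["Effect"] == "Allow" and "*" in principals(s)]
```

Running `public_statements` over a bucket's policy before sharing data is a quick way to confirm that a `+r *` grant has not been left in place unintentionally.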

...

Example 4

This will grant the user sean read and write permission on the bucket p0002-sfx.

pawsey0002:/>policy p0002-sfx +rw sean
Setting bucket=p0002-sfx, perm=+rw, for user(s)='sean'


The S3 policy:

pawsey0002:/>info p0002-sfx
              bucket : p0002-sfx
               owner : pawsey0002
             objects : 6
                size : 174.03 GB
 === Policy === 
{
    "Id": "generated-policy",
    "Statement": [
        {
            "Sid": "2022Sep08_11:12:28",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam:::user/sean"
                ]
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::p0002-sfx",
                "arn:aws:s3:::p0002-sfx/*"
            ]
        }
    ]
}



...

Example 6

This will make the objects in p0002-sfx read-only and publicly accessible.

pawsey0002:/>policy p0002-sfx +r *
Setting bucket=p0002-sfx, perm=+r, for user(s)=None


The S3 policy:

pawsey0002:/>info p0002-sfx
              bucket : p0002-sfx
               owner : pawsey0002
             objects : 6
                size : 174.03 GB
 === Policy === 
{
    "Id": "generated-policy",
    "Statement": [
        {
            "Sid": "2022Sep08_11:12:28",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::p0002-sfx",
                "arn:aws:s3:::p0002-sfx/*"
            ],
            "Principal": "*"
        }
    ]
}



...