Here we | Example 1 | Example1 - give a list of Pawsey |
| usernames (user1, user2, user3, and user4) readonly access to a project bucket called p0002-sfx. | title
pawsey0002p0002sfxbucket +r user1,user2,user3,user4
Setting bucket= | p0002sfxbucket, perm=+r, for user(s)='user1,user2,user3,user4' |
| Expand |
---|
| Show the generated S3 policy... | Code Block |
---|
pawsey0002:/>info p0002-sfx
bucket : p0002-sfx
owner : pawsey0002
objects : 6
size : 174.03 GB
=== Policy ===
{
"Id": "generated-policy",
"Statement": [
{
"Sid": "2022Sep08_10:21:17",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam:::user/user1",
"arn:aws:iam:::user/user2",
"arn:aws:iam:::user/user3",
"arn:aws:iam:::user/user4",
]
},
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::p0002-sfx",
"arn:aws:s3:::p0002-sfx/*"
]
}
]
} |
Note: if a user | (eg user1) attempts to list buckets they will see nothing. However, if they attempt to list objects inside the bucket it will show the objects inside | p0002sfx
| Here we want to - revoke user3 from having read access |
| to the bucket. |
pawsey0002p0002sfxbucket -r user3
Setting bucket= | p0002sfxbucket, perm=-r, for user(s)='user3' |
| Expand |
---|
title | Show the generated policy... |
---|
| code | pawsey0002:/>info p0002-sfx
bucket : p0002-sfx
owner : pawsey0002
objects : 6
size : 174.03 GB
=== Policy ===
{
"Id": "generated-policy",
"Statement": [
{
"Sid": "2022Sep08_10:21:17",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam:::user/user1",
"arn:aws:iam:::user/user2",
"arn:aws:iam:::user/user3",
"arn:aws:iam:::user/user4",
]
},
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::p0002-sfx",
"arn:aws:s3:::p0002-sfx/*"
]
},
{
"Sid": "2022Sep08_10:28:44",
"Effect": "Deny",
"Principal": {
"AWS": [
"arn:aws:iam:::user/user3"
]
},
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::p0002-sfx",
"arn:aws:s3:::p0002-sfx/*"
]
}
]
} | |
This works as the combined effect of having both ALLOW and DENY for user3 acts as an overall DENY - see Note 3.
| This illustrates an alternative method for achieving the same overall result as in example2. Here we remove all policies on the bucket first, before adding back just the users we want. Code Block |
---|
pawsey0002- grant read and write permission |
|
Code Block |
---|
project123:/>policy | p0002-sfx -
Deleting all policies on bucket=p0002-sfx
pawsey0002:>policy p0002-sfx +r user1,user2,user4my-bucket +rw user1
Setting bucket= | p0002sfxr,user2,user4 | Note that the generated policy will look different to example2 and will actually be similar to example1 with user3 omitted from the list.
| This will grant read and write permission on a bucket.- make a bucket readonly and publicly accessible |
|
pawsey0002p0002sfxrwseanp0002sfxrw'sean'
|
Expandpanel |
---|
title | Show the S3 policy...Example 5 - remove all policies on a bucket |
---|
|
Code Block |
---|
pawsey0002project123:/>info>policy p0002my-sfxbucket -
Deleting all policies bucket : p0002-sfx
owner : pawsey0002
objects : 6
size : 174.03 GB
=== Policy ===
{
"Id": "generated-policy",
"Statement": [
{
"Sid": "2022Sep08_11:12:28",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam:::user/sean",
]
},
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::p0002-sfx",
"arn:aws:s3:::p0002-sfx/*"
]
}
]
} |
|
|