Introduction
This page is specific to S3 remote types (eg acacia and AWS) it does not apply to the more specialised banksia service. If you need more sophisticated policies and lifecycles, you can use the generated ones shown here as a starting point but will have to use awscli to add any customisations. Please refer to Acacia access and identities and Using policies for more details.
Setup
An acacia project can be added to your list of pshell remotes by using an arbitrary remote name (eg project123) and supplying the access/secret pair after you select the remote and login. An example is given below:. After this, the usual file and folder commands will be available.
| Expand |
|---|
|
| Code Block |
|---|
pshell:/> remote add project123 s3 https://projects.pawsey.org.au
pshell:/> remote project123
project123:/>login
Access: xyz
Secret: *** |
|
...
The info command on a bucket.
Policies
Simple S3 policies can also be automatically created for you, noting that:
- Policies are attached to buckets and are a list of statements about actions allowed or denied for that bucket only.
- Policies override the default project permissions so care should be taken not to lock yourself out of the bucket.
- Any DENY in a policy statement counts as a negative permission overall for that action, even if there is also an ALLOW elsewhere.
- Policies only grant visibility of objects in a bucket, not visibility of the bucket itself.
| Note |
|---|
You can use the pshell command "info mybucket" to examine the active policies on that bucket. |
| Expand |
|---|
|
| Panel |
|---|
| title | Example1 - give a list of Pawsey |
|---|
|
usernames (user1, user2, user3, and user4) readonly access to a project bucket called p0002-sfx.Note: if a user (eg user1) attempts to list buckets they will see nothing. However, if they attempt to list objects inside the bucket it will show the objects inside p0002-sfx/ - see Note 4. | Code Block |
|---|
pawsey0002 |
| Code Block |
|---|
project123:/>policy |
p0002sfxbucket +r user1,user2,user3,user4
Setting bucket= |
p0002sfxbucket, perm=+r, for user(s)='user1,user2,user3,user4' |
Note: if a user attempts to list buckets they will see nothing. However, if they attempt to list objects inside the bucket it will show the objects inside my-bucket/ - see Note 4. |
| Panel |
|---|
| title | Example 2 - revoke user3 from having read access |
|---|
|
to the bucket. |
pawsey0002p0002sfxbucket -r user3
Setting bucket= |
p0002sfxbucket, perm=-r, for user(s)='user3' |
|
| Panel |
|---|
| title | Example 3 - grant read and write permission |
|---|
|
on a bucket. |
pawsey0002p0002sfxbucket +rw user1
Setting bucket= |
p0002sfxbucket, perm=+rw, for user(s)='user1' |
|
the objects in p0002-sfx | a bucket readonly and publicly accessible |
|
. |
pawsey0002p0002sfxbucket +r *
Setting bucket= |
p0002sfxbucket, perm=+r, for user(s)=None |
|
| Panel |
|---|
| title | Example 5 - remove all policies on a bucket |
|---|
|
. |
pawsey0002p0002sfxbucket -
Deleting all policies on bucket= |
p0002sfx
|
|
Lifecycles
Simple S3 bucket lifecycles can also be automatically created for you affecting multi-part uploads and versioning.
| Note |
|---|
Remember to use Use the pshell command "info mybucket" to check if there are any current lifecycle rules as you the following may overwrite them with the following examples. |
| Expand |
|---|
|
- a basic bucket lifecycle that cleans up failed | - enable multi-part and expired version cleanup after 30 days |
|
| Code Block |
|---|
pshell> lifecycle my-bucket +mv |
|
| Panel |
|---|
| title | Example 2 - clean up incomplete multi-part uploads after 7 days |
|---|
|
. |
| Code Block |
|---|
pshell> lifecycle |
mybucket
|
2 - a basic bucket lifecycle that turns | 3 - turn on versioning and |
|
deletes | delete expired non-current objects after 30 days |
|
. |
| Code Block |
|---|
pshell> lifecycle |
mybucket
|
If versioning is enabled on a bucket, then you will have the option to review and restore deleted objects in the window before the lifecycle cleanup policy permanently removes them. | Panel |
|---|
| title | Example 4 - Reviewing deleted objects |
|---|
|
| Code Block |
|---|
pshell> lifecycle my-bucket --review
Reviewing deletions: bucket=my-bucket, prefix=
* folder1/my_file.txt |
|
| Panel |
|---|
| title | Example 5 - Restoring an object |
|---|
|
| Code Block |
|---|
pshell> lifecycle my-bucket/folder1 --restore
Restoring deletions: bucket=my-bucket, prefix=folder1
restoring: folder1/my_file.txt
Restored object count: 1 |
|
|