Using policies
This page shows you how to control access to your resources on Acacia. Using policies you can give list, upload, download, and delete permissions to other Acacia users and projects.
What makes up a policy?
A policy is a JSON-formatted text file made up of the following basic elements (for a complete description see AWS Identity and Access Management):
- Effect - either Allow or Deny. The value is case-sensitive.
- Principal - the user or project whose access to your resource the policy grants or denies. Users are identified as arn:aws:iam:::user/USERNAME (the account field is left empty) and projects as arn:aws:iam::UUID:root.
- Action - the S3 operation the statement applies to, written with the s3: prefix. These include CreateBucket, DeleteBucket, DeleteObject, GetObject, ListBucket, PutBucketPolicy and PutObject. For the full listing of supported actions see Ceph Bucket policies.
- Resource - the resource the policy applies to. Bucket-level actions such as ListBucket take the bucket ARN (arn:aws:s3:::BUCKET); object-level actions such as GetObject, PutObject and DeleteObject apply to the objects inside it, so they need the object form arn:aws:s3:::BUCKET/* as the resource or they will have no effect.
A template policy file is shown below:
    {
      "Statement": [{
        "Effect": "EFFECT",
        "Principal": {"AWS": ["arn:aws:iam::ACCOUNTID"]},
        "Action": "s3:ACTION",
        "Resource": ["arn:aws:s3:::BUCKET"]
      }]
    }
To create a policy, copy this template into a file with a .json extension and substitute the appropriate value for each placeholder (EFFECT, ACCOUNTID, ACTION and BUCKET).
Note: the policy file cannot be larger than 20 KB.
Policy example
A single policy can include multiple accounts and actions. For example, if you wanted to give the user lcampbell and the project pawsey0002 permission to list the bucket cou01-share01 belonging to the project courses01 (of which you are a member), you would make the following substitutions:
EFFECT = Allow
ACCOUNTID = :user/lcampbell for the user (the account field before :user is left empty), and 0519d807c3a549c0b73cdc8244d6a0c5:root for the project pawsey0002 (the project's UUID followed by :root). Both ARNs go into the same Principal array.
ACTION = ListBucket
BUCKET = cou01-share01
    {
      "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam:::user/lcampbell",
                              "arn:aws:iam::0519d807c3a549c0b73cdc8244d6a0c5:root"]},
        "Action": "s3:ListBucket",
        "Resource": ["arn:aws:s3:::cou01-share01"]
      }]
    }
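The following is an added Python example, not code from the Acacia documentation, that generates a policy file from the same substitutions used above (effect, principals, actions, bucket) and applies the checks a practitioner would want before uploading it: the effect must be exactly Allow or Deny, the actions must be ones listed on this page, object-level actions get the arn:aws:s3:::BUCKET/* resource while bucket-level ones get the bucket ARN, and the serialised file must stay under the 20 KB limit. The split of actions into bucket-level and object-level is standard S3 semantics rather than something stated on this page; the principal ARN formats follow the page's example.

```python
"""Build and sanity-check an Acacia (Ceph RGW) S3 bucket policy.

Added example, not the Acacia documentation's own code. Principal ARN
formats mirror this page's example: users are arn:aws:iam:::user/USERNAME
and projects are arn:aws:iam::UUID:root.
"""
import json

MAX_POLICY_BYTES = 20 * 1024  # size limit stated on this page

# Actions listed on this page. The bucket-vs-object split is standard S3
# semantics and decides which Resource ARN form each action needs.
BUCKET_ACTIONS = {"CreateBucket", "DeleteBucket", "ListBucket", "PutBucketPolicy"}
OBJECT_ACTIONS = {"GetObject", "PutObject", "DeleteObject"}


def user_arn(username):
    """Principal ARN for an individual user (note the empty account field)."""
    return f"arn:aws:iam:::user/{username}"


def project_arn(project_uuid):
    """Principal ARN for a whole project, identified by its UUID."""
    return f"arn:aws:iam::{project_uuid}:root"


def build_policy(effect, principals, actions, bucket):
    """Return a policy dict with up to two statements.

    Bucket-level actions (e.g. ListBucket) target arn:aws:s3:::BUCKET;
    object-level actions (Get/Put/DeleteObject) target arn:aws:s3:::BUCKET/*.
    Mixing them in one statement with only the bucket ARN silently leaves the
    object-level permissions ineffective, so they are emitted separately.
    """
    if effect not in ("Allow", "Deny"):
        raise ValueError("Effect must be exactly 'Allow' or 'Deny'")
    unknown = set(actions) - BUCKET_ACTIONS - OBJECT_ACTIONS
    if unknown:
        raise ValueError(f"unsupported action(s): {sorted(unknown)}")
    if not principals:
        raise ValueError("at least one principal is required")

    statements = []
    for level, resource in ((BUCKET_ACTIONS, f"arn:aws:s3:::{bucket}"),
                            (OBJECT_ACTIONS, f"arn:aws:s3:::{bucket}/*")):
        chosen = sorted(a for a in actions if a in level)
        if chosen:
            statements.append({
                "Effect": effect,
                "Principal": {"AWS": list(principals)},
                "Action": [f"s3:{a}" for a in chosen],
                "Resource": [resource],
            })
    return {"Statement": statements}


def policy_json(policy):
    """Serialise the policy and enforce the 20 KB file-size limit."""
    text = json.dumps(policy, indent=2)
    size = len(text.encode("utf-8"))
    if size > MAX_POLICY_BYTES:
        raise ValueError(f"policy is {size} bytes, limit is {MAX_POLICY_BYTES}")
    return text


if __name__ == "__main__":
    # Reproduces this page's example: list access on cou01-share01 for the
    # user lcampbell and the project pawsey0002.
    pol = build_policy(
        "Allow",
        [user_arn("lcampbell"), project_arn("0519d807c3a549c0b73cdc8244d6a0c5")],
        ["ListBucket"],
        "cou01-share01",
    )
    print(policy_json(pol))
```

Write the printed text to a file such as policy.json and attach it to the bucket with your usual S3 client; with the AWS CLI that is `aws s3api put-bucket-policy --bucket cou01-share01 --policy file://policy.json` plus the `--endpoint-url` for Acacia (the endpoint is not given on this page). Because Action is emitted as a list rather than the single string used in the template above, the same generator handles multi-action policies without changing shape.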
...