
I have the following user configuration:

namespace: s3test
user:      s3test
  subuser:   backup (set up with s3 credentials instead of swift)

I want to define a bucket policy that explicitly prevents the backup user from putting to a bucket called hedgehogs, which was created by the s3test user:

{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyPutToHedgehogsForBackup",
                "Effect": "Deny",
                "Principal": {
                    "CanonicalUser": "s3test:backup"
                },
                "Action": ["s3:PutObject"],
                "Resource": [
                    "arn:aws:s3:::hedgehogs/*"
                ]
            }
        ]
}

However, this seems to prevent both s3test and s3test:backup from putting to hedgehogs.

Is something wrong with my policy syntax, or does that mean that subusers configured with s3 credentials are just another way of accessing s3 with the main user's permissions?

Thurse

1 Answer


Your bucket policy should be like this:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Principal": {"AWS": ["arn:aws:iam:::user/s3test:backup"]},
    "Action": "s3:PutObject",
    "Resource": [
      "arn:aws:s3:::hedgehogs/*"
    ]
  }]
}
Seena Fallah
  • @Thurse you don't want to block put access to the bucket for the backup subuser?! – Seena Fallah Nov 09 '20 at 07:45
  • Yes, that's right, my original comment was bs. Still, it seems that the access policies for swift are all that matter. If I'm creating a swift subuser with full access and creating s3 keys for it, denying subuser `backup` with the policy stated above also locks out s3test. – Thurse Nov 09 '20 at 12:26
  • @Thurse Which version of ceph are you using? You should use nautilus 14.2.10 or above! – Seena Fallah Nov 10 '20 at 00:28
  • Ahh, we're at 14.2.8. I cannot change that. Where did you get the information that it's only working in 14.2.10 and above? – Thurse Nov 11 '20 at 07:58
  • @Thurse you can see the changelog for supporting bucket policy for subuser here under nautilus 14.2.10. https://docs.ceph.com/en/latest/releases/nautilus/ – Seena Fallah Nov 12 '20 at 08:39
  • Thanks! Since it's not clear when 14.2.10 gets rolled out in our company, I'll stick to the classical approach of creating regular S3 users under the same namespace. – Thurse Nov 12 '20 at 08:47
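Since the thread shows the symptom (both the owner and the subuser locked out) depends on the RGW version, it is worth applying the policy and then probing both identities rather than trusting the document alone. The script below is an added example, not code from the question or the answer: it builds the Deny statement in the `arn:aws:iam:::user/<user>:<subuser>` principal form the answer gives, applies it with the owner's keys, and reports whether the owner can still write while the subuser gets AccessDenied. The endpoint URL, the credential dictionaries and the probe object keys are assumptions; boto3 is only imported for the live check, so the builder and the result classification run offline.

```python
"""Build the Deny-PutObject bucket policy for an RGW subuser and verify its
effect: the owner must still be able to write, the subuser must be denied."""
import json


def build_deny_put_policy(bucket: str, user: str, subuser: str) -> dict:
    """Deny s3:PutObject on bucket/* for one subuser, using the
    'arn:aws:iam:::user/<user>:<subuser>' principal form from the answer."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": f"DenyPutTo{bucket.capitalize()}For{subuser.capitalize()}",
            "Effect": "Deny",
            "Principal": {"AWS": [f"arn:aws:iam:::user/{user}:{subuser}"]},
            "Action": "s3:PutObject",
            "Resource": [f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def classify_put(attempt) -> str:
    """Run a PutObject attempt (zero-argument callable) and report 'allowed',
    'denied' for an AccessDenied response, or the raw S3 error code."""
    try:
        attempt()
        return "allowed"
    except Exception as exc:  # botocore's ClientError carries .response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code", "")
        return "denied" if code == "AccessDenied" else code or type(exc).__name__


def check_expectations(owner_result: str, subuser_result: str) -> bool:
    """True only when the policy hits the subuser alone; the question's
    symptom (owner denied as well) makes this False."""
    return owner_result == "allowed" and subuser_result == "denied"


def run_live_check(endpoint, owner_keys, subuser_keys, bucket="hedgehogs"):
    """Apply the policy and probe both identities against a real RGW endpoint.
    owner_keys/subuser_keys: dicts with aws_access_key_id/aws_secret_access_key."""
    import boto3  # assumed installed; only needed for this live part
    owner = boto3.client("s3", endpoint_url=endpoint, **owner_keys)
    sub = boto3.client("s3", endpoint_url=endpoint, **subuser_keys)
    policy = build_deny_put_policy(bucket, "s3test", "backup")
    owner.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))
    result = {
        "owner": classify_put(lambda: owner.put_object(Bucket=bucket, Key="probe-owner", Body=b"x")),
        "subuser": classify_put(lambda: sub.put_object(Bucket=bucket, Key="probe-subuser", Body=b"x")),
    }
    result["policy_effective"] = check_expectations(result["owner"], result["subuser"])
    return result
```

Call `run_live_check("http://rgw.example.invalid:8080", owner_keys, subuser_keys)` with the two key pairs from `radosgw-admin`; `policy_effective` being False with both probes denied is exactly the behaviour the question reports on 14.2.8.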