Created May 23, 2017 22:18
AWS policy with minimal permissions to allow Minio Gateway access to a single bucket
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1495498207000",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "Stmt1495499162000",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::minio-gateway-test"
            ]
        },
        {
            "Sid": "Stmt1495499056000",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::minio-gateway-test/*"
            ]
        }
    ]
}
This is a policy definition for AWS in order to set up (for existing AWS users) access to just a single bucket.
By creating a new user (with its own ACCESS and SECRET key) and attaching the above policy to this user, if you subsequently run
minio gateway
with these credentials, then the gateway will just allow access to this specific bucket (e.g. mys3/minio-gateway-test
in this case). Note that the policy allows some actions at higher levels. Also the user of the gateway is able to list the names of all buckets (e.g.
mc ls mys3
works) but obviously cannot list inside these buckets. (And the names of the buckets are public anyway because they are accessible under s3.amazonaws.com.)
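As an added example (not part of the gist, nor Minio's own code), the following Python evaluator applies the policy above with simplified IAM semantics (explicit Deny wins, any matching Allow grants, otherwise implicit deny; no Condition or Principal handling) so you can check exactly which calls it permits: object operations and listing inside minio-gateway-test, bucket-name listing and GetBucketLocation on any bucket, and no bucket-level operations such as DeleteBucket anywhere. The bucket name other-bucket and the object keys are constructed sample values.

```python
import fnmatch

# The gist's three statements, as a Python literal (Sid values omitted).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
         "Resource": ["arn:aws:s3:::*"]},
        {"Effect": "Allow",
         "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::minio-gateway-test"]},
        {"Effect": "Allow",
         "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::minio-gateway-test/*"]},
    ],
}


def _as_list(value):
    # IAM accepts either a single string or a list for Action/Resource.
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    # fnmatchcase provides the same two wildcards without case folding.
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: explicit Deny wins, any matching Allow
    grants, and the default is deny. Action names are case-insensitive;
    resource ARNs are matched case-sensitively."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a.lower(), action.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource)
                           for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::minio-gateway-test/report.csv"),
                     ("s3:ListBucket", "arn:aws:s3:::other-bucket"),
                     ("s3:DeleteBucket", "arn:aws:s3:::minio-gateway-test")]:
        print(f"{act:18} {res:45} -> {is_allowed(POLICY, act, res)}")
```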