amazon-s3, ceph, radosgw

How do Ceph S3 user and subuser permissions work together?


I have the following user configuration:

namespace: s3test
user:      s3test
  subuser:   backup (set up with s3 credentials instead of swift)

I want to define a bucket policy that explicitly prevents the backup user from putting to a bucket called hedgehogs, which was created by the s3test user:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPutToHedgehogsForBackup",
      "Effect": "Deny",
      "Principal": {
        "CanonicalUser": "s3test:backup"
      },
      "Action": ["s3:PutObject"],
      "Resource": [
        "arn:aws:s3:::hedgehogs/*"
      ]
    }
  ]
}

However, this seems to prevent both s3test and s3test:backup from putting to hedgehogs.

Is something wrong with my policy syntax, or does that mean that subusers configured with s3 credentials are just another way of accessing s3 with the main user's permissions?


Solution

  • Your bucket policy should be like this:

    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Deny",
        "Principal": {"AWS": ["arn:aws:iam:::user/s3test:backup"]},
        "Action": "s3:PutObject",
        "Resource": [
          "arn:aws:s3:::hedgehogs/*"
        ]
      }]
    }
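To make the difference between the two Principal forms checkable, here is an added Python example (not part of the question or the answer, and not Ceph's own code). It builds the ARN form from a uid, an optional subuser and an optional tenant, and lints a policy for Deny statements whose Principal is not in that form. The tenanted form `arn:aws:iam::<tenant>:user/<uid>:<subuser>` follows the Ceph RGW bucket-policy documentation; the function names and the embedded sample policy are constructed for this example.

```python
import json
import re

# Principal form Ceph RGW bucket policies match on (see the answer); the tenant
# segment is empty for untenanted users such as s3test.
RGW_USER_ARN = re.compile(r"^arn:aws:iam::([^:]*):user/([^/:]+)(?::([^/:]+))?$")

def rgw_principal_arn(uid: str, subuser: str = "", tenant: str = "") -> str:
    """Build the RGW principal ARN for a user, 'uid:subuser' or 'tenant$uid'."""
    if "$" in uid:                  # RGW spells tenanted users as 'tenant$uid'
        tenant, uid = uid.split("$", 1)
    if not subuser and ":" in uid:  # accept 'uid:subuser' as one token
        uid, subuser = uid.split(":", 1)
    arn = f"arn:aws:iam::{tenant}:user/{uid}"
    return f"{arn}:{subuser}" if subuser else arn

def deny_put_policy(bucket: str, *identities: str, sid: str = "DenyPutObject") -> dict:
    """Deny s3:PutObject on every object in `bucket` to exactly these identities."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": sid,
        "Effect": "Deny",
        "Principal": {"AWS": [rgw_principal_arn(i) for i in identities]},
        "Action": ["s3:PutObject"],
        "Resource": [f"arn:aws:s3:::{bucket}/*"],
    }]}

def lint_principals(policy: dict) -> list:
    """One finding per Deny statement whose Principal is not an RGW user ARN
    (a wildcard is reported too). Such a principal does not single out the
    intended subuser, so the Deny lands elsewhere (in the question: on both)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal") or {}
        for key, values in (principal if isinstance(principal, dict) else {"AWS": principal}).items():
            for value in ([values] if isinstance(values, str) else values):
                if key != "AWS" or not RGW_USER_ARN.match(value):
                    findings.append(f"{sid}: Principal {key}={value!r} is not "
                                    "arn:aws:iam::<tenant>:user/<uid>[:<subuser>]")
    return findings

# Constructed sample: the policy from the question, using the CanonicalUser form.
QUESTION_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "DenyPutToHedgehogsForBackup", "Effect": "Deny",
  "Principal": {"CanonicalUser": "s3test:backup"},
  "Action": ["s3:PutObject"], "Resource": ["arn:aws:s3:::hedgehogs/*"]}]}""")

if __name__ == "__main__":
    for finding in lint_principals(QUESTION_POLICY):
        print("finding:", finding)
    print(json.dumps(deny_put_policy("hedgehogs", "s3test:backup"), indent=2))
```

Run the linter against a policy before `put_bucket_policy` so an over-broad or ineffective Deny is caught before it reaches the gateway.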