Tags: amazon-s3, access-control, ceph, identity-management

How to format Ceph S3 bucket-policy Principal?


I'm trying to set the bucket policy for a Ceph S3 bucket.

This policy works, but it enables public access:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAllForAuthenticatedUsers",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "*"
                ]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::mybucket",
                "arn:aws:s3:::mybucket/*"
            ]
        }
    ]
}

I believe I need to specify each user who has access to the bucket in Principal. The Ceph docs here show this example:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::usfolks:user/fred:subuser"]},
    "Action": "s3:PutObjectAcl",
    "Resource": [
      "arn:aws:s3:::happybucket/*"
    ]
  }]
}

I believe usfolks in the example is the tenant; the docs make this mention:

We use the RGW ‘tenant’ identifier in place of the Amazon twelve-digit account ID. In the future, we may allow you to assign an account ID to a tenant, but for now, if you want to use policies between AWS S3 and RGW S3 you will have to use the Amazon account ID as the tenant ID when creating users.

I checked that the tenant on my bucket is an empty string, verified using radosgw-admin bucket stats. Also, subusers are not set when looking at radosgw-admin user info: "subusers": [],.

Here are some of the many formats I've tried for Principal. In each case I tested by attempting to download a file, and I got an error (403 HeadObject operation Forbidden):

"AWS": ["myuser-000"]
"AWS": ["arn:aws:iam:::user/myuser-000:"]
"AWS": ["arn:aws:iam:::user/*"]
"AWS": ["arn:aws:iam::usfolks:user/myuser-000:"]
"AWS": ["arn:aws:iam:::myuser-000:"]

In these cases myuser-000 is also the bucket owner; I'm using this user's credentials for authentication.


Solution

  • Here's the bucket policy that finally worked:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam:::user/USERNAMEA",
              "arn:aws:iam:::user/USERNAMEB",
              "arn:aws:iam:::user/USERNAMEC"
            ]
          },
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::BUCKETNAME",
            "arn:aws:s3:::BUCKETNAME/*"
          ]
        }
      ]
    }

    This assumes a default Ceph environment not using tenants. Replace BUCKETNAME and USERNAME#.

    There is a default deny for principals not matching the list of users in this policy doc.

    Notably, wildcards (*) in the principals didn't work in Ceph.
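As an added example (not code from the question or the answer), the following Python builds the per-user policy from the answer for a list of RGW users, handling the tenant and subuser positions in the ARN described in the Ceph docs quoted above, and audits a policy for the `*` principal that makes a bucket public and the wildcard principals the answer reports as not working. Function names and the `BUCKETNAME`/`USERNAME` placeholder values are the example's own.

```python
import json
from typing import List, Optional, Union

# Added example, not from the question or the answer on this page.


def rgw_user_arn(user: str, tenant: str = "", subuser: Optional[str] = None) -> str:
    """Principal ARN as RGW expects it: the tenant sits where AWS puts the
    12-digit account ID and is empty in a default, tenant-less deployment;
    a subuser is appended after a colon, as in user/fred:subuser."""
    arn = f"arn:aws:iam::{tenant}:user/{user}"
    return f"{arn}:{subuser}" if subuser else arn


def build_bucket_policy(bucket: str, users: List[str], tenant: str = "",
                        actions: Union[str, List[str]] = "s3:*") -> dict:
    """Allow only the named users the given actions on the bucket and its objects.
    Anyone not listed falls under the implicit default deny."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": [rgw_user_arn(u, tenant) for u in users]},
            "Action": actions,
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def audit_principals(policy: dict) -> List[str]:
    """Report Allow statements whose principals are public ('*') or contain a
    wildcard, which the answer above found RGW does not match."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            if p == "*":
                findings.append(f"statement {i}: principal '*' makes the bucket public")
            elif "*" in p:
                findings.append(f"statement {i}: wildcard principal {p!r} is not matched by RGW")
    return findings


if __name__ == "__main__":
    policy = build_bucket_policy("BUCKETNAME", ["USERNAMEA", "USERNAMEB"])
    print(json.dumps(policy, indent=2))  # this string is what put_bucket_policy takes
    print(audit_principals(policy))      # [] for the per-user policy
```

The serialized policy can be applied with a standard S3 client's `put_bucket_policy` call pointed at the RGW endpoint.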