IAM role permissions for S3 buckets

Summary

This article describes the minimum permissions requirements for Aspera to upload, download or list content in an S3 bucket.  The IAM policy can be used in multiple types of Aspera deployments, e.g. If you are running your own Aspera server on Demand (AOD), or if you are using the Aspera Transfer Service (ATS).

Details

The table below, shows the IAM policy rules required for the specific operation.  The table shows the permissions required for each operation separately, e.g. upload, download or browse.

 
Permission Required for upload? Required for download? Required for browse or delete? Comments
s3:AbortMultipartUpload X   Browse + Delete  
s3:DeleteObject X   Browse + Delete  
s3:GetBucketLocation X X   Tuning exists if user wants to remove need for this permission (2)
s3:GetObject   X    
s3:ListBucket X X Browse  
s3:ListBucketMultipartUploads X X Browse  
s3:ListMultipartUploadParts X   Browser + Delete  
s3:PutObject X      
s3:ListAllMyBuckets (1) X (1)      - No longer required in 3.5.2 release

 

Example

Here is an example IAM policy that provides the minimum required permissions for a specific bucket (YOUR_BUCKET).  Please make the appropriate substitutions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1464034295000",
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
                "s3:ListMultipartUploadParts",
                "s3:PutObject",
"s3:GetObject"             ],
            "Resource": [                 "arn:aws:s3:::YOUR_BUCKET/*"             ]         },         {             "Effect": "Allow",             "Action": [                 "s3:GetBucketLocation",                 "s3:ListBucket",                 "s3:ListBucketMultipartUploads"             ],
            "Resource": [                 "arn:aws:s3:::YOUR_BUCKET"             ]         }     ] }

 

1) In the Enterprise Server 3.5.2 release, ListAllMyBuckets permissions is no longer required for Aspera to upload to object storage.  NOTE: Aspera transfer service is running version > 3.7.3

2) To disable the requirement for "GetBucketLocation", starting with 3.5.2 release, do the following (NOTE: ATS requires this option):

     a) Edit /opt/aspera/etc/trap/s3.properties and disable the requirement by setting the option aspera.session.check-bucket.transfer=false 

     b) Restart asperatrapd with this command

# /etc/init.d/asperatrapd restart

 

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.
Powered by Zendesk