IAM role permissions for S3 buckets

Summary

This article describes the minimum permissions required for Aspera to upload, download or list content in an S3 bucket.  The IAM policy can be used in multiple types of Aspera deployments, e.g. if you are running your own Aspera Server On Demand (AOD) or if you are using the Aspera Transfer Service (ATS).

Details

The table below shows the IAM policy permissions required for each operation (upload, download, or browse/delete) separately.

Permission                    | Required for upload? | Required for download? | Required for browse or delete? | Comments
------------------------------+----------------------+------------------------+--------------------------------+---------------------------------------------------------------
s3:AbortMultipartUpload       | X                    |                        | browse + delete                |
s3:DeleteObject               | X                    |                        | browse + delete                |
s3:GetBucketLocation          | X                    | X                      | browse                         | Tuning exists if the user wants to remove the need for this permission. (2)
s3:GetObject                  |                      | X                      | browse                         |
s3:ListBucket                 | X                    | X                      | browse                         |
s3:ListBucketMultipartUploads | X                    | X                      | browse + delete                |
s3:ListMultipartUploadParts   | X                    |                        |                                |
s3:PutObject                  | X                    |                        |                                |
s3:ListAllMyBuckets           | (1)                  | X (1)                  |                                | No longer required as of 3.5.2; however, it is required if a bucket name is not included in the policy (i.e. the resource is *).


Example

Here is an example IAM policy that grants the minimum required permissions for a specific bucket (YOUR_BUCKET).  Make the appropriate substitutions before using it.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1464034295000",
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
                "s3:ListMultipartUploadParts",
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR_BUCKET/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR_BUCKET"
            ]
        }
    ]
}
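To review a candidate policy against this minimum before attaching it to a role, here is an added Python example (not part of the original article and not Aspera tooling). It assumes the object-level/bucket-level resource split used in the policy above, treats any wildcard action or wildcard resource as a finding, and reports actions that are missing from or extra to the minimum set.

```python
import json
from fnmatch import fnmatchcase

# Minimum S3 actions from the table above, by the resource level each applies to:
# object-level on arn:aws:s3:::BUCKET/*, bucket-level on arn:aws:s3:::BUCKET.
OBJECT_ACTIONS = {"s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject",
                  "s3:ListMultipartUploadParts", "s3:PutObject"}
BUCKET_ACTIONS = {"s3:GetBucketLocation", "s3:ListBucket",
                  "s3:ListBucketMultipartUploads"}

# Constructed sample: the over-broad policy that the minimum above replaces.
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]})


def _as_list(value):
    # IAM accepts either a single string or a list for Statement/Action/Resource.
    return value if isinstance(value, list) else [value]


def check_policy(policy_json, bucket):
    """Compare an IAM policy document with the Aspera minimum for `bucket`.
    Returns a list of findings; empty means exactly the minimum, nothing broader."""
    obj_arn, bkt_arn = f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"
    granted = {obj_arn: set(), bkt_arn: set()}
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        for action in sorted(a for a in actions if "*" in a):
            findings.append(f"wildcard action {action} is broader than the minimum")
        for res in _as_list(stmt.get("Resource", [])):
            if res in ("*", "arn:aws:s3:::*"):
                findings.append(f"resource {res} covers every bucket; scope it to "
                                f"{bucket} (or s3:ListAllMyBuckets becomes necessary)")
                for arn in granted:  # a wildcard resource reaches both levels
                    granted[arn] |= actions
            elif res in granted:
                granted[res] |= actions
    for arn, needed in ((obj_arn, OBJECT_ACTIONS), (bkt_arn, BUCKET_ACTIONS)):
        for action in sorted(needed):
            if not any(fnmatchcase(action, g) for g in granted[arn]):
                findings.append(f"missing {action} on {arn}")
        for action in sorted(a for a in granted[arn] if "*" not in a):
            if action not in needed:
                findings.append(f"extra {action} on {arn} (not in the minimum set)")
    return findings
```

Running check_policy on the example policy above with bucket YOUR_BUCKET returns no findings, while BROAD_POLICY produces one finding for the wildcard action and one for the wildcard resource.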


1. In the Enterprise Server 3.5.2 release, the ListAllMyBuckets permission is no longer required for Aspera to upload to object storage.  NOTE: ATS runs a version newer than 3.5.2.

2. To remove the requirement for "GetBucketLocation", starting with the 3.5.2 release, do the following (NOTE: ATS requires this option):

(a) Edit /opt/aspera/etc/trap/s3.properties and disable the bucket check by setting the following option:

aspera.session.check-bucket.transfer=false

(b) Restart asperatrapd with the following command:

# /etc/init.d/asperatrapd restart
