Open solracsf opened 2 years ago
Thanks. What about listing blocks on startup... does that need a special right as well?
Well, this was more a "question" than a definitive policy :) Based on your statement that:
> Only three HTTP operations are used: GET, PUT, and DELETE.
If LIST is also needed, maybe:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::bucketName"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::bucketName/*"
        }
    ]
}
```
By the way...
> Only three HTTP operations are used: GET, PUT, and DELETE.
That statement is no longer accurate. We also use HEAD and POST.
Having said that I think your suggested policy should give sufficient rights. But I'm not an expert on Amazon JSON microcode so can't say for sure.
I will do some tests and provide feedback later next week.
OK thanks. By the way...
GET, PUT, and DELETE are used for regular block reads and writes.
HEAD is used at startup to read the meta-data associated with block zero (block size, mount token, etc.).
GET is also used for --listBlocks.
POST is used to implement the --erase operation.
So your tests should include all of the above.
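A quick way to check whether the proposed policy actually covers every HTTP operation listed above, before running live tests, is to evaluate it offline against the IAM action each operation needs. The following is an added example, not code from s3backer or from anyone in this thread. It embeds the policy proposed above and maps the listed operations to IAM actions using AWS' documented permission model (a HEAD on an object is authorized by `s3:GetObject`, a multi-object delete via POST by `s3:DeleteObject`, a bucket listing by `s3:ListBucket` on the bucket ARN); that `--erase` uses the multi-object delete POST is an assumption made here, and the object key names are constructed. It also evaluates two deliberately broken policies to show the two mistakes a practitioner most often makes: granting `s3:ListBucket` on the object ARN pattern instead of the bucket ARN, and an explicit Deny that overrides a broad Allow.

```python
"""Check an S3 IAM policy against the operations s3backer performs.

Added example, not part of s3backer or the original thread. The
HTTP-operation to IAM-action mapping follows AWS' documented permission
model; that --erase uses a multi-object delete POST is an assumption made
here, and the object key names below are constructed.
"""
import fnmatch
import json

BUCKET_ARN = "arn:aws:s3:::bucketName"
OBJECT_ARN = BUCKET_ARN + "/0000000000000001"   # constructed key for one block

# The policy proposed in the thread.
PROPOSED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::bucketName"},
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::bucketName/*"}
  ]
}
""")

# Common mistake: ListBucket is a bucket-level action, but here it is granted
# on the object ARN pattern, so the listing request is denied.
WRONG_RESOURCE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::bucketName/*"}
  ]
}
""")

# Broad Allow with an explicit Deny on deletes: the Deny always wins, so the
# operations that delete blocks are refused even though "s3:*" is allowed.
READ_WRITE_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::bucketName/*"},
    ],
}

# HTTP operation named in the thread -> (IAM action, resource it is checked on).
REQUIRED_RIGHTS = {
    "GET block": ("s3:GetObject", OBJECT_ARN),
    "PUT block": ("s3:PutObject", OBJECT_ARN),
    "DELETE block": ("s3:DeleteObject", OBJECT_ARN),
    "HEAD block zero at startup": ("s3:GetObject", BUCKET_ARN + "/0000000000000000"),
    "GET listing for --listBlocks": ("s3:ListBucket", BUCKET_ARN),
    "POST multi-object delete for --erase": ("s3:DeleteObject", OBJECT_ARN),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: a matching explicit Deny wins; otherwise the
    request is allowed only if some Allow statement matches. Action matching
    is case-insensitive, and '*' / '?' wildcards are honoured in both Action
    and Resource. Conditions, NotAction and NotResource are not handled (the
    policies above do not use them)."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), pat) for pat in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, pat) for pat in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_rights(policy, required=REQUIRED_RIGHTS):
    """Return the operations from `required` that `policy` does not permit."""
    return [op for op, (action, resource) in required.items()
            if not is_allowed(policy, action, resource)]


if __name__ == "__main__":
    for name, policy in [("proposed", PROPOSED_POLICY),
                         ("wrong resource", WRONG_RESOURCE_POLICY),
                         ("deny deletes", READ_WRITE_ONLY_POLICY)]:
        missing = missing_rights(policy)
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

This only reproduces the core Allow/Deny and wildcard rules of IAM; bucket policies, SCPs, permission boundaries and `Condition` blocks are out of scope, so a clean result here is a necessary check, not a substitute for the live tests against all of the operations listed above.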
The Minimal Policy would recommend the minimal rights needed for the application to run. Ex.:
or a JSON: