Specifying permissions in a policy

In a policy, the Action element is used to allow or deny permissions on a resource. The permissions that you can specify in a policy are denoted by the "Action" element or, to exclude permissions, by the "NotAction" element. Each permission maps to one or more specific S3 REST API operations.

The following tables list the permissions that apply to buckets and the permissions that apply to objects. The last column marks permissions (or operations) that are custom to StorageGRID Webscale rather than part of the standard S3 API.

Permissions that apply to buckets

| Permissions | S3 REST API operations | Custom for StorageGRID Webscale |
|---|---|---|
| s3:CreateBucket | PUT Bucket | |
| s3:DeleteBucket | DELETE Bucket | |
| s3:DeleteBucketMetadataNotification | DELETE Bucket metadata notification configuration | Yes |
| s3:DeleteBucketPolicy | DELETE Bucket policy | |
| s3:GetBucketAcl | GET Bucket ACL | |
| s3:GetBucketCompliance | GET Bucket compliance | Yes |
| s3:GetBucketConsistency | GET Bucket consistency | Yes |
| s3:GetBucketCORS | GET Bucket cors | |
| s3:GetBucketLastAccessTime | GET Bucket last access time | Yes |
| s3:GetBucketLocation | GET Bucket location | |
| s3:GetBucketMetadataNotification | GET Bucket metadata notification configuration | Yes |
| s3:GetBucketNotification | GET Bucket notification | |
| s3:GetBucketPolicy | GET Bucket policy | |
| s3:GetBucketReplication | GET Bucket replication | |
| s3:GetBucketVersioning | GET Bucket versioning | |
| s3:ListAllMyBuckets | GET Service, GET Storage Usage | Yes for GET Storage Usage |
| s3:ListBucket | GET Bucket (List Objects), HEAD Bucket | |
| s3:ListBucketMultipartUploads | List Multipart Uploads | |
| s3:ListBucketVersions | GET Bucket versions | |
| s3:PutBucketCompliance | PUT Bucket compliance | Yes |
| s3:PutBucketConsistency | PUT Bucket consistency | Yes |
| s3:PutBucketCORS | DELETE Bucket cors, PUT Bucket cors | |
| s3:PutBucketLastAccessTime | PUT Bucket last access time | Yes |
| s3:PutBucketMetadataNotification | PUT Bucket metadata notification configuration | Yes |
| s3:PutBucketNotification | PUT Bucket notification | |
| s3:PutBucketPolicy | PUT Bucket policy | |
| s3:PutBucketReplication | PUT Bucket replication | |
| s3:PutBucketVersioning | PUT Bucket versioning | |

Permissions that apply to objects

| Permissions | S3 REST API operations | Custom for StorageGRID Webscale |
|---|---|---|
| s3:AbortMultipartUpload | Abort Multipart Upload | |
| s3:DeleteObject | DELETE Object, DELETE Multiple Objects | |
| s3:DeleteObjectTagging | DELETE Object Tagging | |
| s3:DeleteObjectVersionTagging | DELETE Object Tagging (a specific version of the object) | |
| s3:DeleteObjectVersion | DELETE Object (a specific version of the object) | |
| s3:GetObject | GET Object, HEAD Object | |
| s3:GetObjectAcl | GET Object ACL | |
| s3:GetObjectTagging | GET Object Tagging | |
| s3:GetObjectVersionTagging | GET Object Tagging (a specific version of the object) | |
| s3:GetObjectVersion | GET Object (a specific version of the object) | |
| s3:ListMultipartUploadParts | List Parts | |
| s3:PutObject | PUT Object, PUT Object - Copy, Initiate Multipart Upload, Complete Multipart Upload, Upload Part, and Upload Part - Copy | |
| s3:PutObjectTagging | PUT Object Tagging | |
| s3:PutObjectVersionTagging | PUT Object Tagging (a specific version of the object) | |
| s3:PutOverwriteObject | PUT Object, PUT Object - Copy, PUT Object tagging, DELETE Object tagging, and Complete Multipart Upload | Yes |
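The following is an added example, not StorageGRID's own code, showing how the Action and NotAction elements decide whether a permission from the tables above is granted, and how one S3 REST API operation (PUT Object, which the tables list under both s3:PutObject and s3:PutOverwriteObject) can touch more than one permission. The sample policy is constructed, and the evaluation rules (explicit Deny overrides Allow, fnmatch-style wildcards, Resource and Condition ignored) are standard S3-style semantics assumed here rather than stated on this page.

```python
import fnmatch

# Subset of the tables above: S3 REST API operation -> permission(s) the table maps it to.
OPERATION_PERMISSIONS = {
    "GET Bucket (List Objects)": ["s3:ListBucket"],
    "GET Object": ["s3:GetObject"],
    "PUT Object": ["s3:PutObject", "s3:PutOverwriteObject"],
    "PUT Bucket policy": ["s3:PutBucketPolicy"],
    "GET Bucket consistency": ["s3:GetBucketConsistency"],
}

# Constructed sample policy (not from the page); Resource and Condition are ignored here.
SAMPLE_POLICY = {"Statement": [
    # Read access to the bucket and its objects
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:ListBucket"], "Resource": "*"},
    # Everything except changes to bucket configuration (NotAction excludes what it names)
    {"Effect": "Allow", "NotAction": ["s3:PutBucket*", "s3:DeleteBucket*"], "Resource": "*"},
    # s3:PutOverwriteObject is explicitly denied; Deny wins over the Allow above
    {"Effect": "Deny", "Action": "s3:PutOverwriteObject", "Resource": "*"},
]}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def statement_covers(stmt, permission):
    """True if the statement's Action (names what is covered) or NotAction (covers
    everything not named) applies to the permission. Wildcards such as s3:Get* are
    matched fnmatch-style, an assumption about the policy syntax."""
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(permission, p) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(fnmatch.fnmatchcase(permission, p) for p in _as_list(stmt["NotAction"]))
    return False

def evaluate(policy, permission):
    """Return 'Allow', 'Deny' or 'ImplicitDeny'. An explicit Deny overrides any Allow
    (standard S3-style evaluation, assumed rather than stated on this page)."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if statement_covers(stmt, permission):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def operation_decisions(policy, operation):
    """Decision for each permission the table maps an S3 REST API operation to."""
    return {p: evaluate(policy, p) for p in OPERATION_PERMISSIONS[operation]}

if __name__ == "__main__":
    print({op: operation_decisions(SAMPLE_POLICY, op) for op in OPERATION_PERMISSIONS})
```

Running it shows PUT Object split across an allowed s3:PutObject and a denied s3:PutOverwriteObject, while the NotAction statement leaves s3:PutBucketPolicy implicitly denied.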