Using the PutOverwriteObject permission

The s3:PutOverwriteObject permission is a custom StorageGRID Webscale permission that applies to operations that create or update objects. The setting of this permission determines whether the client can overwrite an object's data, user-defined metadata, or S3 object tagging.

Possible settings for this permission include:
  • Allow: The client can overwrite an object. This is the default setting.
  • Deny: The client cannot overwrite an object. When set to Deny, the PutOverwriteObject permission works as follows:
    • If an existing object is found at the same path:
      • The object's data, user-defined metadata, or S3 object tagging cannot be overwritten.
      • Any ingest operations in progress are cancelled, and an error is returned.
      • If S3 versioning is enabled, the Deny setting prevents PUT Object tagging or DELETE Object tagging operations from modifying the TagSet for an object and its noncurrent versions.
    • If an existing object is not found, this permission has no effect.
  • When this permission is not present, the effect is the same as if Allow were set.
Attention: If the current S3 policy allows overwrite, and the PutOverwriteObject permission is set to Deny, the client cannot overwrite an object's data, user-defined metadata, or object tagging. In addition, if the Prevent Client Modify grid option is set to Enabled, that setting overrides the setting of the PutOverwriteObject permission.
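
The following audit check is an added example, not part of the original documentation or the product: it reads a bucket policy and reports how the rules above resolve for a PUT to a given key. The sample policy is constructed; the bucket name `examplebucket`, the `urn:sgws:s3:::` resource form, the function names, and the `*`/`?` wildcard matching of actions are assumptions, and the check ignores Principal, Resource and Condition scoping.

```python
import json
from fnmatch import fnmatchcase

ACTION = "s3:PutOverwriteObject"

# Constructed sample policy: uploads are allowed, overwrites are denied.
SAMPLE_POLICY = json.loads("""
{
  "Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "urn:sgws:s3:::examplebucket/*"},
    {"Effect": "Deny", "Principal": "*",
     "Action": "s3:PutOverwriteObject",
     "Resource": "urn:sgws:s3:::examplebucket/*"}
  ]
}
""")


def _actions(stmt):
    """Normalise the Action element to a list of patterns."""
    action = stmt.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def overwrite_setting(policy):
    """Return 'Deny' if a Deny statement covers the permission, else 'Allow'.

    An explicit Allow and an absent permission have the same effect.
    Wildcard matching of action names is an assumption of this example.
    """
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Deny" and any(
                fnmatchcase(ACTION, pattern) for pattern in _actions(stmt)):
            return "Deny"
    return "Allow"


def put_outcome(policy, object_exists, prevent_client_modify=False):
    """Classify a PUT to a key according to the rules described above."""
    if not object_exists:
        return "not-applicable"   # permission has no effect on new keys
    if prevent_client_modify:
        return "grid-option"      # Prevent Client Modify overrides the policy
    if overwrite_setting(policy) == "Deny":
        return "overwrite-denied"
    return "overwrite-allowed"
```
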