Permission requirements for an S3 bucket in a different AWS account

Contributors netapp-bcammett

When AWS S3 is the source or target in a sync relationship, you can manually specify a bucket that resides in an AWS account that isn’t associated with the data broker. Specific permissions must be applied to that S3 bucket so the data broker can access it.

Add a bucket policy with the following permissions. The first statement grants the data broker the object-level actions it needs to copy data to and from the bucket; the second grants the bucket-level actions it needs to list the bucket and read its location and tags. Each statement uses a distinct Sid, as statement IDs must be unique within a policy.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DataBrokerObjectAccess",
            "Effect": "Allow",
            "Principal": { "AWS": "<RoleARN>" },
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:PutObjectTagging",
                "s3:GetObjectTagging",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::<BucketName>/*"
        },
        {
            "Sid": "DataBrokerBucketAccess",
            "Effect": "Allow",
            "Principal": { "AWS": "<RoleARN>" },
            "Action": [
                "s3:ListBucketMultipartUploads",
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:GetBucketTagging"
            ],
            "Resource": "arn:aws:s3:::<BucketName>"
        }
    ]
}
```

Notes:

  1. <BucketName> is the name of the bucket that resides in the AWS account that isn’t associated with the data broker. Note that the object-level statement uses the bucket ARN with a trailing /*, while the bucket-level statement uses the bare bucket ARN; the two must not be swapped.

  2. <RoleARN> should be replaced with one of the following:

    • If the data broker was manually installed on a Linux host, RoleARN should be the ARN of the AWS user whose credentials you provided when deploying the data broker.

    • If the data broker was deployed in AWS using the CloudFormation template, RoleARN should be the ARN of the IAM role created by the template.

      You can find the Role ARN by going to the EC2 console, selecting the data broker instance, and clicking the IAM role on the Description tab. The Summary page in the IAM console then opens and shows the Role ARN.

      A screenshot of the AWS IAM console showing a Role ARN.
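The policy above is easy to get subtly wrong: object actions granted on the bare bucket ARN silently fail, and a Principal of "*" opens the bucket to every AWS account. The following is an added example (not part of the NetApp documentation) that fills in the two placeholders and checks a policy for exactly those mistakes before it is applied; the bucket name, account ID and role name are constructed sample values.

```python
import re

# Actions the data broker needs on objects (Resource must be the bucket ARN + "/*")
OBJECT_ACTIONS = [
    "s3:PutObject", "s3:GetObject", "s3:DeleteObject",
    "s3:PutObjectTagging", "s3:GetObjectTagging",
    "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload", "s3:PutObjectAcl",
]
# Actions the data broker needs on the bucket itself (Resource must be the bare bucket ARN)
BUCKET_ACTIONS = [
    "s3:ListBucketMultipartUploads", "s3:ListBucket",
    "s3:GetBucketLocation", "s3:GetBucketTagging",
]
# A single IAM role or user ARN; anything else (including "*") is rejected
PRINCIPAL_ARN = re.compile(r"^arn:aws:iam::\d{12}:(role|user)/[\w+=,.@/-]+$")


def build_bucket_policy(bucket_name: str, role_arn: str) -> dict:
    """Return the two-statement bucket policy from the page with <BucketName>/<RoleARN> filled in."""
    def statement(sid, actions, resource):
        return {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": role_arn},
                "Action": actions, "Resource": resource}
    return {"Version": "2012-10-17", "Statement": [
        statement("DataBrokerObjectAccess", OBJECT_ACTIONS, f"arn:aws:s3:::{bucket_name}/*"),
        statement("DataBrokerBucketAccess", BUCKET_ACTIONS, f"arn:aws:s3:::{bucket_name}"),
    ]}


def check_bucket_policy(policy: dict) -> list:
    """Return a list of findings; an empty list means the policy matches what the page prescribes."""
    findings = []
    statements = policy.get("Statement", [])
    sids = [s.get("Sid") for s in statements]
    if len(sids) != len(set(sids)):
        findings.append("duplicate Sid values")
    for s in statements:
        principal = s.get("Principal")
        principal = principal.get("AWS") if isinstance(principal, dict) else principal
        if not (isinstance(principal, str) and PRINCIPAL_ARN.match(principal)):
            findings.append(f"{s.get('Sid')}: principal must be one IAM role/user ARN, got {principal!r}")
        object_level = str(s.get("Resource", "")).endswith("/*")
        for action in s.get("Action", []):
            if action in OBJECT_ACTIONS and not object_level:
                findings.append(f"{s.get('Sid')}: {action} needs the object resource (bucket ARN + '/*')")
            if action in BUCKET_ACTIONS and object_level:
                findings.append(f"{s.get('Sid')}: {action} needs the bare bucket ARN")
    return findings
```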