Create an S3 policy configuration
POST /protocols/s3/services/{svm.uuid}/policies
Introduced In: 9.8
Creates the S3 policy configuration.
Important notes
- Each SVM can have one or more s3 policy configurations.
Required properties
- svm.uuid - Existing SVM in which to create the s3 policy configuration.
- name - Policy name that is to be created.
Recommended optional properties
- comment - Short description about the S3 policy.
- statements.effect - Indicates whether to allow or deny access.
- statements.actions - List of actions that can be allowed or denied access. Example: GetObject, PutObject, DeleteObject, ListBucket, ListMyBuckets, ListBucketMultipartUploads, ListMultipartUploadParts, GetObjectTagging, PutObjectTagging, DeleteObjectTagging.
- statements.resources - Buckets or objects that can be allowed or denied access.
- statements.sid - Statement identifier providing additional information about the statement.
Related ONTAP commands
- vserver object-store-server policy create
- vserver object-store-server policy add-statement
Parameters
Name | Type | In | Required | Description |
---|---|---|---|---|
return_records | boolean | query | False | The default is false. If set to true, the records are returned. |
svm.uuid | string | path | True | UUID of the SVM to which this object belongs. |
Request Body
Name | Type | Description |
---|---|---|
comment | string | Can contain any additional information about the S3 policy. |
name | string | Specifies the name of the policy. A policy name length can range from 1 to 128 characters and can only contain the following combination of characters 0-9, A-Z, a-z, "_", "+", "=", ",", ".", "@", and "-". |
read-only | boolean | Specifies whether or not the s3 policy is read only. This parameter should not be specified in the POST method. |
statements | array[s3_policy_statement] | Specifies the policy statements. |
svm | | |
Example request
{
"comment": "S3 policy.",
"name": "Policy1",
"statements": [
{
"actions": [
"*"
],
"effect": "allow",
"index": 0,
"resources": [
"bucket1",
"bucket1/*"
],
"sid": "FullAccessToBucket1"
}
],
"svm": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"name": "svm1",
"uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
}
}
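The request above, assembled and pre-checked in code. This is an added example, not part of the ONTAP documentation or NetApp's own client: it enforces the policy name rules the page states (1 to 128 characters, restricted character set), strips the server-generated `index` field that must not be sent in a POST, and flags `allow` statements whose action list is `*` so they can be reviewed before the policy is applied. The `/api` prefix, `base_url` and `auth_header` are assumptions.

```python
import json
import re
from urllib.request import Request, urlopen

# Name rule from the API reference: 1-128 characters drawn from
# 0-9, A-Z, a-z, "_", "+", "=", ",", ".", "@" and "-" (error codes 92405948/92405949).
POLICY_NAME_RE = re.compile(r"[0-9A-Za-z_+=,.@-]{1,128}")
VALID_EFFECTS = {"allow", "deny"}


def validate_policy_name(name):
    """True when the name would pass the server-side length and character checks."""
    return POLICY_NAME_RE.fullmatch(name) is not None


def build_policy(name, statements, comment=""):
    """Assemble the POST body, rejecting bad names and effects before any round trip."""
    if not validate_policy_name(name):
        raise ValueError("policy name violates the length or character rules")
    cleaned = []
    for st in statements:
        if st["effect"] not in VALID_EFFECTS:
            raise ValueError("effect must be 'allow' or 'deny'")
        st = dict(st)
        st.pop("index", None)  # generated by the server; must not be sent in a POST
        cleaned.append(st)
    body = {"name": name, "statements": cleaned}
    if comment:
        body["comment"] = comment
    return body


def wildcard_allow_statements(policy):
    """Sids of allow statements that grant every action ("*"); review these first."""
    return [st.get("sid", "<no sid>") for st in policy["statements"]
            if st["effect"] == "allow" and "*" in st["actions"]]


def post_policy(base_url, svm_uuid, policy, auth_header):
    """Send the POST (assumed /api prefix); a 201 Created carries the new record."""
    url = f"{base_url}/api/protocols/s3/services/{svm_uuid}/policies?return_records=true"
    req = Request(url, data=json.dumps(policy).encode(), method="POST",
                  headers={"Content-Type": "application/json", "Authorization": auth_header})
    with urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    demo = build_policy("Policy1", [{"sid": "FullAccessToBucket1", "effect": "allow",
                                     "actions": ["*"], "resources": ["bucket1", "bucket1/*"],
                                     "index": 0}], comment="S3 policy.")
    print(json.dumps(demo, indent=2))
    print("wildcard allow statements to review:", wildcard_allow_statements(demo))
```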
Response
Status: 201, Created
Name | Type | Description |
---|---|---|
_links | | |
num_records | integer | Number of records |
records | array[s3_policy] | |
Example response
{
"_links": {
"next": {
"href": "/api/resourcelink"
},
"self": {
"href": "/api/resourcelink"
}
},
"records": [
{
"comment": "S3 policy.",
"name": "Policy1",
"statements": [
{
"actions": [
"*"
],
"effect": "allow",
"index": 0,
"resources": [
"bucket1",
"bucket1/*"
],
"sid": "FullAccessToBucket1"
}
],
"svm": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"name": "svm1",
"uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
}
}
]
}
Error
Status: Default
ONTAP Error Response Codes
Error Code | Description |
---|---|
92405906 | The specified action name is invalid. |
92405947 | Creating an object store server policy or statement requires an effective cluster version of 9.8 or later. |
92405948 | Policy name is not valid. Policy names must have between 1 and 128 characters. |
92405949 | Policy name contains invalid characters. Valid characters: 0-9, A-Z, a-z, "_", "+", "=", ",", ".", "@", and "-". |
92405950 | Policy name already exists for SVM. |
92405954 | Policy name is reserved for read-only policies. Cannot be used for custom policy creation. |
92405963 | Failed to create policy statements for policy. Reason: "{reason of failure}". Resolve all issues and retry the operation. |
Name | Type | Description |
---|---|---|
error | | |
Example error
{
"error": {
"arguments": [
{
"code": "string",
"message": "string"
}
],
"code": "4",
"message": "entry doesn't exist",
"target": "uuid"
}
}
Definitions
s3_policy_statement
Specifies information about a single access policy statement.
Name | Type | Description |
---|---|---|
actions | array[string] | For each resource, S3 supports a set of operations. The resource operations allowed or denied are identified by an action list: |
effect | string | Specifies whether access is allowed or denied. If access (to allow) is not granted explicitly to a resource, access is implicitly denied. Access can also be denied explicitly to a resource, in order to make sure that a user cannot access it, even if a different policy grants access. |
index | integer | Specifies a unique statement index used to identify a particular statement. This parameter should not be specified in the POST method. A statement index is automatically generated and is retrieved using the GET method. |
resources | array[string] | |
sid | string | Specifies the statement identifier which contains additional information about the statement. |
href
Name | Type | Description |
---|---|---|
href | string | |
_links
Name | Type | Description |
---|---|---|
self | | |
svm
Name | Type | Description |
---|---|---|
_links | | |
name | string | The name of the SVM. |
uuid | string | The unique identifier of the SVM. |
s3_policy
An S3 policy is an object. It defines resource (bucket, folder or object) permissions. These policies are evaluated when an object store user makes a request. Permissions in the policies determine whether the request is allowed or denied.
Name | Type | Description |
---|---|---|
comment | string | Can contain any additional information about the S3 policy. |
name | string | Specifies the name of the policy. A policy name length can range from 1 to 128 characters and can only contain the following combination of characters 0-9, A-Z, a-z, "_", "+", "=", ",", ".", "@", and "-". |
read-only | boolean | Specifies whether or not the s3 policy is read only. This parameter should not be specified in the POST method. |
statements | array[s3_policy_statement] | Specifies the policy statements. |
svm | | |
collection_links
Name | Type | Description |
---|---|---|
next | | |
self | | |
error_arguments
Name | Type | Description |
---|---|---|
code | string | Argument code |
message | string | Message argument |
error
Name | Type | Description |
---|---|---|
arguments | array[error_arguments] | Message arguments |
code | string | Error code |
message | string | Error message |
target | string | The target parameter that caused the error. |