Skip to main content

Create an S3 policy configuration

Contributors
PDFs

POST /protocols/s3/services/{svm.uuid}/policies

Introduced In: 9.8

Creates the S3 policy configuration.

Important notes

  • Each SVM can have one or more s3 policy configurations.

Required properties

  • svm.uuid - Existing SVM in which to create the s3 policy configuration.

  • name - Policy name that is to be created.

  • comment - Short description about the S3 policy.

  • statements.effect - Indicates whether to allow or deny access.

  • statements.actions - List of actions that can be allowed or denied access. Example: GetObject, PutObject, DeleteObject, ListBucket, ListMyBuckets, ListBucketMultipartUploads, ListMultipartUploadParts, CreateBucket, DeleteBucket, GetObjectTagging, PutObjectTagging, DeleteObjectTagging, GetBucketVersioning, PutBucketVersioning.

  • statements.resources - Buckets or objects that can be allowed or denied access.

  • statements.sid - Statement identifier providing additional information about the statement.

  • vserver object-store-server policy create

  • vserver object-store-server policy add-statement

Learn more

Parameters

Name Type In Required Description

return_records

boolean

query

False

The default is false. If set to true, the records are returned.

  • Default value:

svm.uuid

string

path

True

UUID of the SVM to which this object belongs.

Request Body

Name Type Description

comment

string

Can contain any additional information about the S3 policy.

name

string

Specifies the name of the policy. A policy name length can range from 1 to 128 characters and can only contain the following combination of characters 0-9, A-Z, a-z, "_", "+", "=", ",", ".","@", and "-". It cannot be specified in a PATCH method.

read-only

boolean

Specifies whether or not the s3 policy is read only. This parameter should not be specified in the POST method.

statements

array[s3_policy_statement]

Specifies the policy statements.

svm

svm

SVM, applies only to SVM-scoped objects.
Example request 
{
  "comment": "S3 policy.",
  "name": "Policy1",
  "statements": {
    "actions": [
      "*"
    ],
    "effect": "allow",
    "index": 0,
    "resources": [
      "bucket1",
      "bucket1/*"
    ],
    "sid": "FullAccessToBucket1"
  },
  "svm": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "name": "svm1",
    "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
  }
}

Response

Status: 201, Created
Name Type Description

_links

collection_links

num_records

integer

Number of records

records

array[s3_policy]
Example response 
{
  "_links": {
    "next": {
      "href": "/api/resourcelink"
    },
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "num_records": 1,
  "records": {
    "comment": "S3 policy.",
    "name": "Policy1",
    "statements": {
      "actions": [
        "*"
      ],
      "effect": "allow",
      "index": 0,
      "resources": [
        "bucket1",
        "bucket1/*"
      ],
      "sid": "FullAccessToBucket1"
    },
    "svm": {
      "_links": {
        "self": {
          "href": "/api/resourcelink"
        }
      },
      "name": "svm1",
      "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
    }
  }
}

Headers

Name Description Type

Location

Useful for tracking the resource location

string

Error

Status: Default

ONTAP Error Response Codes

Error Code Description

92405906

The specified action name is invalid.

92405947

Creating an object store server policy or statement requires an effective cluster version of 9.8 or later.

92405948

Policy name is not valid. Policy names must have between 1 and 128 characters.

92405949

Policy name contains invalid characters. Valid characters: 0-9, A-Z, a-z, "_", "+", "=", ",", ".", "@", and "-".

92405950

Policy name already exists for SVM.

92405954

Policy name is reserved for read-only policies. Cannot be used for custom policy creation.

92405963

Failed to create policy statements for policy. Reason: "{reason of failure}". Resolve all issues and retry the operation.

92405863

Failed to create s3 policy statements. Reason: "{reason of failure}". Valid ways to specify a resource are "__", "", "/.../...".". Resolve all the issues and retry the operation. //end row

|Name |Type |Description

|error |returned_error a|

.Example error [%collapsible%closed] ==== [source,json,subs=+macros] { "error": { "arguments": { "code": "string", "message": "string" }, "code": "4", "message": "entry doesn't exist", "target": "uuid" } } ====

== Definitions

[.api-def-first-level] .See Definitions [%collapsible%closed] ==== [#s3_policy_statement] [.api-collapsible-fifth-title] s3_policy_statement

Specifies information about a single access policy statement.

[cols=3*,options=header]

|Name |Type |Description

|actions |array[string] a|For each resource, S3 supports a set of operations. The resource operations allowed or denied are identified by an action list:

  • GetObject - retrieves objects from a bucket.

  • PutObject - puts objects in a bucket.

  • DeleteObject - deletes objects from a bucket.

  • ListBucket - lists the objects in a bucket.

  • GetBucketAcl - retrieves the access control list (ACL) of a bucket.

  • GetObjectAcl - retrieves the access control list (ACL) of an object.

  • ListAllMyBuckets - lists all of the buckets in a server.

  • ListBucketMultipartUploads - lists the multipart uploads in progress for a bucket.

  • ListMultipartUploadParts - lists the parts in a multipart upload.

  • CreateBucket - creates a new bucket.

  • DeleteBucket - deletes an existing bucket.

  • GetObjectTagging - retrieves the tag set of an object.

  • PutObjecttagging - sets the tag set for an object.

  • DeleteObjectTagging - deletes the tag set of an object.

  • GetBucketLocation - retrieves the location of a bucket.

  • GetBucketVersioning - retrieves the versioning configuration of a bucket.

  • PutBucketVersioning - modifies the versioning configuration of a bucket.

  • ListBucketVersions - lists the object versions in a bucket.

  • PutBucketPolicy - puts bucket policy on the bucket specified.

  • GetBucketPolicy - retrieves the bucket policy of a bucket.

  • DeleteBucketPolicy - deletes the policy created for a bucket. The wildcard character "*" can be used to form a regular expression for specifying actions.

|effect |string a|Specifies whether access is allowed or denied. If access (to allow) is not granted explicitly to a resource, access is implicitly denied. Access can also be denied explicitly to a resource, in order to make sure that a user cannot access it, even if a different policy grants access.

|index |integer a|Specifies a unique statement index used to identify a particular statement. This parameter should not be specified in the POST method. A statement index is automatically generated. It is not retrieved in the GET method.

|resources |array[string] a|

|sid |string a|Specifies the statement identifier which contains additional information about the statement.

[#href] [.api-collapsible-fifth-title] href

[cols=3*,options=header]

|Name |Type |Description

|href |string a|

[#_links] [.api-collapsible-fifth-title] _links

[cols=3*,options=header]

|Name |Type |Description

|self |href a|

[#svm] [.api-collapsible-fifth-title] svm

SVM, applies only to SVM-scoped objects.

[cols=3*,options=header]

|Name |Type |Description

|_links |_links a|

|name |string a|The name of the SVM. This field cannot be specified in a PATCH method.

|uuid |string a|The unique identifier of the SVM. This field cannot be specified in a PATCH method.

[#s3_policy] [.api-collapsible-fifth-title] s3_policy

An S3 policy is an object. It defines resource (bucket, folder or object) permissions. These policies get evaluated when an object store user user makes a request. Permissions in the policies determine whether the request is allowed or denied.

[cols=3*,options=header]

|Name |Type |Description

|comment |string a|Can contain any additional information about the S3 policy.

|name |string a|Specifies the name of the policy. A policy name length can range from 1 to 128 characters and can only contain the following combination of characters 0-9, A-Z, a-z, "_", "+", "=", ",", ".","@", and "-". It cannot be specified in a PATCH method.

|read-only |boolean a|Specifies whether or not the s3 policy is read only. This parameter should not be specified in the POST method.

|statements |array[s3_policy_statement] a|Specifies the policy statements.

|svm |svm a|SVM, applies only to SVM-scoped objects.

[#collection_links] [.api-collapsible-fifth-title] collection_links

[cols=3*,options=header]

|Name |Type |Description

|next |href a|

|self |href a|

[#error_arguments] [.api-collapsible-fifth-title] error_arguments

[cols=3*,options=header]

|Name |Type |Description

|code |string a|Argument code

|message |string a|Message argument

[#returned_error] [.api-collapsible-fifth-title] returned_error

[cols=3*,options=header]

|Name |Type |Description

|arguments |array[error_arguments] a|Message arguments

|code |string a|Error code

|message |string a|Error message

|target |string a|The target parameter that caused the error.

====