
Add access rules to the default ONTAP S3 bucket policy

Contributors netapp-ahibbard netapp-dbagwell netapp-manini netapp-thomi netapp-aherbin

You can add access rules to the default bucket policy. The scope of its access control is the containing bucket, so it is most appropriate when there is a single bucket.

Before you begin

An S3-enabled storage VM containing an S3 server and a bucket must already exist.

You must have already created users or groups before granting permissions.

About this task

You can add new statements for new users and groups, or you can modify the attributes of existing statements. For more options, see the vserver object-store-server bucket policy man pages.

User and group permissions can be granted when the bucket is created or as needed later. You can also modify the bucket capacity and QoS policy group assignment.

Beginning with ONTAP 9.9.1, if you plan to support AWS client object tagging functionality with the ONTAP S3 server, the actions GetObjectTagging, PutObjectTagging, and DeleteObjectTagging need to be allowed using the bucket or group policies.

The procedure you follow depends on the interface that you use, System Manager or the CLI:

System Manager
Steps
  1. Edit the bucket: click Storage > Buckets, click the desired bucket, and then click Edit. When adding or modifying permissions, you can specify the following parameters:

    • Principal: the user or group to whom access is granted.

    • Effect: allows or denies access to a user or group.

    • Actions: permissible actions in the bucket for a given user or group.

    • Resources: paths and names of objects within the bucket for which access is granted or denied.

      The defaults bucketname (the bucket itself) and bucketname/* (every object in it) together grant access to the whole bucket. You can also narrow access to individual objects or patterns; for example, bucketname/*_readme.txt.

    • Conditions (optional): expressions that are evaluated when access is attempted. For example, you can specify a list of IP addresses for which access will be allowed or denied.

Note Beginning with ONTAP 9.14.1, you can specify variables for the bucket policy in the Resources field. These variables are placeholders that are replaced with contextual values when the policy is evaluated. For example, if ${aws:username} is specified as a variable in a policy, it is replaced with the request context username, and the policy action can be performed as configured for that user.

CLI
Steps
  1. Add a statement to a bucket policy:

    vserver object-store-server bucket policy add-statement -vserver svm_name -bucket bucket_name -effect {allow|deny} -action object_store_actions -principal user_and_group_names -resource object_store_resources [-sid text] [-index integer]

    The following parameters define access permissions:

    -effect

    The statement may allow or deny access

    -action

    You can specify * to mean all actions, or a list of one or more of the following: GetObject, PutObject, DeleteObject, ListBucket, GetBucketAcl, GetObjectAcl, ListBucketMultipartUploads, and ListMultipartUploadParts. On ONTAP 9.9.1 and later, the object tagging actions noted above (GetObjectTagging, PutObjectTagging, DeleteObjectTagging) can also be listed.

    -principal

    A list of one or more S3 users or groups.

    • A maximum of 10 users or groups can be specified.

    • If an S3 group is specified, it must be in the form group/group_name.

    • * can be specified to mean public access; that is, access without an access-key and secret-key. Treat any allow statement with principal * as anonymous access: anyone who can reach the S3 endpoint can perform the listed actions on the matching resources, so pair it with the narrowest possible action and resource lists.

    • If no principal is specified, all S3 users in the storage VM are granted access.

    -resource

    The bucket and any object it contains. The wildcard characters * and ? can be used to form a pattern that matches multiple resources. Beginning with ONTAP 9.14.1, you can also specify policy variables in a resource; these are placeholders that are replaced with contextual values when the policy is evaluated.

    You can optionally specify a text string as comment with the -sid option.

Examples

The following example creates an object store server bucket policy statement for the storage VM svm1.example.com and bucket1 which specifies allowed access to a readme folder for object store server user user1.

cluster1::> vserver object-store-server bucket policy statement create -vserver svm1.example.com -bucket bucket1 -effect allow -action GetObject,PutObject,DeleteObject,ListBucket -principal user1 -resource bucket1/readme/* -sid "fullAccessToReadmeForUser1"

The following example creates an object store server bucket policy statement for the storage VM svm1.example.com and bucket1 which specifies allowed access to all objects for object store server group group1.

cluster1::> vserver object-store-server bucket policy statement create -vserver svm1.example.com -bucket bucket1 -effect allow -action GetObject,PutObject,DeleteObject,ListBucket -principal group/group1 -resource bucket1/* -sid "fullAccessForGroup1"

Beginning with ONTAP 9.14.1, you can specify variables for a bucket policy. The following example creates a bucket policy statement for the storage VM svm1 and bucket1 that uses ${aws:username} as a variable in the policy resource. When the policy is evaluated, the variable is replaced with the username from the request context, so each user is granted access only to a prefix that carries their own name. If user1 performs the operation, user1 is granted access to bucket1 and to bucket1/user1/*. No principal is specified (-principal -), so the statement applies to all S3 users in the storage VM.

cluster1::> vserver object-store-server bucket policy statement create -vserver svm1 -bucket bucket1 -effect allow -action * -principal - -resource bucket1,bucket1/${aws:username}/*
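The following is an added example, not ONTAP's own code or part of the original page: a small offline evaluator that models the statement fields described above (-effect, -action, -principal, -resource, -sid) so that you can check what a policy grants, including the per-user prefix from the ${aws:username} example and the anonymous access that principal * opens, before applying it with the CLI. It makes three assumptions the page does not state: an explicit deny overrides any allow (the S3 convention), a request sent without an access key and secret key matches only principal *, and * in an action list matches every action. The policy embedded in it is constructed to mirror the three CLI examples above plus one deny statement.

```python
"""Offline evaluator for ONTAP-style S3 bucket policy statements.

Added example, not ONTAP's implementation. Assumptions not stated on the
page: explicit deny wins over allow (S3 convention); an anonymous request
(no access-key/secret-key) matches only principal '*'; '*' as an action
matches every action.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class Statement:
    effect: str             # "allow" or "deny"
    actions: list           # e.g. ["GetObject", "PutObject"] or ["*"]
    principals: list        # users, "group/<name>", "*" (public); [] = all SVM users
    resources: list         # "bucket1", "bucket1/*", "bucket1/${aws:username}/*"
    sid: str = ""           # optional comment, as with -sid


@dataclass
class Request:
    action: str
    resource: str           # "bucket1" or "bucket1/path/to/object"
    user: Optional[str]     # None for an anonymous request
    groups: frozenset = frozenset()


def resource_matches(pattern: str, req: Request) -> bool:
    """Expand ${aws:username} (ONTAP 9.14.1+) then glob-match with * and ?."""
    if "${aws:username}" in pattern:
        if req.user is None:          # no username in an anonymous request context
            return False
        pattern = pattern.replace("${aws:username}", req.user)
    return fnmatchcase(req.resource, pattern)


def principal_matches(principals: list, req: Request) -> bool:
    if not principals:                # no principal given: every S3 user in the SVM
        return req.user is not None
    for p in principals:
        if p == "*":                  # public access, anonymous requests included
            return True
        if req.user is None:
            continue
        if p.startswith("group/"):
            if p[len("group/"):] in req.groups:
                return True
        elif p == req.user:
            return True
    return False


def action_matches(actions: list, req: Request) -> bool:
    return "*" in actions or req.action in actions


def evaluate(policy: list, req: Request) -> bool:
    """True if the request is allowed by the bucket policy."""
    allowed = False
    for st in policy:
        if not (action_matches(st.actions, req)
                and principal_matches(st.principals, req)
                and any(resource_matches(r, req) for r in st.resources)):
            continue
        if st.effect == "deny":
            return False              # assumption: explicit deny overrides allow
        allowed = True
    return allowed


def public_statements(policy: list) -> list:
    """SIDs of allow statements reachable without credentials (principal '*')."""
    return [st.sid for st in policy if st.effect == "allow" and "*" in st.principals]


# Constructed policy mirroring the page's CLI examples, plus one deny statement.
POLICY = [
    Statement("allow", ["GetObject", "PutObject", "DeleteObject", "ListBucket"],
              ["user1"], ["bucket1/readme/*"], "fullAccessToReadmeForUser1"),
    Statement("allow", ["GetObject", "PutObject", "DeleteObject", "ListBucket"],
              ["group/group1"], ["bucket1/*"], "fullAccessForGroup1"),
    Statement("allow", ["*"], [], ["bucket1", "bucket1/${aws:username}/*"],
              "perUserPrefix"),
    Statement("deny", ["DeleteObject"], ["*"], ["bucket1/readme/*"],
              "noDeleteInReadme"),
]

if __name__ == "__main__":
    checks = [
        Request("GetObject", "bucket1/readme/a.txt", "user1"),
        Request("DeleteObject", "bucket1/readme/a.txt", "user1"),
        Request("GetObject", "bucket1/user3/doc", "user3"),
        Request("GetObject", "bucket1/user1/doc", "user3"),
        Request("ListBucket", "bucket1", None),
    ]
    for r in checks:
        print(f"{r.user or '<anonymous>'} {r.action} {r.resource}: {evaluate(POLICY, r)}")
    print("public allow statements:", public_statements(POLICY))
```

Run it as a script to see each request decided; `public_statements` is the check worth running on any policy before it goes live, since a single `-principal *` allow statement turns the matching resources into anonymous-readable (or writable) data.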