Manage user access to S3-enabled storage VMs

Contributors netapp-forry netapp-ahibbard netapp-aherbin netapp-rlithman

Edit the storage VM to add a policy that controls user and group access permissions to multiple buckets.

You can add a group policy to manage access to one or more buckets in an S3-enabled storage VM, rather than managing access permissions for individual buckets. Doing so simplifies management when buckets are added or when access needs change.

You must have already created users and at least one group before granting permissions in a policy.

In ONTAP 9.9.1 and later releases, if you plan to support AWS client object tagging functionality with the ONTAP S3 server, the actions GetObjectTagging, PutObjectTagging, and DeleteObjectTagging need to be allowed using the bucket or group policies.

  1. Edit the storage VM: click Storage > storage VMs, click the storage VM, click Settings and then click pencil icon under S3.

  2. Add a user: click Policies, then click Add.

    1. Enter a policy name and select from a list of groups.

    2. Select an existing default policy or add a new one.

      When adding or modifying a group policy, you can specify the following parameters:

      • Group: the groups to whom access is granted.

      • Effect: allows or denies access to one or more groups.

      • Actions: permissible actions in one or more buckets for a given group.

      • Resources: paths and names of objects within one or more buckets for which access is granted or denied.
        For example:

        • * grants access to all buckets in the storage VM.

        • bucketname and bucketname/* grant access to all objects in a specific bucket.

        • bucketname/readme.txt grants access to an object in a specific bucket.

    3. If desired, add statements to existing policies.