Ask The Experts

Need StorageGRID access policy based on IP address

schmitz_peter
views-count 942 Views

Hi all,

 

I would like to block access to some buckets from the world, except for the local networks.


How do I do that? I found the policies in the documentation, especially the "IP range" example, but when I push the policy to the bucket (aws s3api put-bucket-policy...) the "Condition" keyword is not recognized.

 

The note in the docu says, that this keyword is only supported in the Tenant Management interface.

 

But how is it used, then?

 

Thanks and kind regards

 

Peter

3 REPLIES 3

Re: Need StorageGRID access policy based on IP address

AlexDawson
views-count 943 Views

Hi there!

 

Are you trying to push the policy using a tenant account? or the administrator account?

 

In the devolved permission model common in the cloud, the tenant's permissions are not a subset of the administrator - they are often a superset - so some actions must be done by the tenant only.

Re: Need StorageGRID access policy based on IP address

schmitz_peter
views-count 943 Views

Hi Alex,

 

I tried to push via "aws s3api put-bucket-policy --bucket..." as tenant (like described in https://docs.netapp.com/sgws-112/topic/com.netapp.doc.sg-s3/GUID-D15FCD21-1869-4546-9234-56227206AB99.html)

 

The JSON file uses the resource "urn:sgws:s3:::<BUCKET>" and tries to enforce a condition "NotIpAddress", which, as per documentation "is only supported in the Tenant Management Interface".

 

All I want is to prohibit access to buckets from the internet, but it doesn't work as I imagine...

 

Thanks for your reply.

 

Peter

Re: Need StorageGRID access policy based on IP address

schmitz_peter
views-count 943 Views

I would like to recall my question 😄

 

Of course, StorageGRID will never see IP addresses of connecting clients, but only the address of the load balancer.

 

So, I will have to find another solution, I guess...

 

Best regards

 

Peter

G2 Review Banner
All Community Forums
Public