Ask The Experts

Need StorageGRID access policy based on IP address

schmitz_peter

Hi all,

I would like to block access to some buckets from the world, except for the local networks.


How do I do that? I found the policies in the documentation, especially the "IP range" example, but when I push the policy to the bucket (aws s3api put-bucket-policy ...) the "Condition" keyword is not recognized.

The note in the documentation says that this keyword is only supported in the Tenant Management interface.

But how is it used, then?

Thanks and kind regards

Peter


AlexDawson

Hi there!

Are you trying to push the policy using a tenant account, or the administrator account?

In the devolved permission model common in the cloud, the tenant's permissions are not a subset of the administrator's - they are often a superset - so some actions must be done by the tenant only.

schmitz_peter

Hi Alex,

I tried to push via "aws s3api put-bucket-policy --bucket ..." as tenant (as described in https://docs.netapp.com/sgws-112/topic/com.netapp.doc.sg-s3/GUID-D15FCD21-1869-4546-9234-56227206AB99.html).

The JSON file uses the resource "urn:sgws:s3:::<BUCKET>" and tries to enforce a condition "NotIpAddress", which, as per the documentation, "is only supported in the Tenant Management Interface".

All I want is to prohibit access to the buckets from the internet, but it doesn't work as I imagined...

Thanks for your reply.

Peter

schmitz_peter

I would like to recall my question 😄

Of course, StorageGRID will never see the IP addresses of the connecting clients, but only the address of the load balancer.

So, I will have to find another solution, I guess...

Best regards

Peter

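As an added example that is not part of this thread and is not NetApp's code or documentation: below is the kind of bucket policy the first post is after, a Deny statement with a NotIpAddress condition on the local networks, together with a small evaluator that shows the load-balancer problem raised in the last post. The `urn:sgws:s3:::` resource prefix and the NotIpAddress operator come from the thread; the `aws:SourceIp` condition key, the bucket name `mybucket`, and every address and network below are assumptions made for this example.

```python
"""Added example, not from the thread or from NetApp: a StorageGRID-style
bucket policy that denies requests from outside the local networks, plus a
small evaluator that shows what happens behind a load balancer."""
import ipaddress
import json

# Constructed sample data. The "urn:sgws:s3:::" resource prefix and the
# NotIpAddress operator are from the thread; the "aws:SourceIp" condition
# key, the bucket name and all addresses/networks are assumptions.
BUCKET = "mybucket"
LOCAL_NETWORKS = ["10.0.0.0/8", "192.168.0.0/16"]

BUCKET_POLICY = {
    "Statement": [
        {
            "Sid": "AllowAnyClient",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"urn:sgws:s3:::{BUCKET}", f"urn:sgws:s3:::{BUCKET}/*"],
        },
        {
            # Explicit Deny for every source address NOT inside the local ranges.
            "Sid": "DenyNonLocalSources",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"urn:sgws:s3:::{BUCKET}", f"urn:sgws:s3:::{BUCKET}/*"],
            "Condition": {"NotIpAddress": {"aws:SourceIp": LOCAL_NETWORKS}},
        },
    ]
}


def policy_json() -> str:
    """The policy as you would write it to policy.json for put-bucket-policy."""
    return json.dumps(BUCKET_POLICY, indent=2)


def _in_ranges(ip: str, ranges) -> bool:
    """True if ip falls inside any of the CIDR ranges (IPv4 or IPv6)."""
    if isinstance(ranges, str):
        ranges = [ranges]
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def _condition_holds(condition: dict, source_ip: str) -> bool:
    """Evaluate IpAddress / NotIpAddress on aws:SourceIp. Any other operator
    or key is treated as unsupported: the statement is skipped rather than
    silently matching everything (fail closed for Allow, no surprise Deny)."""
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress") or "aws:SourceIp" not in keys:
            return False
        inside = _in_ranges(source_ip, keys["aws:SourceIp"])
        if operator == "IpAddress" and not inside:
            return False
        if operator == "NotIpAddress" and inside:
            return False
    return True


def evaluate(policy: dict, source_ip: str) -> str:
    """IAM-style decision: an explicit Deny wins, then an Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def evaluate_via_load_balancer(policy: dict, client_ip: str, lb_ip: str) -> dict:
    """The failure mode from the last post: when the load balancer terminates the
    client connection and does not pass the client address through, the grid
    evaluates the policy against the load balancer's own address, not the client's."""
    return {"client": client_ip, "evaluated_as": lb_ip, "decision": evaluate(policy, lb_ip)}


if __name__ == "__main__":
    print(policy_json())
    print("LAN client 10.1.2.3          ->", evaluate(BUCKET_POLICY, "10.1.2.3"))
    print("Internet client 203.0.113.7  ->", evaluate(BUCKET_POLICY, "203.0.113.7"))
    print("Same client via LB 192.168.50.10 ->",
          evaluate_via_load_balancer(BUCKET_POLICY, "203.0.113.7", "192.168.50.10"))
```

Run directly, the script prints the policy and three decisions: a LAN client is allowed, a direct internet client is denied, and the same internet client arriving through a load balancer on 192.168.50.10 is allowed, because the only address the policy ever sees is the load balancer's. That is exactly why an IP-based bucket policy alone cannot fence off a bucket that is reached through an address-rewriting load balancer; the check has to happen where the real client address is still known. Whether a `Condition` block is accepted by `aws s3api put-bucket-policy` on a given StorageGRID release is the open question of the thread and is not settled by this example.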