Object Storage

restrict access to S3 bucket base on aws_access_key_id=ACCESS_KEY

manistorage
5,382 Views

I have four S3 buckets bucket1, bucket2, bucket3, bucket4. I would like to create a new Access/secret key that only has access to ONE of these four buckets. at least deny list all bucket. 

 Since it’s the client that is going to write data to S3 Bucket. I don’t want to go the IAM way. I am keen to explore the access based on access-key?

I want to use bucket policy to grant access to bucket based on access-key and deny access for the remaining buckets in the tenant.

Am also open to any other means to achieve the desired results.

5 REPLIES 5

elementx
5,295 Views

Create 4 tenant users and security policies for each bucket that allow only one user to r/w and deny certain actions for the rest.

https://docs.netapp.com/sgws-110/topic/com.netapp.doc.sg-s3/GUID-53596498-9334-44DB-A4CE-DFEC28CF21FF.html?cp=5_0_5_1

Create a key for each tenant user

https://docs.netapp.com/sgws-110/index.jsp?topic=%2Fcom.netapp.doc.sg-tenant-admin%2FGUID-87FC9E42-0113-429B-BB77-F078E12AEDC4.html

manistorage
5,281 Views

Hi,

we mount the s3 bucket to a UNIX server for application access. the s3 buckets are mounted using tenant credentials, not using IAM credentials.

I am trying to restrict list bucket access to specific  ws_access_key_id=ACCESS_KEY

 

Regards,

Mani

elementx
5,279 Views

How do you mount the buckets? With s3fs? Or through SG NAS Bridge?

 

https://github.com/s3fs-fuse/s3fs-fuse#examples shows how s3fs uses S3 keys and not account name.

 

If you don't want the app to use S3 keys, you can still pre-populate the s3fs credentials for the user's $HOME, and each app can use a separate UID/GID ($HOME) or user profile to access S3 bucket.

 

If each user (app) has own .passwd-s3fs, they don't need to be specifically aware of it. For example, /home/user1/.s3pass, /home/user2/.s3pass, etc. You just need to maintain and push these .s3pass config files to the apps' home directories or environment variables/profiles.

 

manistorage
5,272 Views

Indeed, we use s3fs to mount the bucket with a credential file.  now on storage grid how do I restrict  access to a bucket with aws_access_key. I have a tenant  with 4 S3 buckets & its respective keys-

tenant_A

  - S3 buckets. Bucket_1,Bucket_2,Bucket_3,Bucket_4

I generate 4 separate access_key& secret key

 

how do we tie a bucket to a key with out a IAM user?

how to restrict bucket list access on Bucket_2 to access_key_01,access_key03,access_key04.

 

        {
            "Effect": "Deny",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:PutObjectAcl",
                "s3:ListBucket",
                "s3:GetBucketAcl",
                "s3:PutBucketAcl",
                "s3:GetBucketLocation"
    ],
            "Resource": "arn:aws:s3:::Bucket_2/*",
            "Condition": {}
        },

 

Regards,

Mani

elementx
5,263 Views

If you can create "directories" such as

s3/bucket_1/app1

s3/bucket_1/app2

s3/bucket_1/app3

 

Then create a group ("app1") and in it have 4 accounts with 1 key each.  Then you could do ACLs according by account (group1/app1, group1/app2, etc.). If you could containerize the apps, each could mount the bucket and there'd be no overlap.

s3:prefix (bucket_1/app1, for example) would let you do per "directory" ACLs.

But this would necesitate the creation of a group and separate accounts.

 

If you could route the apps through different IP addresses (hard to enforce, but if you could), you could use aws:SourceIp.

This could be "enforced" by having a TLS terminating proxy that would ensure each app is accessing via the correct IP.

aws:NotIpAddress would be use to ban the other 3 apps from performing certain operations on certain s3:prefix or object names/extensions.

 

It seems there's no easy way to do this.  I don't know what other ways are possible and what are the limitations (can't create more accounts, can containerize, etc.) in this environment. Hopefully some other community members can provide additional ideas.

 

Public