Object Storage

Restrict access to S3 bucket based on aws_access_key_id=ACCESS_KEY


I have four S3 buckets: bucket1, bucket2, bucket3, bucket4. I would like to create a new access/secret key that only has access to ONE of these four buckets. At least deny listing all buckets.

Since it's the client that is going to write data to the S3 bucket, I don't want to go the IAM way. I am keen to explore access based on the access key.

I want to use a bucket policy to grant access to a bucket based on the access key and deny access to the remaining buckets in the tenant.

I am also open to any other means to achieve the desired results.



Create 4 tenant users and security policies for each bucket that allow only one user to read/write and deny certain actions for the rest.

Create a key for each tenant user.




We mount the S3 bucket to a UNIX server for application access. The S3 buckets are mounted using tenant credentials, not IAM credentials.

I am trying to restrict list-bucket access to a specific aws_access_key_id=ACCESS_KEY.





How do you mount the buckets? With s3fs? Or through SG NAS Bridge?


https://github.com/s3fs-fuse/s3fs-fuse#examples shows how s3fs uses S3 keys and not account name.


If you don't want the app to use S3 keys, you can still pre-populate the s3fs credentials for the user's $HOME, and each app can use a separate UID/GID ($HOME) or user profile to access S3 bucket.


If each user (app) has its own .passwd-s3fs, they don't need to be specifically aware of it. For example, /home/user1/.s3pass, /home/user2/.s3pass, etc. You just need to maintain and push these .s3pass config files to the apps' home directories or environment variables/profiles.



Indeed, we use s3fs to mount the bucket with a credential file. Now, on StorageGRID, how do I restrict access to a bucket with aws_access_key? I have a tenant with 4 S3 buckets and their respective keys:

  - S3 buckets: Bucket_1, Bucket_2, Bucket_3, Bucket_4

I generate 4 separate access keys and secret keys.

How do we tie a bucket to a key without an IAM user?

How do I restrict bucket list access on Bucket_2 to access_key_01, access_key03, access_key04?

            {
            "Effect": "Deny",
            "Action": [],
            "Resource": "arn:aws:s3:::Bucket_2/*",
            "Condition": {}
            }





If you can create "directories" such as





Then create a group ("app1") and in it have 4 accounts with 1 key each. Then you could do ACLs by account (group1/app1, group1/app2, etc.). If you could containerize the apps, each could mount the bucket and there'd be no overlap.

s3:prefix (bucket_1/app1, for example) would let you do per-"directory" ACLs.

But this would necessitate the creation of a group and separate accounts.


If you could route the apps through different IP addresses (hard to enforce, but if you could), you could use aws:SourceIp.

This could be "enforced" by having a TLS terminating proxy that would ensure each app is accessing via the correct IP.

aws:NotIpAddress would be used to ban the other 3 apps from performing certain operations on certain s3:prefix or object names/extensions.


It seems there's no easy way to do this.  I don't know what other ways are possible and what are the limitations (can't create more accounts, can containerize, etc.) in this environment. Hopefully some other community members can provide additional ideas.
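Both approaches in this thread (one tenant user per bucket from the earlier reply, and per-"directory" s3:prefix plus aws:SourceIp / aws:NotIpAddress conditions from this one) rest on the same point: an S3 bucket policy cannot name an access key, only the tenant user the key belongs to, so a key is tied to a bucket by making that user the Principal. The Python below is an added example, not code from the thread or from NetApp. It generates a policy per bucket (plus the shared-bucket prefix variant) and runs sample requests through a small IAM-style evaluator so the effect can be checked before the policy is put on StorageGRID. The tenant ID, user names, source CIDR and the urn:sgws:identity::TENANT:user/NAME principal form are assumptions and placeholders; verify the principal format against your StorageGRID release.

```python
import fnmatch
import ipaddress
import json

# Constructed placeholders (not from the thread): a StorageGRID tenant account ID,
# the four tenant users, and the four buckets named in the question.
TENANT_ID = "00000000000000000000"  # placeholder tenant account ID
BUCKETS = ["Bucket_1", "Bucket_2", "Bucket_3", "Bucket_4"]
USERS = ["app1", "app2", "app3", "app4"]
ALL_ACTIONS = ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"]

def user_urn(user):
    # Assumed StorageGRID principal format for a tenant user (the access key belongs to it).
    return f"urn:sgws:identity::{TENANT_ID}:user/{user}"

def bucket_resources(bucket):
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]

def bucket_policy(bucket, owner, all_users):
    """One policy per bucket: the owning tenant user may list and read/write; every
    other tenant user is explicitly denied, so a broader group policy cannot reopen it."""
    others = [user_urn(u) for u in all_users if u != owner]
    return {"Statement": [
        {"Sid": "OwnerAccess", "Effect": "Allow",
         "Principal": {"AWS": user_urn(owner)},
         "Action": ALL_ACTIONS, "Resource": bucket_resources(bucket)},
        {"Sid": "DenyOtherTenantUsers", "Effect": "Deny",
         "Principal": {"AWS": others},
         "Action": ALL_ACTIONS, "Resource": bucket_resources(bucket)},
    ]}

def prefix_policy(bucket, app, cidr):
    """Shared-bucket variant: the app may list only its own "directory" (s3:prefix) and
    only from its expected network; requests from any other address are denied."""
    return {"Statement": [
        {"Sid": "ListOwnPrefix", "Effect": "Allow",
         "Principal": {"AWS": user_urn(app)},
         "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringLike": {"s3:prefix": f"{app}/*"},
                       "IpAddress": {"aws:SourceIp": cidr}}},
        {"Sid": "DenyOtherNetworks", "Effect": "Deny",
         "Principal": {"AWS": user_urn(app)},
         "Action": "s3:*", "Resource": bucket_resources(bucket),
         "Condition": {"NotIpAddress": {"aws:SourceIp": cidr}}},
    ]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_matches(spec, principal):
    if spec == "*":
        return True
    allowed = _as_list(spec["AWS"])
    return "*" in allowed or principal in allowed

def _conditions_hold(cond, ctx):
    """Only the operators used above. Simplification: a missing context key fails."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if have is None:
                return False
            want = _as_list(want)
            if op in ("IpAddress", "NotIpAddress"):
                ok = any(ipaddress.ip_address(have) in ipaddress.ip_network(w) for w in want)
                ok = ok if op == "IpAddress" else not ok
            elif op == "StringLike":
                ok = any(fnmatch.fnmatchcase(have, w) for w in want)
            else:
                raise ValueError(f"unsupported condition operator: {op}")
            if not ok:
                return False
    return True

def evaluate(policy, principal, action, resource, ctx=None):
    """IAM-style decision order: explicit Deny wins, then Allow, else implicit deny."""
    ctx = ctx or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], principal):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

if __name__ == "__main__":
    # Bucket_N is owned by appN: print the policy you would put on each bucket.
    for bucket, owner in zip(BUCKETS, USERS):
        print(bucket, json.dumps(bucket_policy(bucket, owner, USERS), indent=2))
```

The evaluator is deliberately small: it knows only the operators these policies use and treats a missing condition key as a non-match, which is enough to confirm that the explicit Deny statements stop the other three users (and, in the prefix variant, any request that arrives from outside the expected network) while the owner keeps read/write on its own bucket. Note that the second approach only holds if the source address really can be pinned per app, as the reply above says.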

