Tech ONTAP Blogs

The art of the policy

aronk
NetApp

StorageGRID was built from the ground up as a secure multi-tenant object store. By default, user access is denied and must be explicitly granted. When the AWS S3 API was added to StorageGRID, it adopted the same bucket-policy and user-policy permission system that AWS implemented. A StorageGRID tenant is equivalent to an AWS account, and StorageGRID group policies are the same as AWS IAM user policies for the S3 service. This means that you can use the AWS policy generator to form the JSON policies to use in your StorageGRID system.

User policies are assigned to a group of users to define their access to their own tenant space; in StorageGRID we refer to these as group policies. Bucket policies are assigned to an individual bucket and define the access to that bucket for any user or group of users from any tenant of the StorageGRID system.

You should use group policies to provide most of your access controls, covering the largest number of users in the fewest policies possible. Then use bucket policies when you need to restrict a bucket to just a few users, or to provide cross-tenant access. When using bucket policies, especially to restrict a bucket to a subset of users, it is a good practice to start by explicitly denying access to everyone who should not have it, then allow the specific users or groups that should.

To build a policy, we first need to understand the elements of a policy. All policies will define the effect, action(s), and resource(s). Bucket policies will also define a principal.


The “Effect” is either Allow or Deny, and it applies to the statement's set of elements.

The “Principal” only applies to bucket policies. The principal is the account(s) or user(s) being granted or denied the permissions. It can be a wildcard "*", a tenant ID (meaning all users in that tenant), a user (local or federated, from the tenant the bucket resides in or from another tenant in the grid), or a group (again local or federated, from the bucket's tenant or from another tenant in the grid). The principal will always contain the tenant ID unless it is the wildcard for everyone. In a group policy, the group the policy is assigned to is the principal.

All principals are in the format “arn:aws:iam::Tenant_ID:User_or_Group_type/User_or_group_name”.

The “Action” is the set of S3 operations being granted or denied to the user(s). For users to have any access at all, their group policy must allow the “ListBucket” action.

The “Resource” is the bucket or buckets on which the principals are being granted or denied the ability to perform the actions. The resource for a bucket policy must be the bucket it is assigned to, or a path within that bucket. A group policy may contain multiple buckets and/or paths within buckets. The Resource is in the format “arn:aws:s3:::Bucket_Name/path”.

Here is what a policy looks like.

[Screenshot: example policy]

Now that we understand what the policies are, let's look at the AWS policy generator. This policy generator makes it easy to build the policy the way you want, and ensures you end up with correctly formatted JSON to copy into your group configuration or upload to your bucket.

AWS has many different policies this tool can be used for. Today we are only interested in the “S3 Bucket Policy” type and “IAM Policy” type from the “Select Type of Policy” dropdown box.


I want to create a bucket policy for the bucket “eaccounts” that only allows the Active Directory Managers group of tenant1 (Tenant ID = 27233906934684427525) read-only access, the local Finance group of tenant2 (Tenant ID = 76233906934699427431) full control, and a user with an Active Directory account “JaneD” in tenant1 read-only access as well.

In the policy generator,

  • I will choose the “S3 Bucket Policy” type.
  • Since I want this to be a very restricted bucket, I will start by denying all users access to the bucket, so I will click the “Deny” Effect.
  • The AWS Service drop-down box should be set to the “Amazon S3” option.
  • For the Actions drop-down I will select “All Actions (‘*’)”.
  • Then in the Amazon Resource Name (ARN) box I will enter the bucket in the format: "arn:aws:s3:::eaccounts/*"
  • And click the “Add Statement” button.


Do not click Generate Policy yet; we still need to add the Allow statements for the Managers group, the Finance group, and the JaneD user. Since JaneD and the Managers will have the same permissions, we can do them together next.

  • Go back up and select the Allow radio button for the Effect.
  • In the Principal box we will add both the Managers group and JaneD user ARN strings, separated by a comma:

“arn:aws:iam::27233906934684427525:federated-group/managers,arn:aws:iam::27233906934684427525:user/JaneD”

  • In the Actions drop-down select GetObject, GetObjectTagging, GetObjectVersion, and GetObjectVersionTagging.
  • And the same Resource "arn:aws:s3:::eaccounts/*"
  • Then click the “Add Statement” button again.


Do not click Generate Policy yet; we have to do it one more time to add the Finance group.

  • Go back up and select the Allow radio button for the Effect.
  • In the Principal box we will enter the Finance group ARN string: “arn:aws:iam::76233906934699427431:group/Finance”
  • In the Actions select the “All Actions (‘*’)” check box.
  • And the same Resource "arn:aws:s3:::eaccounts/*"
  • Then click the “Add Statement” button again, and now you can click the “Generate Policy” button.


Copy out the policy JSON and paste it into a file (I called mine “eaccounts.json”), and it is ready to be installed on the bucket. The “Id” and “Sid” values can be changed to descriptions that are meaningful to you if you like.

{
  "Id": "Policy1745607535533",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1745605787992",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::eaccounts/*",
      "Principal": "*"
    },
    {
      "Sid": "Stmt1745607207726",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectTagging",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionTagging"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::eaccounts/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::27233906934684427525:federated-group/managers",
          "arn:aws:iam::27233906934684427525:user/JaneD"
        ]
      }
    },
    {
      "Sid": "Stmt1745607503280",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::eaccounts/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::76233906934699427431:group/Finance"
        ]
      }
    }
  ]
}

I use the AWS CLI to install my bucket policy:

aws s3api put-bucket-policy --bucket eaccounts --policy file://eaccounts.json --profile demo --endpoint-url https://demogrid.netapp.com

For a group policy example, let's create a policy that allows read-only permission on the bucket raw-data, denies access to the eaccounts bucket, and gives full control of any other buckets.

Let's start with the deny statement. In the policy generator choose “IAM Policy” in the Policy Type drop-down box. Select the “Deny” radio button, check the “All Actions (‘*’)” box, put “arn:aws:s3:::eaccounts/*” in the Resource box, and click the Add Statement button.


Now I will add the read-only statement for the raw-data bucket.


And finally, add full access for the rest of the tenant space and generate the policy.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1746216778139",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::eaccounts/*"
    },
    {
      "Sid": "Stmt1746216938016",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectTagging",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionTagging",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::raw-data/*"
    },
    {
      "Sid": "Stmt1746217203311",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

Now create or edit the group you want to assign the permissions to, and in the “S3 group policy” tab select the “Custom” radio button, paste the JSON into the box, and save.

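Before running put-bucket-policy or pasting a group policy, it is worth checking the JSON against the rules laid out earlier in this post. The Python below is an added example and is not part of the post or of StorageGRID; its regular expressions encode the principal and resource ARN formats given above, the ListBucket rule is a heuristic that only looks for an Allow statement naming s3:ListBucket or s3:*, and the sample policy is constructed.

```python
import re

# ARN shapes from the post: a principal carries the tenant ID and a user/group type,
# a resource names a bucket (or "*") with an optional path.
PRINCIPAL_RE = re.compile(r"^arn:aws:iam::\d+:(user|group|federated-user|federated-group)/\S+$")
RESOURCE_RE = re.compile(r"^arn:aws:s3:::(?P<bucket>[^/\s]+)(/\S*)?$")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def lint_policy(policy, kind, bucket=None):
    """Return the problems found in a StorageGRID 'bucket' or 'group' policy (heuristic check)."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append(f"Version must be 2012-10-17, got {policy.get('Version')!r}")
    lists_bucket = False  # group members get nothing unless ListBucket is allowed somewhere
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{sid}: Effect must be Allow or Deny")
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and any(a in ("*", "s3:*", "s3:ListBucket") for a in actions):
            lists_bucket = True
        principal = stmt.get("Principal")
        if kind == "bucket" and principal is None:
            problems.append(f"{sid}: bucket policies need a Principal")
        for p in (_as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []):
            if not PRINCIPAL_RE.match(p):
                problems.append(f"{sid}: bad principal ARN {p!r}")
        for r in _as_list(stmt.get("Resource", [])):
            m = RESOURCE_RE.match(r)
            if not m:
                problems.append(f"{sid}: bad resource ARN {r!r}")
            elif kind == "bucket" and m.group("bucket") != bucket:
                problems.append(f"{sid}: resource {r!r} does not belong to bucket {bucket!r}")
    if kind == "group" and not lists_bucket:
        problems.append("no Allow for s3:ListBucket, so group members get no access")
    return problems

# Constructed sample (not from the post): one Allow statement with a stray space after
# "iam::" and a resource in a bucket the policy is not attached to, two easy copy-paste slips.
SAMPLE = {"Version": "2012-10-17", "Statement": [{"Sid": "s1", "Effect": "Allow", "Action": "s3:*",
    "Resource": "arn:aws:s3:::raw-data/*",
    "Principal": {"AWS": ["arn:aws:iam:: 76233906934699427431:group/Finance"]}}]}

if __name__ == "__main__":
    for problem in lint_policy(SAMPLE, "bucket", bucket="eaccounts"):
        print(problem)
```

Run it against a policy file with `json.load` before the put-bucket-policy call; an empty list means none of the post's structural rules were broken.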

I hope this helps provide a better understanding of S3 Policies and permissions. For more information you can check out our documentation on the subject.

https://docs.netapp.com/us-en/storagegrid/s3/bucket-and-group-access-policies.html

https://docs.netapp.com/us-en/storagegrid-enable/examples/bucket-policy-examples.html
