If I want a user to be able only to put objects, and not download or delete them, 
I have to apply a secondary statement denying the GetObject. Yet I did 
not specify the GetObject. 

This works
    {
      "Sid": "put-only-objects-s2",
      "Effect": "Deny",
      "Principal": { "AWS": [ "arn:aws:iam::Company:user/user1", "arn:aws:iam::Company:user/user2" ] },
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::testbucket/user1/*"
    },
    {
      "Sid": "put-only-objects-s3",
      "Effect": "Allow",
      "Principal": { "AWS": [ "arn:aws:iam::Company:user/user1", "arn:aws:iam::Company:user/user2" ] },
      "Action": [
        "s3:ListBucket",
        "s3:HeadObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::testbucket/user1/*"
    },




This does not; you can still download the ones you upload.

    {
      "Sid": "put-only-objects-s3",
      "Effect": "Allow",
      "Principal": { "AWS": [ "arn:aws:iam::Company:user/user1", "arn:aws:iam::Company:user/user2" ] },
      "Action": [
        "s3:ListBucket",
        "s3:HeadObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::testbucket/user1/*"
    },
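
The behaviour reported above, as an added example that is not part of the original post and not Ceph's code: a simplified model of policy evaluation in which an explicit Deny wins, an explicit Allow comes next, and a request matched by neither falls through to the object ACL. The fallthrough and the owner's read grant are assumptions of this model; `evaluate`, `check` and the key `report.txt` are made-up names.

```python
import fnmatch

def matches(patterns, value):
    """True if value matches any pattern ('*' wildcard, as in the Resource)."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(statements, principal, action, resource, object_owner):
    """Return 'Allow' or 'Deny' for one request (simplified model)."""
    allowed = False
    for st in statements:
        if (principal in st["Principal"]["AWS"]
                and matches(st["Action"], action)
                and matches(st["Resource"], resource)):
            if st["Effect"] == "Deny":
                return "Deny"          # explicit Deny always wins
            allowed = True             # remember an explicit Allow
    if allowed:
        return "Allow"
    # No statement matched: fall through to the object ACL.
    # Assumption: the ACL grants READ to the object's owner (the uploader).
    if action == "s3:GetObject" and principal == object_owner:
        return "Allow"
    return "Deny"

# The two statements from the post.
USERS = ["arn:aws:iam::Company:user/user1", "arn:aws:iam::Company:user/user2"]
RESOURCE = "arn:aws:s3:::testbucket/user1/*"
ALLOW_PUT = {"Sid": "put-only-objects-s3", "Effect": "Allow",
             "Principal": {"AWS": USERS},
             "Action": ["s3:ListBucket", "s3:HeadObject", "s3:PutObject"],
             "Resource": RESOURCE}
DENY_GET = {"Sid": "put-only-objects-s2", "Effect": "Deny",
            "Principal": {"AWS": USERS},
            "Action": ["s3:GetObject"], "Resource": RESOURCE}

KEY = "arn:aws:s3:::testbucket/user1/report.txt"  # constructed sample object

def check(statements, action, principal=USERS[0], owner=USERS[0]):
    """Evaluate a request on KEY; by default user1 acts on its own upload."""
    return evaluate(statements, principal, action, KEY, object_owner=owner)

if __name__ == "__main__":
    for name, pol in (("allow only", [ALLOW_PUT]),
                      ("deny + allow", [DENY_GET, ALLOW_PUT])):
        for action in ("s3:PutObject", "s3:GetObject"):
            print(f"{name:13} {action:14} {check(pol, action)}")
```

In this model the Allow-only policy never mentions `s3:GetObject`, so the download is granted by the ACL fallback rather than by the policy, and only the explicit Deny statement closes it.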





