Contents x
      How to Separate Access at the Folder Level
      • 30 Oct 2024
      • 2 Minutes to read
      • Print
      • PDF
      Contents

      How to Separate Access at the Folder Level

      • Updated on 30 Oct 2024
      • 2 Minutes to read
      • Print
      • PDF
      Article summary

      Use case:

      In some scenarios, you may wish to separate users at the folder level (users share a common bucket but each user has their own folder that is not accessible by other users with access to the same bucket).

      At a high level, the following steps are involved: 

      1. Create or log into your Wasabi root account

      2. Create a storage bucket for users to share

      3. Create sub-users

      4. Create an IAM policy for each sub-user that limits their access to just their folder within storage bucket

      5. Attach the IAM policy to your sub-user

      For this article, let's consider a Wasabi account that manages storage for multiple companies, with multiple clients in a company. Each Company has its own storage bucket, and each client within a company has their own folder they need private access to within that bucket. Let’s take Company-A for example that has two clients, Dollar Bill and Dave Starsky. These two clients cannot see each other’s data, so they will be given access to their own folders within the company bucket.

      Bucket Name: 

      bucket-company-a

      Sub-users:

      dollar-bill

      dave-starsky

      Execution Steps:

      Let's start by creating folder access separation for sub-user 'dollar-bill'

      1) Create Bucket

      Create a bucket for Company-A, in this case we will call it 'bucket-company-a'

      mceclip0.png

      2) Create folder within bucket for sub-user 'dollar-bill'

      In this case we will call the folder 'dollar-bills-folder'

      mceclip5.png

      3) Create User

      Create sub-user to give folder access to, 'dollar-bill'

      mceclip1.png

      4) Create an IAM policy

      From the Wasabi web console UI, choose the Policies -> Create Policy option to create a policy using the example below. 

      The actual policy syntax for limiting sub-user 'dollar-bill' access to his folder 'dollar-bills-folder' inside the bucket 'bucket-company-a' is provided below (this needs to be edited with your own bucket and folder names in your actual use case).

      {
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketCompliance"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::*"]
},
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::bucket-company-a"],
"Condition":{"StringEquals":{"s3:prefix":["","dollar-bills-folder/"],"s3:delimiter":["/"]}}
},
{
"Sid": "AllowListingOfUserFolder",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::bucket-company-a"],
"Condition":{"StringLike":{"s3:prefix":["dollar-bills-folder/*"]}}
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": ["arn:aws:s3:::bucket-company-a/dollar-bills-folder/*"]
}
]
}

      mceclip2.png

      5) Attach the above-created policy to sub-user 'dollar-bill'

      Navigate to User --> your sub-user (dollar-bill in this case) ---> Policies and attach the above-created policy to them

      mceclip3.png

      Now this sub-user will be able to access ONLY their folder within that bucket.

      ------------------------------------------------------------------------------------------------------

      Now for sub-user 'dave-starsky'

      Repeat the same exact process as above

      1. Create a folder in the Bucket 'bucket-company-a' , for example, a folder called 'dave-starskys-folder'

      2. Create a sub-user 'dave-starsky'

      3. Create an IAM Policy that will give access to the appropriate folder within a bucket for this sub-user, see how the folder name is different in the below policy example

      {
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketCompliance"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::*"]
},
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::bucket-company-a"],
"Condition":{"StringEquals":{"s3:prefix":["","dave-starskys-folder/"],"s3:delimiter":["/"]}}
},
{
"Sid": "AllowListingOfUserFolder",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::bucket-company-a"],
"Condition":{"StringLike":{"s3:prefix":["dave-starskys-folder/*"]}}
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": ["arn:aws:s3:::bucket-company-a/dave-starskys-folder/*"]
}
]
}

      1. Lastly, attach this policy to the 'dave-starsky' sub-user.

      If your company has hundreds and thousands of sub-users requirement, you may use an automated approach to do this as shown here

      How to automate infrastructure design on Wasabi

      What's Next
      Copyright © 2024 by Wasabi Technologies LLC
      75 Arlington Street, Suite 810, Boston, MA 02116 USA
      All Rights Reserved
      Visit us at https://wasabi.com.
      WASABI and the WASABI logo are trademarks of Wasabi Technologies LLC and may not be used without permission of Wasabi Technologies. All other names are used for identification purposes only and are trademarks or registered trademarks of their respective companies.

      Information presented herein is subject to change without notice. Companies, names, and data used in examples are fictitious unless otherwise noted. No part of this information may be reproduced or transmitted in any form by means electronic or mechanical, for any purpose, without express written permission of Wasabi Technologies.