Documentation Index

Fetch the complete documentation index at: https://docs.wasabi.com/llms.txt

Use this file to discover all available pages before exploring further.

Folder Management: Separating User Access

Prev Next

You can separate users at the folder level. Users will share a common bucket, but each user will have their own folder that is not accessible by other users who have access to the same bucket.

At a high level, separating user access involves:

  1. Creating a storage bucket for users to share

  2. Creating folders within the bucket for each sub-user

  3. Creating sub-users

  4. Creating an IAM policy for each sub-user to limit their access to just their folder within the storage bucket

  5. Attaching the IAM policy to your sub-user

If your company has hundreds or thousands of sub-user requirements, you can use an automated approach as described in Automating Infrastructure Design for Wasabi.

The following instructions consider a Wasabi account that manages storage for multiple companies with multiple clients (sub-users) in each company. Each company has its own storage bucket, and each sub-user within a company has their own folder with private access within that bucket. Company-A, for example, has two sub-users: Molly Bright and Dave Starsky. These two sub-users cannot see each other's data, so they will be given access to their own folders within the company bucket. In summary, the following instructions will work with:

Bucket name: 

bucket-company-a

Sub-users:

molly-bright

dave-starsky

Sub-user folders:

molly-brights-folder

Separating User Access

  1. Log in to your Wasabi Root account. (Create an account if you do not already have one.)

  2. Create a bucket for your company. In this example, a bucket named bucket-company-a is created.

  3. Create two folders within the bucket, one folder for each sub-user: molly-brights-folder and dave-starskys-folder.

  4. Create two sub-users: molly-bright and dave-starsky.

  5. Create a policy for each sub-user: molly-bright-separation and dave-starsky-separation. For example:

    The policy syntax below limits sub-user molly-bright access to molly-brights-folder inside the bucket-company-a bucket.

    {
    "Version":"2012-10-17",
    "Statement": [
    {
    "Sid": "AllowUserToSeeBucketListInTheConsole",
    "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketCompliance"],
    "Effect": "Allow",
    "Resource": ["arn:aws:s3:::*"]
    },
    {
    "Sid": "AllowRootAndHomeListingOfCompanyBucket",
    "Action": ["s3:ListBucket"],
    "Effect": "Allow",
    "Resource": ["arn:aws:s3:::bucket-company-a"],
    "Condition":{"StringEquals":{"s3:prefix":["","molly-brights-folder/"],"s3:delimiter":["/"]}}
    },
    {
    "Sid": "AllowListingOfUserFolder",
    "Action": ["s3:ListBucket"],
    "Effect": "Allow",
    "Resource": ["arn:aws:s3:::bucket-company-a"],
    "Condition":{"StringLike":{"s3:prefix":["molly-brights-folder/*"]}}
    },
    {
    "Sid": "AllowAllS3ActionsInUserFolder",
    "Effect": "Allow",
    "Action": ["s3:*"],
    "Resource": ["arn:aws:s3:::bucket-company-a/molly-brights-folder/*"]
    }
    ]
    }

    This policy limits sub-user dave-starsky access to dave-starskys-folder inside the bucket-company-a bucket.

    {
    "Version":"2012-10-17",
    "Statement": [
    {
    "Sid": "AllowUserToSeeBucketListInTheConsole",
    "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketCompliance"],
    "Effect": "Allow",
    "Resource": ["arn:aws:s3:::*"]
    },
    {
    "Sid": "AllowRootAndHomeListingOfCompanyBucket",
    "Action": ["s3:ListBucket"],
    "Effect": "Allow",
    "Resource": ["arn:aws:s3:::bucket-company-a"],
    "Condition":{"StringEquals":{"s3:prefix":["","dave-starskys-folder/"],"s3:delimiter":["/"]}}
    },
    {
    "Sid": "AllowListingOfUserFolder",
    "Action": ["s3:ListBucket"],
    "Effect": "Allow",
    "Resource": ["arn:aws:s3:::bucket-company-a"],
    "Condition":{"StringLike":{"s3:prefix":["dave-starskys-folder/*"]}}
    },
    {
    "Sid": "AllowAllS3ActionsInUserFolder",
    "Effect": "Allow",
    "Action": ["s3:*"],
    "Resource": ["arn:aws:s3:::bucket-company-a/dave-starskys-folder/*"]
    }
    ]
    }

    You would edit this to provide the bucket and folder names in your actual use case.

  6. Attach the appropriate policy to each sub-user. For example:

    1. Click Users.

    2. Click sub-user molly-bright.

    3. Click Policies and attach the molly-bright-separation policy.

    Sub-user molly-bright will be able to access ONLY molly-brights-folder within the bucket-company-a bucket.

    Complete the same steps to attach the dave-starsky-separation policy to the sub-user dave-starsky. Then, dave-starsky will be able to access ONLY dave-starskys-folder within the bucket-company-a bucket.