How to separate access at a Bucket level?


Use case:

In some scenarios, you may wish to separate users at the bucket level: each sub-user has their own bucket, and while a sub-user can access their own bucket, they cannot access other sub-users' buckets.

At a high level, the following steps are involved:

  1. Create or log into your Wasabi root account

  2. Create a storage bucket for each sub-user

  3. Create sub-user(s)

  4. Create an IAM policy for each sub-user that limits their access to just their storage bucket

  5. Attach the IAM policy to your sub-user

For this article, let's consider a company account with two sub-users:

  • panjack

  • stonecold

Execution Steps:

Let's walk through this bucket separation for sub-user 'panjack'.

1. Create a bucket

In this example, we are creating a bucket called 'bucket-meant-for-panjack'


2. Create user

In this example, we are creating a sub-user called 'panjack'


3. Create an IAM policy

From the Wasabi web console UI, choose the Policies -> Create Policy option to create a policy using the example below.

The policy that limits sub-user 'panjack' to bucket 'bucket-meant-for-panjack' is shown below (replace the bucket name with your own in your actual use case).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucket-meant-for-panjack",
        "arn:aws:s3:::bucket-meant-for-panjack/*"
      ]
    }
  ]
}

Note: To perform any bucket/object operations through the console, the sub-user MUST have the "s3:ListAllMyBuckets" permission. This lets the sub-user see the names of all buckets in the account when logged into the console, but they can access content only in the bucket their policy grants them.

4. Attach the above-created policy to sub-user 'panjack'

Navigate to Users -> your sub-user (panjack in this case) -> Policies and attach the policy created above to them.


Now this sub-user will ONLY be able to access their own bucket.

------------------------------------------------------------------------------------------------------

Now for sub-user 'stonecold'

Repeat exactly the same process as above:

  1. Create Bucket, for example, a bucket called 'bucket-meant-for-stonecold'

  2. Create sub-user 'stonecold'

  3. Create an IAM policy that names this sub-user's bucket; note how the bucket name differs in the policy example below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucket-meant-for-stonecold",
        "arn:aws:s3:::bucket-meant-for-stonecold/*"
      ]
    }
  ]
}
  4. Finally, attach this policy to sub-user 'stonecold'.
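As an added example (not part of the Wasabi article or its tooling), the following Python script generates the policy shown above for any sub-user's bucket and then checks, with a small offline evaluator, that each sub-user's policy reaches only its own bucket while still granting s3:ListAllMyBuckets. The function names and the evaluator are this example's own; the evaluator handles only Allow/Deny statements with Action/Resource wildcards (no Condition keys), and the user-to-bucket mapping is a constructed sample.

```python
import fnmatch

def build_bucket_policy(bucket: str) -> dict:
    """Policy document from the article, parameterised by the sub-user's bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # required for the console to show the bucket list at all
                "Effect": "Allow",
                "Action": "s3:ListAllMyBuckets",
                "Resource": "arn:aws:s3:::*",
            },
            {   # full S3 access, but only on this bucket and the objects inside it
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }

def _matches(value: str, patterns) -> bool:
    # IAM wildcards are shell-style; '*' also spans '/' inside object ARNs
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Minimal IAM-style evaluation: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(action, stmt["Action"]) and _matches(resource, stmt["Resource"]):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def check_separation(user_buckets: dict) -> list:
    """Return violations: a sub-user reading another's bucket, or lacking its own access."""
    problems = []
    for user, own_bucket in user_buckets.items():
        policy = build_bucket_policy(own_bucket)
        if not policy_allows(policy, "s3:ListAllMyBuckets", "arn:aws:s3:::*"):
            problems.append(f"{user}: cannot list buckets, so console access would fail")
        for other, bucket in user_buckets.items():
            readable = policy_allows(policy, "s3:GetObject", f"arn:aws:s3:::{bucket}/report.csv")
            if readable != (other == user):
                problems.append(f"{user}: unexpected access result for bucket {bucket}")
    return problems

USERS = {"panjack": "bucket-meant-for-panjack", "stonecold": "bucket-meant-for-stonecold"}  # constructed sample
```

Running `check_separation(USERS)` returns an empty list for the two policies above; a policy that accidentally used `arn:aws:s3:::*` in its second statement would show up as a violation for every other bucket.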

------------------------------------------------------------------------------------------------------

If your company needs hundreds or thousands of sub-users, you can automate this process using the approach shown here:

How to automate infrastructure design on Wasabi