How to separate access at a Bucket level?
    • 19 Dec 2023
    • 1 Minute to read
    • PDF

    How to separate access at a Bucket level?

    • PDF

    Article summary

    Use case:

    In some scenarios, you may wish to separate users at the bucket level (each sub-user has their own bucket and while a sub-user can access their own bucket, they can't access other sub-users buckets).

    At a high level, the following steps are involved:

    1. Create or log into your Wasabi root account

    2. Create a storage bucket for each sub-user

    3. Create sub-user(s)

    4. Create an IAM policy for each sub-user that limits their access to just their storage bucket

    5. Attach the IAM policy to your sub-user

     For this article, let's consider a company account with two sub-users

    • panjack

    • stonecold

    Execution Steps:

    Let's walk through this bucket separation for sub-user 'panjack'

    1. Create a bucket

    In this example, we are creating a bucket called 'bucket-meant-for-panjack'

    Screen_Shot_2021-04-09_at_1.22.46_PM.png

    2. Create user

    In this example, we are creating a sub-user called 'panjack'

    Screen_Shot_2021-04-09_at_1.25.22_PM.png

    3. Create an IAM policy

    From the Wasabi web console UI, choose the Policies -> Create Policy option to create a policy using the example below. 

    The actual policy syntax for limiting sub-user 'panjack' access to bucket 'bucket-meant-for-panjack' is provided below (this needs to be edited with your own bucket name in your actual use case).

    
    {
     "Version": "2012-10-17",
     "Statement": [
     {
     "Effect": "Allow",
     "Action": "s3:ListAllMyBuckets",
     "Resource": "arn:aws:s3:::*"
     },
     {
     "Effect": "Allow",
     "Action": "s3:*",
     "Resource": [
     "arn:aws:s3:::bucket-meant-for-panjack",
     "arn:aws:s3:::bucket-meant-for-panjack/*"
     ]
     }
     ]
    }
    Screen_Shot_2021-04-09_at_1.35.08_PM.png

    Note: To perform any bucket/object operations through the console the sub-user MUST have "ListAllMyBuckets" permission. This will allow the sub-user to list all the buckets when logged into the console but can access content only from the bucket that the sub-user has permission to

    4. Attach the above-created policy to sub-user 'panjack'

    Navigate to User --> your sub-user (panjack in this case) ---> Policies and attach the above-created policy to them

    Screen_Shot_2021-04-09_at_1.37.15_PM.png

    Now this sub-user will ONLY be able to access their own bucket

    ------------------------------------------------------------------------------------------------------

    Now for sub-user 'stonecold'

    Repeat the same exact process as above

    1. Create Bucket, for example, a bucket called 'bucket-meant-for-stonecold'

    2. Create sub-user 'stonecold'

    3. Create an IAM Policy that will have the appropriate bucket name for this sub-user, see how the bucket name is different in the below policy example

    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": "s3:ListAllMyBuckets",
    "Resource": "arn:aws:s3:::*"
    },
    {
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": [
    "arn:aws:s3:::bucket-meant-for-stonecold",
    "arn:aws:s3:::bucket-meant-for-stonecold/*"
    ]
    }
    ]
    }
    1. Finally, attach this policy to 'stonecold' sub-user

    ------------------------------------------------------------------------------------------------------

    If your company has hundreds and thousands of sub-users requirement, you may use an automated approach to do this as shown here

    How to automate infrastructure design on Wasabi


    ESC

    Eddy AI, facilitating knowledge discovery through conversational intelligence