How to separate access at a Bucket level

Use case:

In some scenarios, you may wish to separate users at the bucket level (each sub-user has their own bucket and while a sub-user can access their own bucket, they can't access other sub-users buckets). 

 

At a high level, the following steps are involved: 

  1. Create or log into your Wasabi root account
  2. Create a storage bucket for each sub-user
  3. Create sub-user(s)
  4. Create an IAM policy for each sub-user that limits their access to just their storage bucket
  5. Attach the IAM policy to your sub-user

 For this article, let's consider a company account with two sub-users

  • panjack
  • stonecold

Execution Steps:

Let's walk through this bucket separation for sub-user 'panjack'

1. Create a bucket

In this example, we are creating a bucket called 'bucket-meant-for-panjack'

 

Screen_Shot_2021-04-09_at_1.22.46_PM.png

 

2. Create user

In this example, we are creating a sub-user called 'panjack'

 

Screen_Shot_2021-04-09_at_1.25.22_PM.png

 

3. Create an IAM policy

From the Wasabi web console UI, choose the Policies -> Create Policy option to create a policy using the example below. 

The actual policy syntax for limiting sub-user 'panjack' access to bucket 'bucket-meant-for-panjack' is provided below (this needs to be edited with your own bucket name in your actual use case).

 


{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket-meant-for-panjack",
"arn:aws:s3:::bucket-meant-for-panjack/*"
]
}
]
}

Screen_Shot_2021-04-09_at_1.35.08_PM.png

 

 Note:  To perform any bucket/object operations through the console the sub-user MUST have "ListAllMyBuckets" permission.  This will allow the sub-user to list all the buckets when logged into the console but can access content only from the bucket that the sub-user has permission to

 

4. Attach the above-created policy to sub-user 'panjack'

Navigate to User --> your sub-user (panjack in this case) ---> Policies and attach the above-created policy to them

Screen_Shot_2021-04-09_at_1.37.15_PM.png

 

Now this sub-user will ONLY be able to access their own bucket

 

------------------------------------------------------------------------------------------------------

 

Now for sub-user 'stonecold'

Repeat the same exact process as above

1. Create Bucket, for example, a bucket called 'bucket-meant-for-stonecold'

2. Create sub-user 'stonecold'

3. Create an IAM Policy that will have the appropriate bucket name for this sub-user, see how the bucket name is different in the below policy example

 

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket-meant-for-stonecold",
"arn:aws:s3:::bucket-meant-for-stonecold/*"
]
}
]
}

4. Finally, attach this policy to 'stonecold' sub-user

------------------------------------------------------------------------------------------------------

 

If your company has hundreds and thousands of sub-users requirement, you may use an automated approach to do this as shown here

How to automate infrastructure design on Wasabi

 

 

 

Have more questions? Submit a request