
Lyve Cloud Documentation

Managing bucket access permissions

Permissions control access to buckets: they define which actions a service account is allowed to perform on a bucket. Two kinds of permission can be granted to your buckets: Bucket permissions and Policy permissions.

  • Bucket permission: Sets Read only, Write only, or All operations access on selected buckets. A bucket permission grants access to the bucket and to every object in it; it cannot be scoped to individual objects. Only the Admin and Storage Admin roles can create bucket permissions. For more information, see Creating bucket permission.

  • Policy permission: Created by uploading a JSON policy file, which may be an existing AWS IAM policy file. A policy permission allows or denies requests at a granular level, based on the actions, resources, and request conditions stated in the policy. For more information, see Creating policy permission.

Role-based access to permission management

The following table describes access to permission management features by role. The Auditor role is read only: it can list and view permissions but cannot change them.

Action               Admin   Storage Admin   Auditor (Read only)
Create permission    Yes     Yes             No
Edit                 Yes     Yes             No
Delete               Yes     Yes             No
Status               Yes     Yes             No
List and view        Yes     Yes             Yes

Creating bucket access permissions

If the account has no buckets yet, you can still create a bucket permission, but only one that applies to all buckets in the account or to all buckets with a prefix.

Procedure. To create bucket permissions:
  1. On the left-hand menu, select Permissions.

  2. On the Permissions page, select Create bucket permission.

  3. On the Create bucket permission dialog, enter the following:

    • Name: Enter a name for the permission.

    • Which buckets does this permission apply to?: Select any one from the following:

      • One or more existing buckets: Choose one or more buckets from the Buckets list.

        • Buckets: This field is displayed only when you select One or more existing buckets.

      • All buckets in this account with a prefix:

        The permission applies to every bucket whose name starts with the prefix you enter. For example, if the buckets customer01rawdata, customer01zipdata, customer01media and customer01 all belong to customer01, enter the prefix customer01 to cover all four with a single permission.

        Note

        • Only one prefix is allowed for a single permission.

        • The prefix field allows a maximum of 64 characters.

      • All buckets in the account: Apply permission to all current and future buckets in the account.

    • Actions: Select actions to assign privileges as:

      • All Operations: Allows all operations on every bucket matching the selection under Which buckets does this permission apply to?.

      • Read only: Allows read operations on the selected buckets and their objects.

      • Write only: Allows writing objects into the selected buckets without reading them back.


    Once you have selected the options, a description of the resulting permission is displayed.

  4. Select Create to save the permission for a bucket.

The permissions list page displays all permissions. To manage permissions, see Editing bucket permissions and Deleting bucket permissions.

Creating a policy permission

Lyve Cloud can import AWS IAM policy files as policy permissions, so service accounts can be set up from policies you already have. A policy permission file is a JSON document in the AWS IAM policy format.

A policy file lets you specify a Condition element, which compares values in the request against values in the policy to decide whether a statement applies; list specific actions, such as "Action": ["s3:GetObject", "s3:PutObject"]; and specify the Resource element for several buckets and objects in one statement. For more information, see Example of policy permission file.

How to get an IAM policy file from AWS?

Lyve Cloud does not pull policies from AWS; copy the policy document out of the IAM console by hand:

  1. Log in to the AWS Management Console.

  2. Select Services at the top left to view the list of services.

  3. Under Security, Identity, & Compliance, select IAM.

  4. Under Access Management, select Policies and use the Search field to find the policy you want to copy.

  5. Select the JSON tab, copy the policy document into a new file, and save it with a .json extension.

Using a policy permission file

The following table lists the mandatory, optional, and invalid elements in a policy permission file.

Note

  • Invalid elements must be removed from the file before importing; the Lyve Cloud policy permission file does not support them.

  • Remove any tags from AWS IAM policy elements; tags cannot be used in the policy permission file.

Statement (Mandatory): Contains a single statement or an array of individual statements.

Resource (Mandatory): Specifies the object(s) or bucket(s) the statement applies to.

Effect (Mandatory): Allows or denies access to the resource.

Action (Mandatory): Describes the specific action(s) that are allowed or denied.

Version (Mandatory): Defines the version of the policy language, and so the syntax rules used to process the policy file.

Condition (Optional): Specifies the conditions under which a statement is in effect. The Condition element contains expressions that match the condition keys and values in the policy file against the keys and values in the request. Specifying an invalid condition key returns an error. For more information, see Known Issues.

Sid (Optional): A statement ID. Each Sid must be unique within the Statement array; it serves as a sub-ID under the policy document's Id.

Id (Optional): A policy identifier, such as a UUID (GUID).

Principal (Invalid): In AWS, specifies the account that is allowed or denied access to a resource. Remove it; in Lyve Cloud the principal is the service account to which the permission is assigned.

NotPrincipal (Invalid): In AWS, grants or denies access to every principal except those listed. Remove it.

NotAction (Invalid): Matches every action except those listed. If this element is in the file, replace it with an Action element.

NotResource (Invalid): Matches every resource except those listed. If this element is in the file, replace it with a Resource element.

Example of policy permission file

In the following example, the policy permission has three statements:

  • Statement1: Allows listing the objects under the prefix David/ in the bucket mybucket, using a Condition element on the s3:prefix key.

  • Statement2: Allows read and write operations (GetObject and PutObject) on objects under the prefix David/ in bucket mybucket.

  • Statement3: Denies delete object operation for two resources:

    • All the objects in mybucket/David/*

    • All the objects in mycorporatebucket/share/marketing/*

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "statement1",
          "Action": ["s3:ListBucket"],
          "Effect": "Allow",
          "Resource": ["arn:aws:s3:::mybucket"],
          "Condition": {"StringLike": {"s3:prefix": ["David/*"]}}
        },
        {
          "Sid": "statement2",
          "Action": ["s3:GetObject", "s3:PutObject"],
          "Effect": "Allow",
          "Resource": ["arn:aws:s3:::mybucket/David/*"]
        },
        {
          "Sid": "statement3",
          "Action": ["s3:DeleteObject"],
          "Effect": "Deny",
          "Resource": [
            "arn:aws:s3:::mybucket/David/*",
            "arn:aws:s3:::mycorporatebucket/share/marketing/*"
          ]
        }
      ]
    }

    Use the following policy to limit access to a bucket to specific source IP addresses. The Deny statement must list both the bucket ARN and the object ARN (mybucket/*): a Deny on the bucket ARN alone blocks only bucket-level operations such as listing, and object reads and writes from other addresses would still be allowed by the second statement.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Sid-1",
          "Action": ["s3:*"],
          "Effect": "Deny",
          "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
          "Condition": {"NotIpAddress": {"aws:SourceIp": ["134.204.220.36/32"]}}
        },
        {
          "Sid": "Sid-2",
          "Action": ["s3:*"],
          "Effect": "Allow",
          "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"]
        }
      ]
    }

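To see how these two files behave at request time, the following Python is an added example written for this page, not Lyve Cloud's evaluation engine. It applies the usual IAM evaluation rules (nothing is allowed by default, a matching Allow grants the request, any matching Deny wins) to requests against constructed copies of the two policies above. The request context keys (s3:prefix, aws:SourceIp), the sample requests and the treatment of a missing context key as a non-match are assumptions made for the example. The IP restriction is evaluated twice, once with a Deny whose Resource lists only the bucket ARN and once with a Deny that also lists the object ARN, to show that only the second blocks object reads from other addresses.

```python
import fnmatch
import ipaddress

# Constructed copy of the three-statement prefix policy shown above.
PREFIX_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "statement1", "Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::mybucket"],
         "Condition": {"StringLike": {"s3:prefix": ["David/*"]}}},
        {"Sid": "statement2", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::mybucket/David/*"]},
        {"Sid": "statement3", "Effect": "Deny", "Action": ["s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::mybucket/David/*",
                      "arn:aws:s3:::mycorporatebucket/share/marketing/*"]},
    ],
}

def ip_restricted_policy(deny_resources):
    """The IP-restriction policy shown above, with the Deny's Resource list as a parameter."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Sid-1", "Effect": "Deny", "Action": ["s3:*"],
             "Resource": deny_resources,
             "Condition": {"NotIpAddress": {"aws:SourceIp": ["134.204.220.36/32"]}}},
            {"Sid": "Sid-2", "Effect": "Allow", "Action": ["s3:*"],
             "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"]},
        ],
    }

# Deny scoped to the bucket ARN only, versus Deny scoped to bucket and objects.
BUCKET_ONLY_DENY = ip_restricted_policy(["arn:aws:s3:::mybucket"])
BUCKET_AND_OBJECT_DENY = ip_restricted_policy(
    ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"])

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches_any(patterns, value):
    """IAM-style wildcard match: '*' matches any run of characters, including '/'."""
    return any(fnmatch.fnmatchcase(value, pattern) for pattern in _as_list(patterns))

def _condition_holds(condition, context):
    """Evaluate the operators the page uses; every key/value pair must hold."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                return False  # assumption: a key absent from the request never matches
            actual, expected = context[key], _as_list(expected)
            if operator == "StringLike":
                holds = _matches_any(expected, actual)
            elif operator == "StringEquals":
                holds = actual in expected
            elif operator in ("IpAddress", "NotIpAddress"):
                addr = ipaddress.ip_address(actual)
                in_range = any(addr in ipaddress.ip_network(cidr, strict=False)
                               for cidr in expected)
                holds = in_range if operator == "IpAddress" else not in_range
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not holds:
                return False
    return True

def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request.

    Nothing is allowed by default; a matching Allow statement grants the
    request; a matching Deny statement overrides every Allow.
    """
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches_any(stmt["Action"], action):
            continue
        if not _matches_any(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"

if __name__ == "__main__":
    # Sample requests constructed for the example (not from the page).
    off_site = {"aws:SourceIp": "198.51.100.7"}
    print(evaluate(PREFIX_POLICY, "s3:DeleteObject",
                   "arn:aws:s3:::mybucket/David/report.pdf"))      # Deny
    print(evaluate(BUCKET_ONLY_DENY, "s3:GetObject",
                   "arn:aws:s3:::mybucket/secret.txt", off_site))  # Allow (the gap)
    print(evaluate(BUCKET_AND_OBJECT_DENY, "s3:GetObject",
                   "arn:aws:s3:::mybucket/secret.txt", off_site))  # Deny
```

The bucket-only Deny never matches an object ARN, so the Allow in Sid-2 wins for GetObject from any address; adding arn:aws:s3:::mybucket/* to the Deny closes that path while still allowing the listed address through.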
Procedure. To create policy permission:
  1. On the left-hand menu, select Permissions.

  2. On the Permissions page, select Create Policy Permission.

  3. On the Create Policy Permission dialog:

    • Enter a Name.

    • Description: A description is generated for the permission; you can edit it.

    • Policy file: Drag and drop a policy permission file, or browse to upload one.

    • After the file is uploaded, you can download it or replace it with another file.

  4. Select Create.

The import fails if the policy permission file (JSON) has extra, missing or invalid elements. The possible error messages and their resolutions are listed below; update the policy permission file accordingly.

File Import Failed: Invalid JSON file.
  Resolution: Check the JSON file structure.

File Import Failed: Effect field is required.
File Import Failed: Resource field is required.
File Import Failed: Action field is required.
File Import Failed: Statement is required.
  Resolution: Add the missing element to the policy permission file.

File Import Failed: Version field value is empty.
File Import Failed: Action cannot be empty.
File Import Failed: Resource cannot be empty.
File Import Failed: Condition cannot be empty.
  Resolution: Add a value to the empty element.

File Import Failed: Effect value is invalid.
File Import Failed: Action value <action> is not valid.
File Import Failed: Resource value <resource> is not valid.
  Resolution: Add a valid value to the element (Effect must be Allow or Deny).

File Import Failed: Condition name is not valid: <condition entered>.
  Resolution: Choose a valid condition name, such as StringLike.

File Import Failed: Condition key is not valid: <condition key entered>.
  Resolution: Choose a valid condition key, such as s3:prefix.
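The following Python script is an added example, not the Lyve Cloud importer. It checks a policy permission file against the element rules in Using a policy permission file and reports problems worded like the error messages above, so an exported AWS policy can be cleaned up before uploading. The accepted condition operators and keys, the rule that actions start with s3: and resources with arn:aws:s3:::, and the sample policy are assumptions made for the example; the page does not list the full sets.

```python
import json

# Elements AWS accepts but the Lyve Cloud importer rejects, with the fix from the table above.
INVALID_ELEMENTS = {
    "Principal": "remove it; the principal is the service account the permission is assigned to",
    "NotPrincipal": "remove it",
    "NotAction": "replace it with an Action element",
    "NotResource": "replace it with a Resource element",
}
VALID_EFFECTS = {"Allow", "Deny"}
# Assumption for this example: only the operators and keys the page uses are accepted.
KNOWN_CONDITION_OPERATORS = {"StringLike", "StringEquals", "IpAddress", "NotIpAddress"}
KNOWN_CONDITION_KEYS = {"s3:prefix", "aws:SourceIp"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_policy_text(text):
    """Return a list of problems found in a policy permission file.

    An empty list means the file passes every check implemented here. Messages
    follow the wording of the importer's errors so they map back to the table.
    """
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"Invalid JSON file: {exc}"]
    if not isinstance(policy, dict):
        return ["Invalid JSON file: top level must be an object"]

    problems = []
    if "Version" not in policy:
        problems.append("Version field is required")
    elif not policy["Version"]:
        problems.append("Version field value is empty")
    if "Statement" not in policy:
        return problems + ["Statement is required"]

    seen_sids = set()
    for index, stmt in enumerate(_as_list(policy["Statement"]), start=1):
        if not isinstance(stmt, dict):
            problems.append(f"statement {index}: Invalid JSON file (statement is not an object)")
            continue
        where = f"statement {index}" + (f" ({stmt['Sid']})" if "Sid" in stmt else "")

        # Sid is optional, but must be unique within the Statement array.
        if "Sid" in stmt:
            if stmt["Sid"] in seen_sids:
                problems.append(f"{where}: duplicate Sid")
            seen_sids.add(stmt["Sid"])

        # Mandatory per-statement elements, then the value checks from the error list.
        for element in ("Effect", "Action", "Resource"):
            if element not in stmt:
                problems.append(f"{where}: {element} field is required")
        if "Effect" in stmt and stmt["Effect"] not in VALID_EFFECTS:
            problems.append(f"{where}: Effect value is invalid")
        for element, required_prefix in (("Action", "s3:"), ("Resource", "arn:aws:s3:::")):
            if element not in stmt:
                continue
            values = _as_list(stmt[element])
            if not values:
                problems.append(f"{where}: {element} cannot be empty")
            for value in values:
                # Assumption: valid values are S3 actions and S3 ARNs.
                if not isinstance(value, str) or not value.startswith(required_prefix):
                    problems.append(f"{where}: {element} value {value!r} is not valid")

        # Optional Condition: must not be empty, and must use known operators and keys.
        if "Condition" in stmt:
            condition = stmt["Condition"]
            if not condition:
                problems.append(f"{where}: Condition cannot be empty")
            for operator, pairs in (condition or {}).items():
                if operator not in KNOWN_CONDITION_OPERATORS:
                    problems.append(f"{where}: Condition name is not valid: {operator}")
                for key in (pairs if isinstance(pairs, dict) else {}):
                    if key not in KNOWN_CONDITION_KEYS:
                        problems.append(f"{where}: Condition key is not valid: {key}")

        for element, fix in INVALID_ELEMENTS.items():
            if element in stmt:
                problems.append(f"{where}: {element} is not supported ({fix})")
    return problems


# Constructed sample: an AWS-style policy with elements the importer rejects.
SAMPLE_AWS_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "s1", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::mybucket/*"]},
    {"Sid": "s1", "Effect": "Deny", "NotAction": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::mybucket/*"]}
  ]
}"""

if __name__ == "__main__":
    for problem in check_policy_text(SAMPLE_AWS_POLICY):
        print(problem)
```

Run it against the exported file before uploading; each line it prints corresponds to one of the import errors above, with the statement number and Sid so the offending statement is easy to find.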

Editing bucket permissions

Edit existing permissions to change selected buckets and their associated actions.

Procedure. To edit permissions:
  1. On the left-hand menu, select Permissions.

  2. On the Permissions page, select the ellipsis of the permission to modify, and select Edit.

    • To modify Policy Permission-type permissions:

      In the Edit Policy Permission dialog, edit the following:

      • Name

      • Description

      • Policy File: download or replace the existing file.

    • To modify Bucket Permission-type permissions:

      In the Edit Bucket Permission dialog, edit the following:

      • Name

      • Which buckets this permission applies to?

      • Actions

  3. Select Save.

    The changes take effect as soon as the updated permission is saved; every subsequent API call made by a service account that uses this permission is evaluated against the new settings.

Deleting bucket permissions

Note

Permissions used by any service accounts cannot be deleted.

Procedure. To delete permissions:
  1. In the menu, select Permissions.

  2. On the Permissions page, select the ellipsis (...) of the permission to delete.

  3. Select Delete, and select OK in the confirmation.

A deleted permission cannot be restored. You can, however, create a new permission that reuses the deleted permission's name.

Viewing permissions

By default, the Permissions page displays 10 permissions at a time. You can sort the columns in the table.

Procedure. To view all permissions:
  1. In the left-hand navigation, select Permissions.


    The following columns are used to list permissions.

    Name: Displays the name of the permission.

    Description: Displays the permission description.

    Type: Displays the type of permission, either Policy permission or Bucket permission.

    Service Accounts: Displays the number of service accounts using the permission. Hover over the number to view the names of the attached service accounts, and over the question mark icon to view the tooltip.

    Creation On: Displays the date and time when the permission was created (date, followed by a 12-hour AM/PM time).

  2. Select the arrow next to Rows per page to change the number of permissions to list per page.