Question & Answer
Answer
Summary
This article describes the minimum IAM permissions Aspera needs to upload to, download from, or list content in an S3 bucket. The same IAM policy can be used across Aspera deployment types, for example when you run your own Aspera On Demand (AOD) server or when you use the Aspera Transfer Service (ATS).
Details
The table below lists the IAM permissions each operation needs. Upload, download, and browse or delete are shown as separate columns so that a policy can be restricted to only the operations a given Aspera node actually performs, rather than granting the full set to every node.
| Permission | Required for upload? | Required for download? | Required for browse or delete? | Comments |
|---|---|---|---|---|
| s3:AbortMultipartUpload | X | | browse + delete | |
| s3:DeleteObject | X | | browse + delete | |
| s3:GetBucketLocation | X | X | browse | A tuning option removes the need for this permission; see note (2). |
| s3:GetObject | | X | browse | |
| s3:ListBucket | X | X | browse | |
| s3:ListBucketMultipartUploads | X | X | browse + delete | |
| s3:ListMultipartUploadParts | X | | | |
| s3:PutObject | X | | | |
| s3:ListAllMyBuckets | X (1) | | | No longer required as of 3.5.2; still required if the policy does not name a specific bucket (for example, a Resource of *). See note (1). |
Example
Here is an example IAM policy that grants the minimum required permissions for a specific bucket (my_bucket in the policy below). Substitute your own bucket name. Note how the permissions are split across two statements: the object-level actions are granted on the object ARN (arn:aws:s3:::my_bucket/*), while GetBucketLocation, ListBucket and ListBucketMultipartUploads act on the bucket itself and must be granted on the bucket ARN (arn:aws:s3:::my_bucket). Granting a bucket-level action on the object ARN does not work, and is a common reason a policy that looks complete still fails with an access denied error on listing.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1464034295000",
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:ListMultipartUploadParts",
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::my_bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": [
        "arn:aws:s3:::my_bucket"
      ]
    }
  ]
}
```
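As an added worked example (not IBM or Aspera code), the following Python builds the two-statement policy from the permission table for a chosen set of operations, and lints an existing policy against that minimum: it reports required actions that are not granted on the correct ARN, honours explicit Deny statements, and flags wildcard grants that exceed the minimum. It assumes that a "browse + delete" cell in the table means the action is required for both operations, omits s3:ListAllMyBuckets because the generated policy always names the bucket, and probes object-level grants with a made-up object key.

```python
"""Generate and lint a least-privilege S3 policy for Aspera transfers.

Added example, not IBM or Aspera code. REQUIRED is transcribed from the
permission table in this article ("browse + delete" read as both ops).
s3:ListAllMyBuckets is omitted because the generated policy names the bucket.
"""
import json
from fnmatch import fnmatchcase

REQUIRED = {
    "upload": {"s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetBucketLocation",
               "s3:ListBucket", "s3:ListBucketMultipartUploads",
               "s3:ListMultipartUploadParts", "s3:PutObject"},
    "download": {"s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket",
                 "s3:ListBucketMultipartUploads"},
    "browse": {"s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetBucketLocation",
               "s3:GetObject", "s3:ListBucket", "s3:ListBucketMultipartUploads"},
    "delete": {"s3:AbortMultipartUpload", "s3:DeleteObject", "s3:ListBucketMultipartUploads"},
}

# These act on the bucket itself, so their Resource must be the bucket ARN
# (arn:aws:s3:::bucket), not the object ARN (arn:aws:s3:::bucket/*).
BUCKET_LEVEL = {"s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads"}

PROBE_KEY = "probe/dir/file.bin"  # hypothetical key used to test object-level grants


def bucket_arn(bucket):
    return f"arn:aws:s3:::{bucket}"


def required_actions(ops):
    """Union of the actions needed for the requested operations."""
    return set().union(*(REQUIRED[op] for op in ops))


def build_policy(bucket, ops):
    """Two-statement policy in the same shape as the article's example."""
    actions = required_actions(ops)
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": sorted(actions - BUCKET_LEVEL),
         "Resource": [bucket_arn(bucket) + "/*"]},
        {"Effect": "Allow", "Action": sorted(actions & BUCKET_LEVEL),
         "Resource": [bucket_arn(bucket)]},
    ]}


def _as_list(value):
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(patterns, value):
    # IAM wildcards (* and ?) behave like shell globs; NotAction/NotResource are not modelled.
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny always wins over an Allow."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        acts = [a.lower() for a in _as_list(stmt.get("Action"))]  # action names are case-insensitive
        if not _matches(acts, action.lower()):
            continue
        if not _matches(_as_list(stmt.get("Resource")), resource):  # ARNs are case-sensitive
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def lint_policy(policy, bucket, ops):
    """Findings: required grants that are missing, and wildcards wider than the minimum."""
    findings = []
    for action in sorted(required_actions(ops)):
        if action in BUCKET_LEVEL:
            resource, level = bucket_arn(bucket), "bucket"
        else:
            resource, level = bucket_arn(bucket) + "/" + PROBE_KEY, "object"
        if not is_allowed(policy, action, resource):
            findings.append(f"missing: {action} is not allowed on the {level} ARN {resource}")
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for a in _as_list(stmt.get("Action")):
            if a in ("*", "s3:*"):
                findings.append(f"overbroad: statement {i} allows action {a}")
        for r in _as_list(stmt.get("Resource")):
            if r in ("*", "arn:aws:s3:::*"):
                findings.append(f"overbroad: statement {i} applies to resource {r}")
    return findings


# Constructed example of a common mistake: every upload action granted on the object ARN
# only, so the three bucket-level actions are silently not granted.
MISSCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(required_actions(["upload"])),
     "Resource": ["arn:aws:s3:::my_bucket/*"]}]}

if __name__ == "__main__":
    good = build_policy("my_bucket", ["upload", "download", "browse", "delete"])
    print(json.dumps(good, indent=2))
    print("generated policy:", lint_policy(good, "my_bucket", ["upload"]))
    print("mis-scoped policy:", lint_policy(MISSCOPED_POLICY, "my_bucket", ["upload"]))
```

Running the script prints the generated policy (which matches the example above) with no findings, followed by three "missing" findings for the constructed mis-scoped policy: GetBucketLocation, ListBucket and ListBucketMultipartUploads are granted only on my_bucket/*, so a transfer would be able to PutObject but fail as soon as Aspera lists the bucket. Build a policy for only the operations a node performs (for example, ["download"] for a distribution-only node) to keep the grant at the minimum.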
1. As of the Enterprise Server 3.5.2 release, the ListAllMyBuckets permission is no longer required for Aspera to upload to object storage. (NOTE: ATS runs a version newer than 3.5.2.)
2. To remove the requirement for GetBucketLocation, starting with the 3.5.2 release, do the following (NOTE: ATS requires this option):
(a) Edit /opt/aspera/etc/trap/s3.properties and disable the check by setting the following option:
aspera.session.check-bucket.transfer=false
(b) Restart asperatrapd with the following command:
# /etc/init.d/asperatrapd restart
Document Information
Modified date: 20 February 2022
UID: ibm10748023