IBM Support

IAM role permissions for S3 buckets

Question & Answer


Question

IAM role permissions for S3 buckets

Answer

Summary

This article describes the minimum permissions Aspera requires to upload, download or list content in an S3 bucket. The IAM policy can be used in multiple types of Aspera deployments, e.g. if you are running your own Aspera Server on Demand (AOD), or if you are using the Aspera Transfer Service (ATS).

Details

The table below shows the IAM policy actions required for each operation. Each operation (upload, download, and browse or delete) is listed separately, so a role that only needs one of them can be limited to that column.

Permission                     | Required for upload? | Required for download? | Required for browse or delete? | Comments
-------------------------------+----------------------+------------------------+--------------------------------+---------
s3:AbortMultipartUpload        | X                    |                        | browse + delete                |
s3:DeleteObject                | X                    |                        | browse + delete                |
s3:GetBucketLocation           | X                    | X                      | browse                         | Tuning exists if the user wants to remove the need for this permission. (2)
s3:GetObject                   |                      | X                      | browse                         |
s3:ListBucket                  | X                    | X                      | browse                         |
s3:ListBucketMultipartUploads  | X                    | X                      | browse + delete                |
s3:ListMultipartUploadParts    | X                    |                        |                                |
s3:PutObject                   | X                    |                        |                                |
s3:ListAllMyBuckets (1)        | X                    |                        |                                | (1) No longer required as of 3.5.2; however, it is required if a bucket name is not included in the policy (like *).

Example

Here is an example IAM policy that grants the minimum required permissions for a specific bucket (YOUR_BUCKET, shown as my_bucket in the policy below). Please make the appropriate substitutions. Note that object-level actions are granted on the bucket's object ARN (my_bucket/*), while bucket-level actions are granted on the bucket ARN itself.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1464034295000",
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:ListMultipartUploadParts",
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::my_bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": [
        "arn:aws:s3:::my_bucket"
      ]
    }
  ]
}

1. As of the Enterprise Server 3.5.2 release, the ListAllMyBuckets permission is no longer required for Aspera to upload to object storage.

NOTE: ATS runs a version newer than 3.5.2.

2. To remove the requirement for "GetBucketLocation" (3.5.2 release or later), do the following (NOTE: ATS requires this option):

(a) Edit /opt/aspera/etc/trap/s3.properties and disable the requirement by setting the following option:

aspera.session.check-bucket.transfer=false

(b) Restart asperatrapd with the following command:

# /etc/init.d/asperatrapd restart
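The following script is an added example, not part of this IBM article or of Aspera's own tooling. It encodes the upload and download columns of the table above and checks a policy document for the actions it fails to grant on the right ARN, including the footnote (1) rule that a policy which never names the bucket still needs ListAllMyBuckets. The policies embedded at the end are the page's example policy and a constructed read-only policy; Deny statements and Conditions are deliberately not evaluated.

```python
import fnmatch

# Object-level actions are granted on arn:aws:s3:::BUCKET/*; the others on arn:aws:s3:::BUCKET.
OBJECT_ACTIONS = {"s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject",
                  "s3:ListMultipartUploadParts", "s3:PutObject"}
# Minimum actions per operation, taken from the upload and download columns of the table above.
REQUIRED = {
    "upload": {"s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetBucketLocation", "s3:ListBucket",
               "s3:ListBucketMultipartUploads", "s3:ListMultipartUploadParts", "s3:PutObject"},
    "download": {"s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket", "s3:ListBucketMultipartUploads"},
}

def _as_list(value):  # IAM accepts a bare string or a list for Action and Resource
    return value if isinstance(value, list) else [value]

def _arn(action, bucket):
    """ARN the action must be granted on: "*" for ListAllMyBuckets, object or bucket ARN otherwise."""
    if action == "s3:ListAllMyBuckets":
        return "*"
    return f"arn:aws:s3:::{bucket}" + ("/*" if action in OBJECT_ACTIONS else "")

def _allowed(policy, action, arn):
    """True if an Allow statement grants `action` on `arn` (IAM-style wildcards honoured).
    Deny statements and Conditions are ignored: this is a static minimum check, not an IAM simulator."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt.get("Action", []))) and \
           any(fnmatch.fnmatchcase(arn, p) for p in _as_list(stmt.get("Resource", []))):
            return True
    return False

def check_policy(policy, bucket, operation):
    """Return, sorted, the actions required for `operation` on `bucket` that `policy` does not grant."""
    required = set(REQUIRED[operation])
    resources = [r for s in policy["Statement"] for r in _as_list(s.get("Resource", []))]
    # Footnote (1): a policy that never names the bucket (e.g. Resource "*") still needs ListAllMyBuckets.
    if not any(f"arn:aws:s3:::{bucket}" in r for r in resources):
        required.add("s3:ListAllMyBuckets")
    return [a for a in sorted(required) if not _allowed(policy, a, _arn(a, bucket))]

# The page's example policy for my_bucket, and a constructed read-only policy for comparison.
EXAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "arn:aws:s3:::my_bucket/*", "Action": ["s3:AbortMultipartUpload",
     "s3:DeleteObject", "s3:ListMultipartUploadParts", "s3:PutObject", "s3:GetObject"]},
    {"Effect": "Allow", "Resource": "arn:aws:s3:::my_bucket", "Action": ["s3:GetBucketLocation",
     "s3:ListBucket", "s3:ListBucketMultipartUploads"]}]}
READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my_bucket/*"},
    {"Effect": "Allow", "Action": "s3:List*", "Resource": "arn:aws:s3:::my_bucket"}]}
```

Running check_policy(READ_ONLY_POLICY, "my_bucket", "upload") shows that "s3:List*" on the bucket ARN does not satisfy ListMultipartUploadParts, because that action must be granted on the object ARN.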


Document Information

Modified date:
20 February 2022

UID

ibm10748023