User and permission management in Atman Object Storage

Currently, the creation of accounts in the service is carried out through an email request or the customer portal. Access keys to the service can be downloaded from the customer panel.

There are two types of users in the Atman Object Storage service: the master account and sub-accounts (subusers). Sub-user accounts exist within the master account and have their own credentials (access and secret keys). There are two ways to restrict access to individual resources: the access level granted to each sub-account, which applies to all resources created within the master account, and access policies defined at the bucket level (Bucket Policies).

Entitlements at sub-account level

It is possible to create named sub-accounts that have their own access keys. To do this, please send a request by email or via the customer panel. In the message, please indicate the names of the sub-users and the preferred rights to the buckets created within the account.

Access levels (each applies to all resources created within the account): READ, WRITE, READWRITE, FULL.

Operations governed by the access-level matrix:

  • creation of buckets

  • bucket list

  • listing the contents of buckets

  • removal of buckets

  • reading of objects

  • saving of objects

  • removal of objects

  • preview of bucket policies (ACLs and bucket policies)

  • assignment of access policies to buckets (ACLs and bucket policies)

The master account has full rights (FULL) to the resources created under it. Any user, regardless of the permissions granted at creation, can list buckets and create new ones. The master account is the owner of all created buckets.

Separation at bucket level (Bucket Policies)

The Bucket Policies mechanism is the recommended way to manage bucket permissions within the Atman Object Storage service. Policies are applied to individual buckets. Each policy contains an array of statements (instructions), and each statement contains the following elements:

Sid - an optional identifier for the instruction. This field allows the user to enter a brief description for the rule. This field must be unique within the policy being created. Acceptable characters: a-z, A-Z, and 0-9.

Effect - specifies whether the effect of the instruction will be to allow or deny the operation. By default, access to the resource is denied. Accepted values: Allow or Deny.

Principal/NotPrincipal - field defining the users affected by the rule. Users must be defined in ARN format (example below). The wildcard character * is not supported. Strict definition of users is required.

    "Principal": {
      "AWS": [
        "arn:aws:iam:::user/username01",
        "arn:aws:iam:::user/username01:subuser01"
      ]
    }

Action/NotAction - this field defines permitted or prohibited actions. A list of available actions is provided below.

Resource - the resource for which permissions are granted: a bucket or an object.

Condition - optional element. Conditions allow you to create expressions that specify when to apply a rule.

List of supported actions:

  • s3:AbortMultipartUpload

  • s3:CreateBucket

  • s3:DeleteBucketPolicy

  • s3:DeleteBucket

  • s3:DeleteBucketWebsite

  • s3:DeleteObject

  • s3:DeleteObjectVersion

  • s3:DeleteReplicationConfiguration

  • s3:GetAccelerateConfiguration

  • s3:GetBucketAcl

  • s3:GetBucketCORS

  • s3:GetBucketLocation

  • s3:GetBucketLogging

  • s3:GetBucketNotification

  • s3:GetBucketPolicy

  • s3:GetBucketRequestPayment

  • s3:GetBucketTagging

  • s3:GetBucketVersioning

  • s3:GetBucketWebsite

  • s3:GetLifecycleConfiguration

  • s3:GetObjectAcl

  • s3:GetObject

  • s3:GetObjectTorrent

  • s3:GetObjectVersionAcl

  • s3:GetObjectVersion

  • s3:GetObjectVersionTorrent

  • s3:GetReplicationConfiguration

  • s3:ListAllMyBuckets

  • s3:ListBucketMultiPartUploads

  • s3:ListBucket

  • s3:ListBucketVersions

  • s3:ListMultipartUploadParts

  • s3:PutAccelerateConfiguration

  • s3:PutBucketAcl

  • s3:PutBucketCORS

  • s3:PutBucketLogging

  • s3:PutBucketNotification

  • s3:PutBucketPolicy

  • s3:PutBucketRequestPayment

  • s3:PutBucketTagging

  • s3:PutBucketVersioning

  • s3:PutBucketWebsite

  • s3:PutLifecycleConfiguration

  • s3:PutObjectAcl

  • s3:PutObject

  • s3:PutObjectVersionAcl

  • s3:RestoreObject

List of supported conditions:

  • aws:CurrentTime

  • aws:EpochTime

  • aws:SourceIp

  • aws:username

Examples of use

Public bucket

Allow objects to be listed and retrieved by anyone, including anonymous users. The bucket to which the following policy is assigned will be visible to everyone, i.e. to all Atman Object Storage users and to requests from the public network.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "*"
          },
          "Action": [
            "s3:ListBucket",
            "s3:GetObject"
          ],
          "Resource": [
            "arn:aws:s3:::przykladowy-bucket",
            "arn:aws:s3:::przykladowy-bucket/*"
          ]
        }
      ]
    }
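As an added example (not part of the Atman documentation), the following Python script lints a bucket policy against the rules stated above: the Sid character set and uniqueness, the Effect values, the supported action and condition-key lists, and resources limited to the target bucket. It also carries a constructed least-privilege policy for a sub-user that is read-only and restricted by aws:SourceIp; the IpAddress condition operator and the 203.0.113.0/24 range are assumptions, and the action set is an abbreviated subset of the list above.

```python
import re

# Supported actions (abbreviated subset of the page's list) and condition keys.
SUPPORTED_ACTIONS = {"s3:ListBucket", "s3:GetObject", "s3:PutObject",
                     "s3:DeleteObject", "s3:GetBucketPolicy", "s3:PutBucketPolicy"}
SUPPORTED_CONDITION_KEYS = {"aws:CurrentTime", "aws:EpochTime", "aws:SourceIp", "aws:username"}
SID_RE = re.compile(r"^[a-zA-Z0-9]+$")  # Sid character set stated on the page


def _as_list(value):  # policy fields may be a single string or a list
    return [value] if isinstance(value, str) else list(value or [])


def lint_policy(policy: dict, bucket: str) -> list[str]:
    """Return problems found; [] means the policy respects the rules above."""
    problems, seen_sids = [], set()
    for i, st in enumerate(policy.get("Statement", [])):
        where = f"statement {i}"
        sid = st.get("Sid", "")
        if sid and not SID_RE.match(sid):
            problems.append(f"{where}: Sid '{sid}' must use only a-z, A-Z, 0-9")
        if sid and sid in seen_sids:
            problems.append(f"{where}: duplicate Sid '{sid}'")
        seen_sids.add(sid)
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be Allow or Deny")
        for action in _as_list(st.get("Action", st.get("NotAction"))):
            if action not in SUPPORTED_ACTIONS:
                problems.append(f"{where}: unsupported action {action}")
        for operator in st.get("Condition", {}).values():  # e.g. {"IpAddress": {...}}
            for key in operator:
                if key not in SUPPORTED_CONDITION_KEYS:
                    problems.append(f"{where}: unsupported condition key {key}")
        in_scope = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
        for res in _as_list(st.get("Resource")):
            if res not in in_scope:
                problems.append(f"{where}: resource {res} is outside {bucket}")
    return problems


# Constructed sample: subuser01 may only list and read example-bucket, and only
# from the made-up range 203.0.113.0/24 (the IpAddress operator is an assumption).
READ_ONLY_FROM_OFFICE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "SubuserReadOnlyFromOffice",
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam:::user/username01:subuser01"]},
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
}
```

Run `lint_policy(READ_ONLY_FROM_OFFICE, "example-bucket")` before applying a policy; an empty list means it passes, and any returned string names the statement and the rule it breaks.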

Application of policies

awscli

    aws s3api put-bucket-policy --bucket example-bucket --policy file://file.json --endpoint-url https://s3.atman.pl

s3cmd

    s3cmd setpolicy policy.json s3://example-bucket