Resource-level Permissions in an IAM Policy
Describes various resource-level permissions that can be allowed or denied in an IAM policy.
You can configure the resource-level permissions at the following levels:
- Fabric level
- Bucket level
- Volume level
Fabric-level Permissions
You can configure the following permissions in an IAM policy for fabrics, external S3 servers, or external NFS servers.
| Permission | Description |
|---|---|
| ViewClusterConfig | Permission to view cluster configuration. |
| ManageClusterServices | Permission to manage various fabric-level services. |
| ManageClusterOperations | Permission to manage cluster operations. |
| ManageClusterSettings | Permission to manage various cluster settings. |
| ManageIamRoleOperations | Permission to manage operations related to user-defined roles. |
| ManageClusterACE | Permission to manage fabric ACE. |
| ManageStartStopService | Permission to start and stop fabric services. |
| ManageClusterVolume | Permission to manage volumes on a fabric. |
Volume-level Permissions
The following permissions can be granted in an IAM policy for volumes.
| Permission | Description |
|---|---|
| ReadVolume | Permission to read a volume. |
| WriteVolume | Permission to write a volume. |
| DeleteVolume | Permission to delete a volume. |
| MountVolume | Permission to mount a volume. |
| MirrorVolume | Permission to mirror a volume. |
| ManageVolumeConfig | Permission to manage volume configuration. |
| ManageVolumeACE | Permission to manage volume ACE. |
| VolumeFullControl | Permission to perform all allowable operations on a volume. |
Bucket-level Permissions
The following permissions can be granted in an IAM policy for Data Fabric S3 buckets.
| Permission | Description |
|---|---|
| AbortMultiPartUpload | Permission to abort a multi-part upload of an object to an S3 bucket |
| DeleteBucket | Permission to delete an S3 bucket |
| ForceDeleteBucket | Permission to force an S3 bucket deletion |
| DeleteBucketPolicy | Permission to delete an S3 bucket policy |
| DeleteObject | Permission to delete an object from an S3 bucket |
| GetBucketLocation | Permission to get location or region for an S3 bucket |
| GetBucketNotification | Permission to get notification for an S3 bucket |
| GetBucketPolicy | Permission to get the policy of an S3 bucket. |
| GetObject | Permission to retrieve an object from an S3 bucket. |
| HeadBucket | Permission to check that an S3 bucket exists and that the caller has access to it (no contents are returned) |
| ListAllMyBuckets | Permission to retrieve a list of S3 buckets owned by the sender of the request |
| ListBucket | Permission to list the objects in an S3 bucket |
| ListBucketVersions | Permission to list the object versions in an S3 bucket |
| ListBucketMultiPartUploads | Permission to retrieve a list of the multi part uploads for an S3 bucket. |
| ListMultiPartUploadParts | Permission to retrieve list of parts in a multi-part upload into an S3 bucket |
| PutBucketLifeCycle | Permission to create a new lifecycle configuration for an S3 bucket or replace an existing one. |
| GetBucketLifeCycle | Permission to retrieve the lifecycle configuration for an S3 bucket |
| PutBucketNotification | Permission to enable notifications for specified events related to an S3 bucket. |
| PutBucketEncryption | Permission to configure encryption and keys on an S3 bucket |
| DeleteObjectTagging | Permission to delete object tagging |
| PutBucketPolicy | Permission to apply bucket policy to an S3 bucket |
| PutObject | Permission to add an object to an S3 bucket |
| PutObjectRetention | Permission to configure object retention settings on an object |
| GetObjectRetention | Permission to retrieve object retention configuration on an object |
| GetObjectLegalHold | Permission to retrieve the legal hold status for an object |
| PutObjectLegalHold | Permission to configure legal hold for an object. |
| GetBucketObjectLockConfiguration | Permission to retrieve the object lock configuration for an S3 bucket |
| PutBucketObjectLockConfiguration | Permission to configure the object lock settings for an S3 bucket |
| GetBucketTagging | Permission to retrieve the tags associated with an S3 bucket |
| PutBucketTagging | Permission to set tags for an S3 bucket |
| GetObjectVersion | Permission to access a specific version of an object |
| GetObjectVersionTagging | Permission to retrieve tag of an object version |
| DeleteObjectVersion | Permission to delete an object version |
| DeleteObjectVersionTagging | Permission to delete an object version tagging |
| PutObjectVersionTagging | Permission to set a tag for an object version |
| GetObjectTagging | Permission to retrieve the set of tags for an object |
| PutObjectTagging | Permission to set the tags for an object |
| GetBucketEncryption | Permission to retrieve the encryption settings for an S3 bucket |
| PutBucketVersioning | Permission to set the versioning state for an S3 bucket |
| GetBucketVersioning | Permission to retrieve the versioning state for an S3 bucket |
| GetReplicationConfiguration | Permission to retrieve replication configuration |
| PutReplicationConfiguration | Permission to set replication configuration |
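Before attaching a policy that uses these permission names, it is worth checking it mechanically: every action should be a name from one of the three tables, wildcards should be caught, and the few permissions that change who else can act (ACE and policy management) or destroy data irreversibly (forced deletes, volume deletion, full control) should be called out for review. The following is an added example written for this page, not code from the Data Fabric product or its documentation. It assumes an AWS-style policy layout (`Statement` list with `Effect`, `Action` and `Resource`), assumes an explicit Deny overrides an Allow, and the "high impact" list is the editor's judgment; confirm all three against your fabric's actual policy evaluation rules.

```python
"""Lint an IAM-style policy against the fabric, volume and bucket permission tables."""
import json

# Permission names per resource level, transcribed from the three tables on this page.
FABRIC_PERMS = frozenset({
    "ViewClusterConfig", "ManageClusterServices", "ManageClusterOperations",
    "ManageClusterSettings", "ManageIamRoleOperations", "ManageClusterACE",
    "ManageStartStopService", "ManageClusterVolume",
})
VOLUME_PERMS = frozenset({
    "ReadVolume", "WriteVolume", "DeleteVolume", "MountVolume", "MirrorVolume",
    "ManageVolumeConfig", "ManageVolumeACE", "VolumeFullControl",
})
BUCKET_PERMS = frozenset({
    "AbortMultiPartUpload", "DeleteBucket", "ForceDeleteBucket", "DeleteBucketPolicy",
    "DeleteObject", "GetBucketLocation", "GetBucketNotification", "GetBucketPolicy",
    "GetObject", "HeadBucket", "ListAllMyBuckets", "ListBucket", "ListBucketVersions",
    "ListBucketMultiPartUploads", "ListMultiPartUploadParts", "PutBucketLifeCycle",
    "GetBucketLifeCycle", "PutBucketNotification", "PutBucketEncryption",
    "DeleteObjectTagging", "PutBucketPolicy", "PutObject", "PutObjectRetention",
    "GetObjectRetention", "GetObjectLegalHold", "PutObjectLegalHold",
    "GetBucketObjectLockConfiguration", "PutBucketObjectLockConfiguration",
    "GetBucketTagging", "PutBucketTagging", "GetObjectVersion", "GetObjectVersionTagging",
    "DeleteObjectVersion", "DeleteObjectVersionTagging", "PutObjectVersionTagging",
    "GetObjectTagging", "PutObjectTagging", "GetBucketEncryption", "PutBucketVersioning",
    "GetBucketVersioning", "GetReplicationConfiguration", "PutReplicationConfiguration",
})
LEVELS = {"fabric": FABRIC_PERMS, "volume": VOLUME_PERMS, "bucket": BUCKET_PERMS}

# Permissions that let the holder change other principals' access, or that destroy data
# irreversibly. This is the editor's judgment for the example, not a list from the page.
HIGH_IMPACT = frozenset({
    "ManageClusterACE", "ManageIamRoleOperations", "ManageVolumeACE", "VolumeFullControl",
    "DeleteVolume", "ForceDeleteBucket", "DeleteBucket", "PutBucketPolicy",
    "DeleteBucketPolicy", "PutBucketEncryption", "PutBucketObjectLockConfiguration",
    "DeleteObjectVersion",
})


def _actions(stmt):
    """Normalise the Action field, which may be a single string or a list."""
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def level_of(action):
    """Return the resource level an action belongs to, or None if it is not a known permission."""
    for name, perms in LEVELS.items():
        if action in perms:
            return name
    return None


def effective_permissions(policy):
    """Permissions allowed per level after applying every statement.
    Assumption: an explicit Deny wins over any Allow (AWS-style evaluation).
    A statement whose Effect is not 'Allow' is treated as a Deny, i.e. fail closed."""
    allowed = {name: set() for name in LEVELS}
    denied = {name: set() for name in LEVELS}
    for stmt in policy.get("Statement", []):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for action in _actions(stmt):
            if action == "*":  # wildcard spans every level, not just one table
                for name, perms in LEVELS.items():
                    target[name] |= perms
            elif level_of(action) is not None:
                target[level_of(action)].add(action)
    return {name: allowed[name] - denied[name] for name in LEVELS}


def lint(policy):
    """Findings a reviewer would want resolved before this policy is attached to a principal."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"statement {idx}: Effect must be Allow or Deny")
        for action in _actions(stmt):
            if action == "*":
                findings.append(f"statement {idx}: wildcard Action grants every permission at every level")
            elif level_of(action) is None:
                findings.append(f"statement {idx}: unknown permission {action!r} (check the tables for a typo)")
    for name, perms in effective_permissions(policy).items():
        for action in sorted(perms & HIGH_IMPACT):
            findings.append(f"{name} level: {action} is effectively allowed; confirm this is intended")
    return findings


# Constructed sample policy for this example (not from the page). The layout and the
# Resource value are assumptions about the fabric's policy syntax.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["GetObject", "ListBucket", "PutObject", "VolumeFullControl"],
     "Resource": ["*"]},
    {"Effect": "Deny",  "Action": ["DeleteObject", "DeleteVolume"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": "ListObjects", "Resource": ["*"]}
  ]
}
""")

if __name__ == "__main__":
    for finding in lint(SAMPLE_POLICY):
        print(finding)
```

On the sample, the linter reports the misspelt action `ListObjects` (not a permission in any table, so the fabric would never grant it, and the author probably meant `ListBucket`) and flags `VolumeFullControl`, which the Deny on `DeleteVolume` does not narrow because full control is a separate permission that the page describes as covering all allowable volume operations.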