Resource-level Permissions in an IAM Policy
Describes the resource-level permissions that can be allowed or denied in an IAM policy.
You can configure resource-level permissions at the following levels:
- Fabric level
- Volume level
- Bucket level
Fabric-level Permissions
You can configure the following permissions in an IAM policy for fabrics, external S3 servers, or external NFS servers.
Permission | Description |
---|---|
ViewClusterConfig | Permission to view cluster configuration. |
ManageClusterServices | Permission to manage various fabric-level services. |
ManageClusterOperations | Permission to manage cluster operations. |
ManageClusterSettings | Permission to manage various cluster settings. |
ManageIamRoleOperations | Permission to manage operations related to user-defined roles. |
ManageClusterACE | Permission to manage fabric-level access control expressions (ACEs). |
ManageStartStopService | Permission to start and stop fabric services. |
ManageClusterVolume | Permission to manage volumes on a fabric. |
Volume-level Permissions
The following permissions can be granted in an IAM policy for volumes.
Permission | Description |
---|---|
ReadVolume | Permission to read a volume. |
WriteVolume | Permission to write a volume. |
DeleteVolume | Permission to delete a volume. |
MountVolume | Permission to mount a volume. |
MirrorVolume | Permission to mirror a volume. |
ManageVolumeConfig | Permission to manage volume configuration. |
ManageVolumeACE | Permission to manage volume ACE. |
VolumeFullControl | Permission to perform all allowable operations on a volume. |
Bucket-level Permissions
The following permissions can be granted in an IAM policy for Data Fabric S3 buckets.
Permission | Description |
---|---|
AbortMultiPartUpload | Permission to abort a multi-part upload of an object to an S3 bucket. |
DeleteBucket | Permission to delete an S3 bucket |
ForceDeleteBucket | Permission to force an S3 bucket deletion |
DeleteBucketPolicy | Permission to delete an S3 bucket policy |
DeleteObject | Permission to delete object from an S3 bucket |
GetBucketLocation | Permission to get location or region for an S3 bucket |
GetBucketNotification | Permission to get notification for an S3 bucket |
GetBucketPolicy | Permission to get the policy of an S3 bucket. |
GetObject | Permission to retrieve an object from S3 server/bucket. |
HeadBucket | Permission to check that an S3 bucket exists and that the caller is permitted to access it. |
ListAllMyBuckets | Permission to retrieve the list of S3 buckets owned by the sender of the request. |
ListBucket | Permission to list the objects in an S3 bucket. |
ListBucketVersions | Permission to list the object versions in an S3 bucket. |
ListBucketMultiPartUploads | Permission to retrieve a list of the multi part uploads for an S3 bucket. |
ListMultiPartUploadParts | Permission to retrieve list of parts in a multi-part upload into an S3 bucket |
PutBucketLifeCycle | Permission to create a new lifecycle configuration for an S3 bucket or replace an existing one. |
GetBucketLifeCycle | Permission to retrieve lifecycle configuration for S3 bucket |
PutBucketNotification | Permission to enable notifications for specified events related to S3 bucket. |
PutBucketEncryption | Permission to configure encryption and keys on an S3 bucket |
DeleteObjectTagging | Permission to delete object tagging |
PutBucketPolicy | Permission to apply bucket policy to an S3 bucket |
PutObject | Permission to add object to S3 bucket |
PutObjectRetention | Permission to configure object retention settings on an object |
GetObjectRetention | Permission to retrieve object retention configuration on an object |
GetObjectLegalHold | Permission to retrieve the legal hold status for an object |
PutObjectLegalHold | Permission to configure legal hold for an object. |
GetBucketObjectLockConfiguration | Permission to retrieve the object lock configuration for an S3 bucket |
PutBucketObjectLockConfiguration | Permission to configure the object lock settings for an S3 bucket |
GetBucketTagging | Permission to retrieve the tags associated with an S3 bucket |
PutBucketTagging | Permission to set tags for an S3 bucket |
GetObjectVersion | Permission to access a specific version of an object |
GetObjectVersionTagging | Permission to retrieve tag of an object version |
DeleteObjectVersion | Permission to delete an object version |
DeleteObjectVersionTagging | Permission to delete an object version tagging |
PutObjectVersionTagging | Permission to set a tag for an object version |
GetObjectTagging | Permission to retrieve the set of tags for an object. |
PutObjectTagging | Permission to set the tags for an object |
GetBucketEncryption | Permission to retrieve the encryption settings for an S3 bucket |
PutBucketVersioning | Permission to set the versioning state for an S3 bucket |
GetBucketVersioning | Permission to retrieve the versioning state for an S3 bucket |
GetReplicationConfiguration | Permission to retrieve replication configuration |
PutReplicationConfiguration | Permission to set replication configuration |
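The tables above only name the permissions. As an added example (not code from the product documentation), the following Python linter checks the permission names in a policy against those tables: it reports names that are not listed at the statement's level, suggests a correction for misspelled names, and flags Allow statements that grant permissions which change access rules (ACEs, roles, bucket policies) or can destroy or weaken data protections. The statement structure (Effect, Level, Permissions), the evaluation of each statement in isolation and the choice of high-impact names are assumptions made for this example; the permission names themselves come from the tables.

```python
import difflib

# Permission names as listed in the tables on this page, grouped by the
# level at which an IAM policy statement can grant them.
FABRIC_PERMISSIONS = {
    "ViewClusterConfig", "ManageClusterServices", "ManageClusterOperations",
    "ManageClusterSettings", "ManageIamRoleOperations", "ManageClusterACE",
    "ManageStartStopService", "ManageClusterVolume",
}
VOLUME_PERMISSIONS = {
    "ReadVolume", "WriteVolume", "DeleteVolume", "MountVolume", "MirrorVolume",
    "ManageVolumeConfig", "ManageVolumeACE", "VolumeFullControl",
}
BUCKET_PERMISSIONS = {
    "AbortMultiPartUpload", "DeleteBucket", "ForceDeleteBucket", "DeleteBucketPolicy",
    "DeleteObject", "GetBucketLocation", "GetBucketNotification", "GetBucketPolicy",
    "GetObject", "HeadBucket", "ListAllMyBuckets", "ListBucket", "ListBucketVersions",
    "ListBucketMultiPartUploads", "ListMultiPartUploadParts", "PutBucketLifeCycle",
    "GetBucketLifeCycle", "PutBucketNotification", "PutBucketEncryption",
    "DeleteObjectTagging", "PutBucketPolicy", "PutObject", "PutObjectRetention",
    "GetObjectRetention", "GetObjectLegalHold", "PutObjectLegalHold",
    "GetBucketObjectLockConfiguration", "PutBucketObjectLockConfiguration",
    "GetBucketTagging", "PutBucketTagging", "GetObjectVersion", "GetObjectVersionTagging",
    "DeleteObjectVersion", "DeleteObjectVersionTagging", "PutObjectVersionTagging",
    "GetObjectTagging", "PutObjectTagging", "GetBucketEncryption", "PutBucketVersioning",
    "GetBucketVersioning", "GetReplicationConfiguration", "PutReplicationConfiguration",
}
PERMISSIONS_BY_LEVEL = {
    "fabric": FABRIC_PERMISSIONS,
    "volume": VOLUME_PERMISSIONS,
    "bucket": BUCKET_PERMISSIONS,
}
ALL_PERMISSIONS = sorted(set().union(*PERMISSIONS_BY_LEVEL.values()))

# Assumed for this example: permissions that change who can do what, or that
# delete data or weaken retention/encryption protections. Allowing any of
# these deserves an explicit review.
HIGH_IMPACT = {
    "ManageIamRoleOperations", "ManageClusterACE", "ManageVolumeACE",
    "VolumeFullControl", "DeleteVolume",
    "PutBucketPolicy", "DeleteBucketPolicy", "DeleteBucket", "ForceDeleteBucket",
    "PutBucketEncryption", "PutBucketObjectLockConfiguration",
    "PutObjectRetention", "PutObjectLegalHold",
}


def lint_policy(policy):
    """Return a list of (severity, statement_index, message) findings.

    The policy shape is an assumption for this example:
    {"Statement": [{"Effect": ..., "Level": ..., "Permissions": [...]}, ...]}.
    Errors: unknown level, a name not listed at that level, a misspelled name.
    Warnings: an Allow of a HIGH_IMPACT permission.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        level = stmt.get("Level")
        allowed_here = PERMISSIONS_BY_LEVEL.get(level)
        if allowed_here is None:
            findings.append(("error", i, f"unknown level {level!r}"))
            continue
        for perm in stmt.get("Permissions", []):
            if perm in allowed_here:
                if stmt.get("Effect") == "Allow" and perm in HIGH_IMPACT:
                    findings.append(("warning", i, f"Allow of high-impact permission {perm}"))
                continue
            # Valid name, wrong level: tell the author where it belongs.
            other = [lvl for lvl, names in PERMISSIONS_BY_LEVEL.items() if perm in names]
            if other:
                findings.append(("error", i,
                                 f"{perm} is a {other[0]}-level permission, not {level}-level"))
                continue
            # Unknown name: offer the closest listed name as a typo hint.
            close = difflib.get_close_matches(perm, ALL_PERMISSIONS, n=1, cutoff=0.8)
            hint = f"; did you mean {close[0]}?" if close else ""
            findings.append(("error", i, f"unknown permission {perm}{hint}"))
    return findings


# Constructed sample policy for illustration; not taken from the product documentation.
SAMPLE_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Level": "bucket",
         "Permissions": ["GetObject", "ListBucket", "GetBucketLocation"]},
        {"Effect": "Allow", "Level": "bucket",
         "Permissions": ["PutBucketPolicy", "ReadVolume", "GettObjectTagging"]},
        {"Effect": "Allow", "Level": "volume", "Permissions": ["VolumeFullControl"]},
        {"Effect": "Deny", "Level": "fabric", "Permissions": ["ManageClusterACE"]},
    ]
}

if __name__ == "__main__":
    for severity, idx, msg in lint_policy(SAMPLE_POLICY):
        print(f"{severity}: statement {idx}: {msg}")
```

Run against the sample, the first statement (a read-only bucket grant) is clean, the second produces one warning (PutBucketPolicy lets the grantee rewrite the bucket's own access policy) and two errors (a volume-level name in a bucket statement, and a misspelling with a suggested correction), the third warns on VolumeFullControl, and the Deny of ManageClusterACE produces nothing because denying a high-impact permission is the conservative direction.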