1. Reference link. Create a group (Group) and give the users in this group the Programmatic (the user can create an API key) permission.
2. Set permissions for the root user:
Steps 1 & 2 (creation of the root user and storage buckets) should be familiar to all Wasabi users so they are not covered in depth here.
For this example, click + to select the WasabiFullAccess policy.
Download the CSV file and save the user's Access Key ID and Secret Access Key.
Step 3 (creation of an IAM policy for each customer that limits their access to just their storage bucket) will be new to some Wasabi users so the process is covered here.
In this example, an IAM policy called IAM_policy is created for customer1 and a bucket name of user1-bucket is used.
Note: To perform any bucket/object operations through the console, the sub-user MUST have the "ListAllMyBuckets" permission. This lets the sub-user list all buckets when logged into the console, but they can only access content in the bucket they have been granted permission to.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::user1-bucket",
        "arn:aws:s3:::user1-bucket/*"
      ]
    }
  ]
}
Now that you have created a bucket limit policy for each customer, you can create sub-users for each customer (step 4 described above). From the Wasabi web console IAM menu, you can create a user using the guidelines below. Remember to select the “Programmatic (create API key)” option so you can create an API key set for future use with this customer’s storage app. You can also provide this customer with console access if needed.
4. Sub-user access-limiting policy that allows read/write/delete inside their own bucket but does not allow deleting the bucket itself
Create a new policy with the following content:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": "s3:DeleteBucket",
      "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ]
    }
  ]
}
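To check what the step-3 and step-4 policies actually permit before handing keys to a customer, the following added example (not Wasabi's or AWS's code) runs a simplified IAM-style evaluation over the step-4 policy with "bucket-name" filled in as the hypothetical customer bucket "user1-bucket". It models only the rules that matter here: an explicit Deny wins over any Allow, and a request matched by no statement is implicitly denied; conditions, NotAction/NotResource and principals are not modelled.

```python
import json
import re

# Constructed copy of the page's step-4 policy, with the hypothetical
# customer bucket name "user1-bucket" substituted for "bucket-name".
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::user1-bucket", "arn:aws:s3:::user1-bucket/*"]},
    {"Effect": "Deny", "Action": "s3:DeleteBucket",
     "Resource": ["arn:aws:s3:::user1-bucket", "arn:aws:s3:::user1-bucket/*"]}
  ]
}
""")

def _matches(pattern, value):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.
    Simplified: explicit Deny overrides Allow; no matching statement means
    implicit deny. Conditions and NotAction/NotResource are not handled."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny ends evaluation
        decision = "Allow"
    return decision

if __name__ == "__main__":
    checks = [
        ("s3:ListAllMyBuckets", "arn:aws:s3:::"),                  # console bucket list
        ("s3:GetObject", "arn:aws:s3:::user1-bucket/report.csv"),  # own bucket
        ("s3:DeleteObject", "arn:aws:s3:::user1-bucket/report.csv"),
        ("s3:DeleteBucket", "arn:aws:s3:::user1-bucket"),          # blocked by Deny
        ("s3:GetObject", "arn:aws:s3:::user2-bucket/report.csv"),  # another customer
    ]
    for action, resource in checks:
        print(f"{action:22} {resource:45} -> {evaluate(POLICY, action, resource)}")
```

The last check is the isolation property the page is after: nothing in the policy names user2-bucket, so the request falls through to the implicit deny even though s3:* is allowed on the customer's own bucket.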