- Notes, cautions, and warnings
- Revision history
- About using this guide
- Overview
- Getting Started with ObjectScale
- IAM accounts and account entities
- Introduction to Identity and Access Management
- Accounts
- New Accounts
- View the summary of an account
- Edit Account
- Enable or Disable an Account
- Delete an account
- Users
- Groups
- Roles
- Policies
- Create a new customer-managed policy
- Edit a customer-managed policy
- Delete a customer-managed policy
- Attach a policy to an account entity
- Detach a policy from an account entity
- Attach a permission boundary to an account entity
- Detach a permission boundary from an account entity
- Actions in IAM Policy
- Principal types in IAM Policies
- Identity Provider
- Root Access Keys
- Notification Destinations
- Object stores
- About ObjectScale object stores
- Creating a new object store
- Edit the settings of an object store
- Delete an object store
- View the Summary of an object store
- View the Dashboard of an Object Store
- Understand object store space reclamation
- Set capacity alerts for an object store
- Add additional accounts to an object store
- Edit an account values for an object store
- Remove an account from an object store
- View the certificates for an object store
- Monitor and manage replication for an object store
- View the health of an object store
- Metrics
- Buckets
- About ObjectScale buckets
- Create a bucket
- Edit a bucket
- View the summary of a bucket
- Delete a bucket
- Configure Bucket Logging
- About bucket policies
- Setting up bucket event notifications
- View the Bucket Summary
- Managing Bucket Replication
- Federate ObjectScale Systems
- ObjectScale Replication
- Platform settings
- Management Users and Roles in ObjectScale
- Authentication Providers in ObjectScale Software Bundle
- ObjectScale Administration
- About the Administration section of the ObjectScale Portal
- Installing and maintaining the health of ObjectScale
- Licensing ObjectScale
- System support
- SAML Service Provider Metadata
- Manage ObjectScale Certificates
- Security settings
- Active sessions
- ObjectScale Upgrades
- ObjectScale 1.3 upgrade considerations
- Upgrade ObjectScale on OpenShift
- Upgrade Considerations for OpenShift Container Platform from 4.12 to 4.13
- Prerequisites for OpenShift Container Platform Upgrade from 4.12 to 4.13
- Upgrade Procedure for OpenShift Container Platform from 4.12 to 4.13
- Upgrade ObjectScale on Software Bundle
- Upgrade ObjectScale on Appliance
- Troubleshooting Object store upgrade status in progress after failed node repair
- ObjectScale Management REST API
- Accessing data with IAM and S3
- ObjectScale IAM overview
- Amazon S3 API support in ObjectScale
- Alerts
- About ObjectScale instance event and issue monitoring
- Monitoring Events, Audits, and Alerts
- CSI-01
- CSI-03
- CSI-05
- DECKS-HC-1000
- DECKS-LIC-1002
- DECKS-LIC-1005
- DECKS-LIC-1006
- DECKS-LIC-1008
- DECKS-LIC-1011
- DECKS-SA-1023
- DECKS-SA-1024
- KAHM-HC-1000
- OBJSC-CO-0000
- OBJSC-CO-0001
- OBJSC-CO-0002
- OBJSC-CO-0003
- OBJSC-CO-0004
- NVMF-1389
- NVMF-1390
- NVMF-1393
- NVMF-1395
- NVMF-1396
- OBJPRECHK-2000
- OBJPRECHK-2001
- OBJPRECHK-2002
- OBJPRECHK-2003
- OBJPRECHK-2004
- OBJPRECHK-2005
- OBJPRECHK-2006
- OBJPRECHK-2007
- OBJPRECHK-2008
- OBJPRECHK-2009
- OBJPRECHK-2010
- OBJPSTCHK-3000
- OBJPSTCHK-3001
- OBJPSTCHK-3002
- OBJPSTCHK-3003
- OBJSC-FED-1001
- OBJSC-IAM-1004
- OBJSC-LIC-0004
- OBJSC-MGR-3000
- OBJSC-MGR-HC-1000
- OBJSC-MON-1111
- OBJSC-MON-1112
- OBJSC-MON-1113
- OBJSC-MON-3002
- OBJSC-MON-3003
- OBJSC-MON-4019
- OBJSC-MON-4020
- OBJSC-MON-4021
- OBJSC-MON-4022
- OBJSC-MON-4025
- OBJSC-MON-4028
- OBJSC-SP-0000
- OBJSC-SP-0001
- OBJSC-SP-0002
- OBJSC-SP-0003
- OBJSC-SP-0004
- OBJSC-TARGET-01
- OBJSOP-1000
- OBJSOP-1001
- OBJSOP-1002
- OBJSOP-1003
- OBJSOP-1004
- OBJSOP-1005
- OBJSOP-1006
- OBJSOP-2001
- OBJSOP-2002
- OBJST-1006
- OBJST-1008
- OBJST-12001
- OBJST-12003
- OBJST-12004
- OBJST-12005
- OBJST-12006
- OBJST-12007
- OBJST-12008
- OBJST-12010
- OBJST-12011
- OBJST-13000
- OBJST-13001
- OBJST-13002
- OBJST-13003
- OBJST-13004
- OBJST-13005
- OBJST-13006
- OBJST-13007
- OBJST-13008
- OBJST-13009
- OBJST-13010
- OBJST-13011
- OBJSTEPUPD-4000
- OBJSTEPUPD-4001
- OBJSTEPUPD-4002
- OBJSTEPUPD-4003
- OBJSTEPUPD-4004
- OBJSTEPUPD-4005
- OBJSTEPUPD–4006
- OBJSTEPUPD–4007
- OBJSTEPUPD–4008
- OBJST-1320
- OBJST-1321
- OBJST-1324
- OBJST-1325
- OBJST-1328
- OBJST-1329
- OBJST-1332
- OBJST-1333
- OBJST-1336
- OBJST-1337
- OBJST-1340
- OBJST-1341
- OBJST-1344
- OBJST-1345
- OBJST-1352
- OBJST-1354
- OBJST-1364
- OBJST-1365
- OBJST-1366
- OBJST-1389
- OBJST-1390
- OBJST-1392
- OBJST-1600
- OBJST-1601
- OBJST-1602
- OBJST-1603
- OBJST-1604
- OBJST-1605
- OBJST-1700
- OBJST-1701
- OBJST-2100
- OBJST-2101
- OBJST-MON-4016
- OBJST-MON-4019
- OBJST-MON-4020
- OBJSTORE-HC-1000
- OBJUPD-1000
- SNMPNOTI-1000
- TEST TRAP
- Metrics for ObjectScale and object stores
- Maintain ObjectScale
- About ObjectScale service procedures
- About ObjectScale capacity expansion procedures
- About ObjectScale maintenance modes
- Maintenance mode in ObjectScale on OpenShift
- Place a node into temporary maintenance mode (ObjectScale on OpenShift)
- Remove a node from temporary maintenance mode (ObjectScale on OpenShift)
- Place a healthy node into permanent maintenance mode (ObjectScale on OpenShift)
- Place a failed node into permanent maintenance mode (ObjectScale on OpenShift)
- Temporary maintenance mode for ObjectScale Software Bundle
- Maintenance mode in ObjectScale on Appliance
- Disk replacement service procedure
- Perform a node replacement service procedure (ObjectScale on OpenShift)
- Add a node (ObjectScale Software Bundle)
- Remove a node (ObjectScale Software Bundle)
- Prepare a failed node for node hardware or software maintenance (ObjectScale Software Bundle)
- Prepare a healthy node for node hardware or software maintenance (ObjectScale Software Bundle)
- Replace a healthy node within the ObjectScale Software Bundle
- Replace a failed node within the ObjectScale Software Bundle
- Add a node (ObjectScale Appliance)
- Node Replacement on ObjectScale Appliance
- Node Repair on ObjectScale Appliance
- Failed Node Repair on ObjectScale Appliance
- View service procedure status
- Updating iDRAC IPs Using Server Patch API for ObjectScale Appliance
- Shutting Down and Restarting ObjectScale
- About ObjectScale service procedures
Dell ObjectScale 1.3 Administration Guide
Actions in IAM Policy
This section describes all the supported actions in IAM policies that allow system account users or IAM users to perform operations.
Actions supported for system account user
| Action | Description | Access Level | Resource Type (* required) | Condition Keys |
|---|---|---|---|---|
| account:* | All account actions. | N/A | - | - |
| account:CreateAccount | Create an account in ObjectScale instance. | Write | - | - |
| account:UpdateAccount | Update account configuration. | Write | - | - |
| account:ListAccounts | List all accounts created in all ObjectScale instances. | List | - | - |
| account:GetAccount | Retrieves information about the specified account. | Read | - | - |
| account:DeleteAccount | Delete the specified account. | Write | - | - |
| account:AssociateAccountToObjectStore | Associate account to object store. | Write | - | If required, can support below condition key. account:objectStoreId |
| account:UnassociateAccountToObjectStore | Disassociate account from object store. | Write | - | - |
| Action | Description | Access Level | Resource Type (* required) | Condition Keys |
|---|---|---|---|---|
| grafana:* | Grant all access for all object store operations. | * | - | - |
| Action | Description | Access Level | Resource Type (* required) | Condition Keys |
|---|---|---|---|---|
| objectstore:* | Grant access for all object store operations. | * | - | - |
| objectstore:Get* | Grant read access to object store. | Read | - | - |
| objectstore:Write* | Grant write access to object store. | Write | - | - |
| Action | Description | Access Level | Resource Type (* required) | Condition Keys |
|---|---|---|---|---|
| influxdb:* | Grant all influxdb operations. | * | - | - |
| influxdb:Get* | Grant influxdb read. | Read | - | - |
| influxdb:Write* | Grant influxdb write. | Write | - | - |
| Action | Description | Access Level | Resource Type (* required) | Condition Keys |
|---|---|---|---|---|
| Alert:* | Allows system account user to perform all alert operations. | * | - | - |
Actions supported for IAM identities
IAM user, role, and group support these actions.
| Action | Description | Access Level | Resource Type (* required) | Condition Keys |
|---|---|---|---|---|
| iam:AddUserToGroup | Adds an IAM user to the specified IAM group. | Write | group* | - |
| iam:AttachGroupPolicy | Attaches a specified managed policy to the specified IAM group. | Permissions management | group* | iam:PolicyARN |
| iam:AttachRolePolicy | Attaches a specified managed policy to the specified IAM role. | Permissions management | role* | iam:PolicyARN iam:PermissionsBoundaryiam:ResourceTag/${TagKey} |
| iam:AttachUserPolicy | Attaches a specified managed policy to the specified IAM user. | Permissions management | user* | iam:PolicyARN iam:PermissionsBoundary iam:ResourceTag/${TagKey} |
| iam:CreateAccessKey | Creates a new secret access credential for a specified IAM user. | Write | user* | - |
| iam:CreateGroup | Creates a IAM group in the namespace. | Write | group* | - |
| iam:CreatePolicy | Creates a new managed policy in the namespace. | Permissions management | policy* | - |
| iam:CreatePolicyVersion | Creates a version of the specified managed policy in namespace. | Permissions management | policy* | - |
| iam:CreateRole | Creates a IAM role in the namespace. | Write | role* | iam:PermissionsBoundary |
| iam:CreateSAMLProvider | Creates a SAML 2.0 identity provider (IdP) in the namespace. | Write | saml-provider* | - |
| iam:CreateUser | Creates an IAM user in namespace. | Write | user* | iam:PermissionsBoundary |
| iam:DeleteAccessKey | Deletes the specified access key credentials that are associated with the specified IAM user. | Write | user* | - |
| iam:DeleteGroup | Deletes the specified IAM group from the namespace. | Write | group* | - |
| iam:DeleteGroupPolicy | Deletes the specified inline policy from its group. | Permissions management | group* | - |
| iam:DeletePolicy | Deletes the specified managed policy. | Permissions management | policy* | iam:PolicyARN |
| iam:DeletePolicyVersion | Deletes the specified version from the managed policy. | Permissions management | policy* | - |
| iam:DeleteRole | Grants permission to delete the specified role. | Write | role* | - |
| iam:DeleteRolePermissionsBoundary | Deletes the permissions boundary for the specified IAM role. | Permissions management | role* | iam:PermissionsBoundaryiam:ResourceTag/${TagKey} |
| iam:DeleteRolePolicy | Deletes the specified inline policy from its role. | Permissions management | role* | iam:PermissionsBoundary |
| iam:DeleteSAMLProvider | Deletes a specified SAML provider. | Write | saml-provider* | - |
| iam:DeleteUser | Deletes the specified IAM user from the namespace. | Write | user* | iam:ResourceTag/${TagKey} |
| iam:DeleteUserPermissionsBoundary | Deletes the permissions boundary for the specified IAM user. | Permissions management | user* | iam:PermissionsBoundaryiam:ResourceTag/${TagKey} |
| iam:DeleteUserPolicy | Deletes the specified inline policy from its user. | Permissions management | user* | iam:PermissionsBoundary iam:ResourceTag/${TagKey} |
| iam:DetachGroupPolicy | Detach a specified managed policy from the specified IAM group. | Permissions management | group* | - |
| iam:DetachRolePolicy | Detach a specified managed policy from the specified IAM role. | Permissions management | role* | iam:PolicyARN iam:PermissionsBoundaryiam:ResourceTag/${TagKey} |
| iam:DetachUserPolicy | Detach a specified managed policy from the specified IAM user. | Permissions management | user* | iam:PolicyARN iam:PermissionsBoundaryiam:ResourceTag/${TagKey} |
| iam:GetAccessKeyLastUsed | Retrieves best effort information about when the specified access key was last used. | Read | user* | - |
| iam:GetContextKeysForCustomPolicy | Retrieves a list of all the context keys that are referenced in the input policies. | Read | - | - |
| iam:GetContextKeysForPrincipalPolicy | Detach a specified managed policy from the specified IAM entity. | Read | user, group, role | - |
| iam:GetGroup | Retrieves a list of IAM users that are in the specified IAM group. You can paginate the results using the MaxItems and Marker parameters. | Read | group* | - |
| iam:GetGroupPolicy | Gets the specified inline policy document from the specified IAM group. | Read | group* | - |
| iam:GetPolicy | Retrieves information about the specified managed policy. | Read | policy* | - |
| iam:GetPolicyVersion | Retrieve information about a version of the specified managed policy. | Read | policy* | - |
| iam:GetRole | Retrieves information about the specified role. | Read | role* | iam:ResourceTag/${TagKey} |
| iam:GetPolicy | Retrieves information about specified managed policy. | Read | policy* | - |
| iam:GetPolicyVersion | Retrieves information about specified version of the managed policy. | Read | policy* | - |
| iam:GetRolePolicy | Retrieves the specified inline policy document that is embedded with the specified IAM role. | Read | role* | iam:ResourceTag/${TagKey} |
| iam:GetSAMLProvider | Retrieves the SAML provider metadata document that is associated with the IAM SAML provider resource. | Read | saml-provider* | - |
| iam:GetUser | Retrieves information about the specified IAM user. | Read | user* | iam:ResourceTag/${TagKey} |
| iam:GetUserPolicy | Retrieves the specified inline policy document of the specified IAM user. | Read | user* | iam:ResourceTag/${TagKey} |
| iam:ListAccessKeys | Lists information about the access key IDs that are associated with the specified IAM user. | List | user* | - |
| iam:ListAttachedGroupPolicies | Lists all managed policies that are attached to the specified IAM group. | List | group* | - |
| iam:ListAttachedRolePolicies | Lists all managed policies that are attached to the specified IAM role. | List | role* | iam:ResourceTag/${TagKey} |
| iam:ListAttachedUserPolicies | Lists all managed policies that are attached to the specified IAM user. | List | user* | iam:ResourceTag/${TagKey} |
| iam:ListEntitiesForPolicy | Lists all entities (IAM users, groups, and roles) that are attached to the specified managed policy. | List | policy* | - |
| iam:ListGroupPolicies | List the names of the inline policies that are in the specified IAM group. | List | group* | - |
| iam:ListGroups | List the IAM groups that have the specified path prefix. | List | - | - |
| iam:ListGroupsForUser | List the IAM groups that the provided IAM user belongs to. | List | user* | iam:ResourceTag/${TagKey} |
| iam:ListPolicies | Lists all managed policies that are associated with the namespace. | List | - | - |
| iam:ListPolicyVersions | Lists information about the versions of the requested managed policy. | List | policy* | - |
| iam:ListRolePolicies | Lists the names of the inline policies that are in the specified IAM role. | List | role* | iam:ResourceTag/${TagKey} |
| iam:ListRoles | Lists the IAM roles that have the specified path prefix. | List | - | - |
| iam:ListRoleTags | Lists the tags that are attached to the specified role. | List | role* | iam:ResourceTag/${TagKey} |
| iam:ListSAMLProviders | Lists the SAML providers that are in the namespace. | List | - | - |
| iam:ListUserPolicies | Lists the names of the inline policies that are in the specified IAM user. | List | user* | iam:ResourceTag/${TagKey} |
| iam:ListUsers | Lists the IAM users that have the specified path prefix. | List | - | - |
| iam:ListUserTags | Lists the tags that are attached to the specified user. | List | user* | iam:ResourceTag/${TagKey} |
| iam:PutGroupPolicy | Adds or updates an inline policy document to the specified IAM group. | Permissions management | group* | - |
| iam:PutRolePermissionsBoundary | Sets or updates the provided managed policy as the roles permissions boundary. | Permissions management | role* | iam:PermissionsBoundaryiam:ResourceTag/${TagKey} |
| iam:PutRolePolicy | Adds or updates an inline policy document to the specified IAM role. | Permissions management | role* | iam:PermissionsBoundaryiam:ResourceTag/${TagKey} |
| iam:PutUserPermissionsBoundary | Sets or updates the provided managed policy as the permissions boundary of a user. | Permissions management | user* | iam:PermissionsBoundaryiam:ResourceTag/${TagKey} |
| iam:PutUserPolicy | Adds or updates an inline policy document to the specified IAM user. | Permissions management | user* | iam:PermissionsBoundaryiam:ResourceTag/${TagKey} |
| iam:RemoveUserFromGroup | Removes an IAM user from the specified group. | Write | group* | - |
| iam:SetDefaultPolicyVersion | Sets the specified version of the policy as default. | Permissions management | policy* | - |
| iam:SimulateCustomPolicy | Simulates how IAM policies and optionally a resource-based policy works with a list of API operations and ObjectScale resources to determine the effective permissions of the policy. | Read | - | - |
| iam:SimulatePrincipalPolicy | Simulates how IAM policies that are attached to an IAM entity (user, group, or role) works with a list of API operations and ObjectScale resources to determine the effective permissions of the policy. | Read | user, group, role | - |
| iam:TagRole | Adds tags to an IAM role. | Tagging | role* | - |
| iam:TagUser | Adds tags to an IAM user. | Tagging | user* | - |
| iam:UntagRole | Removes tags from specified IAM role. | Tagging | role* | iam:ResourceTag/${TagKey} |
| iam:UntagUser | Removes tags from specified IAM user. | Tagging | user* | iam:ResourceTag/${TagKey} |
| iam:UpdateAccessKey | Updates the status of specified access keys as Active or Inactive. | Write | user* | - |
| iam:UpdateAssumeRolePolicy | Updates the policy that grants an IAM entity permission to assume a role. | Permissions management | role* | iam:ResourceTag/${TagKey} |
| iam:UpdateRole | Updates the description or maximum session duration setting of an IAM role. | Write | role* | iam:ResourceTag/${TagKey} |
| iam:UpdateSAMLProvider | Updates the metadata document for an existing SAML provider. | Write | saml-provider* | - |
| Action | Description | Access Level | Resource Type (* required) | Condition Keys |
|---|---|---|---|---|
| sts:AssumeRole | Returns temporary security credentials for accessing ObjectScale resources that you might not have access to. | Write | role* |
aws:RequestTag/${TagKey}
aws:TagKeys
aws:PrincipalTag/${TagKey}
|
| sts:AssumeRoleWithSAML | Returns temporary security credentials for users who authenticated using a SAML authentication response. | Write | role* |
aws:RequestTag/${TagKey}
aws:TagKeys
aws:PrincipalTag/${TagKey}
saml:iss
saml:aud
saml:sub
saml:sub_type
saml:edupersonorgdn
saml:namequalifier
|
| sts:GetFederationToken | Returns temporary security credentials (consisting of an access key ID, a secret access key, and a security token). | Read | user* |
aws:PrincipalTag/${TagKey}
aws:PrincipalArn
aws:username
aws:userid
aws:PrincipalAccount
|
| Action | Description | Access Level | Resource Type (* required) | Condition Keys |
|---|---|---|---|---|
| New operations supported by S3 service: | ||||
| s3:GetReplicationConfiguration | Grants permission to get the replication configuration information set on an amazon S3 bucket. | Read | bucket* |
s3:authType s3:signatureversion s3:x-amz-content-sha256 |
| s3:PutReplicationConfiguration | Grants permission to create a replication configuration or replace an existing one. | Write | bucket* |
s3:authType s3:signatureversion s3:x-amz-content-sha256 |
| s3:DeleteReplicationConfiguration | Grants permission to delete a replication configuration. | Write | bucket* | - |
| s3:GetBucketObjectLockConfiguration | Grants permission to get the object lock configuration of an amazon S3 bucket. | Read | bucket* |
s3:authType s3:signatureversion |
| s3:PUTBucketObjectLockConfiguration | Grants permission to get the object lock configuration of an amazon S3 bucket. | Write | bucket* |
s3:authType s3:signatureversion |
| s3:GetObjectLegalHold | Grants permission to get the current legal hold status of an object. | Read | object* |
s3:authType s3:signatureversion s3:x-amz-content-sha256 |
| s3:PutObjectLegalHold | Grants permission to apply a legal hold configuration to a specified object. | Write | object* |
s3:authType s3:signatureversion s3:x-amz-content-sha256 s3:object-lock-legal-hold |
| s3:GetObjectRetention | Grants permission to retrieve the retention settings for an object. | Read | object* |
s3:authType s3:signatureversion s3:x-amz-content-sha256 |
| s3:PutObjectRetention | Grants permission to place an object retention configuration on an object. | Write | object* |
s3:authType s3:signatureversion s3:x-amz-content-sha256 s3:object-lock-mode s3:object-lock-retain-until-date s3:object-lock-remaining-retention-days |
| s3:BypassGovernanceRetention | Grants permission to allow circumvention of governance-mode object retention settings. | Permission Management | object* |
s3:RequestObjectTag/<key> s3:RequestObjectTagKeys s3:authType s3:signatureversion s3:x-amz-acl s3:x-amz-content-sha256 s3:x-amz-copy-source s3:x-amz-grant-full-control s3:x-amz-grant-read s3:x-amz-grant-read-acp s3:x-amz-grant-write s3:x-amz-grant-write-acp s3:x-amz-metadata-directive s3:x-amz-server-side-encryption s3:x-amz-storage-class s3:object-lock-mode s3:object-lock-retain-until-date s3:object-lock-remaining-retention-days s3:object-lock-legal-hold |
| Existing S3 operations supported by S3 service: | ||||
| s3:AbortMultipartUpload | Grants permission to cancel a multipart upload. | Write | object* |
s3:authType s3:signatureversion s3:x-amz-content-sha256 |
| s3:CreateBucket | Grants permission to create a bucket. | Write | bucket* |
s3:authType s3:signatureversion s3:x-amz-acl s3:x-amz-content-sha256 s3:x-amz-grant-full-control s3:x-amz-grant-read s3:x-amz-grant-read-acp s3:x-amz-grant-write s3:x-amz-grant-write-acp |
| s3:DeleteBucket | Grants permission to delete the bucket named in the URI. | Write | bucket* |
s3:authType s3:signatureversion s3:x-amz-content-sha256 |
| s3:DeleteBucketPolicy | Grants permission to delete policy on a specified bucket. | Permission Management | bucket* |
s3:authType s3:signatureversion s3:x-amz-content-sha256 |
| s3:DeleteObject | Grants permission to remove the null version of an object and insert a delete marker, which becomes the current version of the object. | Write | object* |
s3:authType s3:signatureversion s3:x-amz-content-sha256 |
| s3:DeleteObjectTagging | Grants permission to use the tagging subresource to remove the entire tag set from the specified object. | Tagging | object* |
s3:ExistingObjectTag/<key> s3:authType s3:signatureversion s3:x-amz-content-sha256 |
| s3:DeleteObjectVersion | Grants permission to remove a specific version of an object. | Write | object* |
s3:authType s3:signatureversion s3:versionid s3:x-amz-content-sha256 |
| s3:DeleteObjectVersionTagging | Grants permission to remove the entire tag set for a specific version of the object. | Tagging | object* |
s3:ExistingObjectTag/<key> s3:authType s3:signatureversion s3:versionid s3:x-amz-content-sha256 |
| s3:GetBucketAcl | Grants permission to use the ACL subresource to return the access control list (ACL) of an Amazon S3 bucket. | Read | bucket* |
s3:authType s3:signatureversion s3:x-amz-content-sha256 |
| s3:GetBucketCORS | Grants permission to return the CORS configuration information set for an Amazon S3 bucket. | Read | bucket* |
s3:authType s3:signatureversion s3:x-amz-content-sha256 |
| s3:GetBucketPolicy | Grants permission to return the policy of the specified bucket. | Read | bucket* |
s3:authType s3:signatureversion s3:x-amz-content-sha256 |
| s3:GetBucketTagging | Grants permission to return the tag set associated with an Amazon S3 bucket. | Read | bucket* |
s3:authType s3:signatureversion s3:x-amz-content-sha256 |
| s3:GetBucketVersioning | Grants permission to return the versioning state of an Amazon S3 bucket. | Read | bucket* |
s3:authType s3:signatureversion s3:x-amz-content-sha256 |
| s3:GetLifecycleConfiguration | Grants permission to return the life-cycle configuration information set on an Amazon S3 bucket. | Read | bucket* |
s3:authType s3:signatureversion s3:x-amz-content-sha256 |
| s3:GetObject | Grants permission to retrieve objects from Amazon S3. | Read | object* |
s3:ExistingObjectTag/<key> s3:authType s3:signatureversion s3:x-amz-content-sha256 |
| s3:GetObjectAcl | Grants permission to return the access control list (ACL) of an object. | Read | object* |
s3:ExistingObjectTag/<key> s3:authType s3:signatureversion s3:x-amz-content-sha256 |
| s3:GetObjectTagging | Grants permission to return the tag set of an object. | Read | object* |
s3:ExistingObjectTag/<key> s3:authType s3:signatureversion s3:x-amz-content-sha256 |
| s3:GetObjectVersion | Grants permission to retrieve a specific version of an object. | Read | object* |
s3:ExistingObjectTag/<key> s3:authType s3:signatureversion s3:versionid s3:x-amz-content-sha256 |
| s3:GetObjectVersionAcl | Grants permission to return the access control list (ACL) of a specific object version. | Read | object* |
s3:ExistingObjectTag/<key> s3:authType s3:signatureversion s3:versionid s3:x-amz-content-sha256 |
| s3:GetObjectVersionTagging | Grants permission to return the tag set for a specific version of the object. | Read | object* |
s3:ExistingObjectTag/<key> s3:authType s3:signatureversion s3:versionid s3:x-amz-content-sha256 |
| s3:ListAllMyBuckets | Grants permission to list all buckets owned by the authenticated sender of the request. | List | - |
s3:authType s3:signatureversion s3:x-amz-content-sha256 |
| s3:ListBucket | Grants permission to list some or all the objects in an Amazon S3 bucket (up to 1000). | List | bucket* |
s3:authType s3:delimiter s3:max-keys s3:prefix s3:signatureversion s3:x-amz-content-sha256 |
| s3:ListBucketMultipartUploads | Grants permission to list in-progress multipart uploads. | Read | bucket* |
s3:authType s3:signatureversion s3:x-amz-content-sha256 |
| s3:ListBucketVersions | Grants permission to list metadata about all the versions of objects in an Amazon S3 bucket. | Read | bucket* |
s3:authType s3:delimiter s3:max-keys s3:prefix s3:signatureversion s3:x-amz-content-sha256 |
| s3:ListMultipartUploadParts | Grants permission to list the parts that have been uploaded for a specific multipart upload. | Read | object* |
s3:authType s3:signatureversion s3:x-amz-content-sha256 |
| s3:PutBucketAcl | Grants permission to set the permissions on an existing bucket using access control lists (ACLs). | Permission Management | bucket* |
s3:authType s3:signatureversion s3:x-amz-acl s3:x-amz-content-sha256 s3:x-amz-grant-full-control s3:x-amz-grant-read s3:x-amz-grant-read-acp s3:x-amz-grant-write s3:x-amz-grant-write-acp |
| s3:PutBucketCORS | Grants permission to set the CORS configuration for an Amazon S3 bucket. | Write | bucket* |
s3:authType s3:signatureversion s3:x-amz-content-sha256 |
| s3:PutBucketPolicy | Grants permission to add or replace a bucket policy on a bucket. | Permission Management | bucket* |
s3:authType s3:signatureversion s3:x-amz-content-sha256 |
| s3:PutBucketTagging | Grants permission to add tags to an existing Amazon S3 bucket. | Tagging | bucket* |
s3:authType s3:signatureversion s3:x-amz-content-sha256 |
| s3:PutBucketVersioning | Grants permission to set the versioning state of an existing Amazon S3 bucket. | Write | bucket* |
s3:authType s3:signatureversion s3:x-amz-content-sha256 |
| s3:PutLifecycleConfiguration | Grants permission to create a life-cycle configuration for the bucket or replace an existing life-cycle configuration. | Write | bucket* |
s3:authType s3:signatureversion s3:x-amz-content-sha256 |
| s3:PutObject | Grants permission to add an object to a bucket. | Write | object* |
s3:RequestObjectTag/<key> s3:RequestObjectTagKeys s3:authType s3:signatureversion s3:x-amz-acl s3:x-amz-content-sha256 s3:x-amz-copy-source s3:x-amz-grant-full-control s3:x-amz-grant-read s3:x-amz-grant-read-acp s3:x-amz-grant-write s3:x-amz-grant-write-acp s3:x-amz-metadata-directive s3:x-amz-server-side-encryption s3:x-amz-server-side-encryption-aws-kms-key-id s3:x-amz-storage-class s3:object-lock-mode s3:object-lock-retain-until-date s3:object-lock-remaining-retention-days s3:object-lock-legal-hold |
| s3:PutObjectAcl | Grants permission to set the access control list (ACL) permission for an object that exists in a bucket. | Permission Management | object* |
s3:ExistingObjectTag/<key> s3:authType s3:signatureversion s3:x-amz-acl s3:x-amz-content-sha256 s3:x-amz-grant-full-control s3:x-amz-grant-read s3:x-amz-grant-read-acp s3:x-amz-grant-write s3:x-amz-grant-write-acp s3:x-amz-storage-class |
| s3:PutObjectTagging | Grants permission to set the supplied tag-set to an object that exists in a bucket. | Tagging | object* |
s3:ExistingObjectTag/<key> s3:RequestObjectTag/<key> s3:RequestObjectTagKeys s3:authType s3:signatureversion s3:x-amz-content-sha256 |
| s3:PutObjectVersionAcl | Grants permission to use the ACL subresource to set the access control list (ACL) permissions for an object that exists in a bucket. | Permission Management | object* |
s3:ExistingObjectTag/<key> s3:authType s3:signatureversion s3:versionid s3:x-amz-acl s3:x-amz-content-sha256 s3:x-amz-grant-full-control s3:x-amz-grant-read s3:x-amz-grant-read-acp s3:x-amz-grant-write s3:x-amz-grant-write-acp s3:x-amz-storage-class |
| s3:PutObjectVersionTagging | Grants permission to set the supplied tag-set for a specific version of an object. | Tagging | object* |
s3:ExistingObjectTag/<key> s3:RequestObjectTag/<key> s3:RequestObjectTagKeys s3:authType s3:signatureversion s3:versionid s3:x-amz-content-sha256 |
| s3:ReplicationInfo | Grants permission to retrieve an object replication status. | Read | object* | - |
| s3:PutBucketLogging | Grants permission to configure bucket logging on a source bucket. | Permission Management | bucket* | - |
| s3:GetBucketLogging | Grants permission to retrieve bucket logging on a source bucket. | Permission Management | bucket* | - |
| Action | Description | Access Level | Resource Type (* required) | Condition Keys |
|---|---|---|---|---|
| dcm:GetWebhookConfiguration | Retrieves a webhook configuration to which notifications can be published. | Read | webhook* | Dependent actions |
| dcm:CreateWebhookConfiguration | Creates a webhook configuration to which notifications can be published. | Write | webhook* | Dependent actions |
| dcm:DeleteWebhookConfiguration | Deletes a webhook configuration. | Write | webhook* | Dependent actions |
| dcm:ListWebhookConfigurations | Retrieves a list of webhook configurations of the requester. Each call returns a limited list of configurations, up to 100. | List | webhook* | Dependent actions |
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\