Describe the bug
Since the data.all policy attached to the registered role gives full S3 permissions to the bucket, it is not possible to register a read-only role and request read permissions to the dataset.
How to Reproduce
1. Register a read-only role to data.all
2. Request access to a dataset within the same AWS account
3. This role now has write permissions to the S3 bucket.
Expected behavior
Expected behavior is an option to register a read-only role, or to allow requesting access to a dataset even though the role doesn't have a data.all managed policy.
Your project
No response
Screenshots
No response
OS
N/A
Python version
N/A
AWS data.all version
N/A
Additional context
No response
Hi @Leonkoithara, let me confirm I understand your issue. In step 1 you are referring to an IAM role with IAM permissions to read from S3. Then you either import that role as a team role or as a consumption role, and the data.all ManagedS3 IAM policy grants READ and WRITE permissions to S3.
I think you are correct. I will add this issue as a bug and we will assess it in 2.5. Thanks for opening an issue.
One last question, would you see value in having 2 types of shares: READ-ONLY and WRITE shares?
I think this PR already scopes down the S3 permissions given to a role on a bucket share.
For any S3 bucket share now:
S3 bucket policy gets updated with ['s3:List*', 's3:GetObject'] for the requester role ARN
(if applicable) KMS key policy gets updated with 'kms:Decrypt' for the requester role ARN
Requester IAM policy gets updated with ['s3:List*', 's3:Describe*', 's3:GetObject'] on the bucket, plus kms:* on the key if applicable
The above should enforce that, for either cross-account or same-account sharing, the requester role can only read from the target resource.
I will confirm the above with a quick test and report back.
I set up a same-account share to a new requester role (tested with both sharing S3 Bucket and Folder/AccessPoint) and can confirm that there is only read access, with no write access, for this role.
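The following is an added example, not code from the data.all project or from either commenter. It builds policy documents in the three shapes listed in the comment above (bucket policy, KMS key policy, requester identity policy), builds the pre-fix "full S3 permissions on the bucket" identity policy from the bug report, and runs a small IAM-style evaluator over both so the read-only claim can be checked offline. All ARNs are constructed placeholders; the evaluator is a deliberately simplified model (explicit Deny beats Allow, wildcard matching on Action and Resource, optional Principal check) that ignores Condition blocks, NotAction/NotResource, SCPs, permission boundaries and session policies, so it is a sanity check, not a substitute for the IAM policy simulator.

```python
import json
import re

# Constructed sample identifiers (assumptions, not taken from the issue).
BUCKET_ARN = "arn:aws:s3:::example-dataset-bucket"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
REQUESTER_ROLE_ARN = "arn:aws:iam::111122223333:role/dataall-readonly-consumer"

BUCKET_POLICY_READ_ACTIONS = ["s3:List*", "s3:GetObject"]
IDENTITY_READ_ACTIONS = ["s3:List*", "s3:Describe*", "s3:GetObject"]


def bucket_policy(bucket_arn, role_arn):
    """Bucket policy statement granting only read actions to the requester role ARN."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ShareRead", "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": BUCKET_POLICY_READ_ACTIONS,
        "Resource": [bucket_arn, f"{bucket_arn}/*"],
    }]}


def kms_key_policy(key_arn, role_arn):
    """Key policy statement granting kms:Decrypt to the requester role ARN (Resource is '*' in key policies)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ShareDecrypt", "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": "kms:Decrypt", "Resource": "*",
    }]}


def requester_identity_policy(bucket_arn, key_arn=None):
    """Identity policy for the requester: read actions on the bucket, kms:* on the key if one is used."""
    statements = [{"Sid": "ReadBucket", "Effect": "Allow",
                   "Action": IDENTITY_READ_ACTIONS,
                   "Resource": [bucket_arn, f"{bucket_arn}/*"]}]
    if key_arn:
        statements.append({"Sid": "UseKey", "Effect": "Allow", "Action": "kms:*", "Resource": key_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def full_access_identity_policy(bucket_arn):
    """The pre-fix shape the bug report describes: full S3 permissions on the bucket."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "FullBucketAccess", "Effect": "Allow",
        "Action": "s3:*", "Resource": [bucket_arn, f"{bucket_arn}/*"],
    }]}


def _glob(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one character.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, principal_arn):
    principal = statement.get("Principal")
    if principal is None or principal == "*":  # identity policy, or anonymous principal
        return True
    aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    return "*" in aws or principal_arn in aws


def policy_allows(policy, action, resource, principal_arn=None):
    """Simplified evaluation: explicit Deny wins, otherwise any matching Allow grants (Conditions ignored)."""
    allowed = False
    for statement in _as_list(policy.get("Statement")):
        if not _principal_matches(statement, principal_arn):
            continue
        action_hit = any(_glob(p, action, ignore_case=True) for p in _as_list(statement.get("Action")))
        resource_hit = any(_glob(p, resource) for p in _as_list(statement.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if statement.get("Effect") == "Deny":
            return False
        if statement.get("Effect") == "Allow":
            allowed = True
    return allowed


def share_permissions(policy, bucket_arn, principal_arn=None):
    """Read and write outcomes for a requester on the shared bucket under one policy document."""
    obj = f"{bucket_arn}/prefix/data.parquet"  # constructed object key
    return {
        "s3:ListBucket": policy_allows(policy, "s3:ListBucket", bucket_arn, principal_arn),
        "s3:GetObject": policy_allows(policy, "s3:GetObject", obj, principal_arn),
        "s3:PutObject": policy_allows(policy, "s3:PutObject", obj, principal_arn),
        "s3:DeleteObject": policy_allows(policy, "s3:DeleteObject", obj, principal_arn),
    }


if __name__ == "__main__":
    for label, pol, who in [
        ("scoped identity policy", requester_identity_policy(BUCKET_ARN, KEY_ARN), None),
        ("pre-fix full-access identity policy", full_access_identity_policy(BUCKET_ARN), None),
        ("bucket policy, requester role", bucket_policy(BUCKET_ARN, REQUESTER_ROLE_ARN), REQUESTER_ROLE_ARN),
    ]:
        print(label, json.dumps(share_permissions(pol, BUCKET_ARN, who)))
```

Running it shows the scoped identity policy and the bucket policy both allow s3:ListBucket and s3:GetObject while refusing s3:PutObject and s3:DeleteObject, whereas the pre-fix `s3:*` policy allows all four. Note that the identity policy's `kms:*` on the key is broader than the `kms:Decrypt` the key policy itself grants; that does not reopen S3 writes, since those still need an s3:PutObject allow somewhere, but it is the statement to tighten if you want the requester's KMS rights to match the key policy.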