From e093c232751ebb5c74d76cadc4780f5c5653265b Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Fri, 10 Oct 2025 10:40:54 +0200 Subject: [PATCH 1/6] docs(obj): add API operation/bucket policy permission mapping MTA-6586 --- .../s3-iam-permissions-equivalence.mdx | 593 +++++------------- 1 file changed, 145 insertions(+), 448 deletions(-) diff --git a/pages/object-storage/reference-content/s3-iam-permissions-equivalence.mdx b/pages/object-storage/reference-content/s3-iam-permissions-equivalence.mdx index bab19ed27e..60731ad432 100644 --- a/pages/object-storage/reference-content/s3-iam-permissions-equivalence.mdx +++ b/pages/object-storage/reference-content/s3-iam-permissions-equivalence.mdx 
@@ -4,474 +4,171 @@ description: Understand how IAM permissions in Amazon S3 relate to Scaleway Obje tags: object-storage amazon-s3 aws action equivalent iam permission set --- +Below is a list of Object Storage API actions authorized for each [permission set](). + ## ObjectStorageFullAccess -| Amazon S3 action | IAM resource | IAM action | Authorized | -|---------------------------------| ------------ |------------|------------| -| DeleteBucketPolicy | Policy | Write | Yes | -| GetBucketPolicy | Policy | Read | Yes | -| GetBucketPolicyStatus | Policy | Read | Yes | -| PutBucketPolicy | Policy | Write | Yes | -| CreateBucket | Bucket | Create | Yes | -| DeleteBucket | Bucket | Delete | Yes | -| DeleteBucketCors | Bucket | Write | Yes | -| DeleteBucketLifecycle | Bucket | Write | Yes | -| DeleteBucketTagging | Bucket | Write | Yes | -| DeleteBucketWebsite | Bucket | Write | Yes | -| GetBucketAcl | Bucket | Read | Yes | -| GetBucketCors | Bucket | Read | Yes | -| GetBucketLifecycleConfiguration | Bucket | Read | Yes | -| GetBucketLocation | Bucket | Read | Yes | -| GetBucketTagging | Bucket | Read | Yes | -| GetBucketVersioning | Bucket | Read | Yes | -| GetBucketWebsite | Bucket | Read | Yes | -| HeadBucket | Bucket | Read | Yes | -| ListBuckets | Bucket | List | Yes | -| PutBucketAcl | Bucket | Write | Yes | -| PutBucketCors | Bucket | Write | Yes | -| PutBucketLifecycleConfiguration | Bucket | Write | Yes | -| PutBucketTagging | Bucket | Write | Yes | -| PutBucketVersioning | Bucket | Write | Yes | -| PutBucketWebsite | Bucket | Write | Yes | -| AbortMultipartUpload | Object | Delete | Yes | -| CompleteMultipartUpload | Object | Create | Yes | -| CopyObject | Object | Write | Yes | -| CreateMultipartUpload | Object | Create | Yes | -| DeleteObject | Object | Delete | Yes | -| DeleteObjects | Object | Delete | Yes | -| DeleteObjectTagging | Object | Write | Yes | -| GetObject | Object | Read | Yes | -| GetObjectAcl | Object | Read | Yes | -| GetObjectLegalHold | 
Object | Read | Yes | -| GetObjectLockConfiguration | Object | Read | Yes | -| GetObjectRetention | Object | Read | Yes | -| GetObjectTagging | Object | Read | Yes | -| HeadObject | Object | Read | Yes | -| ListMultipartUploads | Object | List | Yes | -| ListObjects | Object | List | Yes | -| ListObjectsV2 | Object | List | Yes | -| ListObjectVersions | Object | List | Yes | -| ListParts | Object | List | Yes | -| PutObject | Object | Create | Yes | -| PutObjectAcl | Object | Write | Yes | -| PutObjectLegalHold | Object | Write | Yes | -| PutObjectLockConfiguration | Object | Write | Yes | -| PutObjectRetention | Object | Write | Yes | -| PutObjectTagging | Object | Write | Yes | -| RestoreObject | Object | Write | Yes | -| UploadPart | Object | Write | Yes | -| UploadPartCopy | Object | Write | Yes | -| PostObject | Object | Create | Yes | +| Amazon S3 action | Bucket Policy Action | +|---------------------------------|------------------------------| +| AbortMultipartUpload | s3:AbortMultipartUpload | +| CompleteMultipartUpload | s3:PutObject | +| CopyObject | s3:CopyObject | +| CreateBucket | s3:CreateBucket | +| CreateMultipartUpload | s3:PutObject | +| DeleteBucket | s3:DeleteBucket | +| DeleteBucketCors | s3:PutBucketCors | +| DeleteBucketLifecycle | s3:PutLifecycleConfiguration | +| DeleteBucketPolicy | s3:DeleteBucketPolicy | +| DeleteBucketTagging | s3:PutBucketTagging | +| DeleteBucketWebsite | s3:DeleteBucketWebsite | +| DeleteObject | s3:DeleteObject | +| DeleteObjects | s3:DeleteObjects | +| DeleteObjectTagging | s3:DeleteObjectTagging | +| GetBucketAcl | s3:GetBucketAcl | +| GetBucketCors | s3:GetBucketCors | +| GetBucketLifecycleConfiguration | s3:GetBucketLifecycle | +| GetBucketLocation | s3:GetBucketLocation | +| GetBucketPolicy | s3:GetBucketPolicy | +| GetBucketPolicyStatus | s3:GetBucketPolicyStatus | +| GetBucketTagging | s3:GetBucketTagging | +| GetBucketVersioning | s3:GetBucketVersioning | +| GetBucketWebsite | s3:GetBucketWebsite | +| 
GetObject | s3:GetObject | +| GetObjectAcl | s3:GetObjectAcl | +| GetObjectLegalHold | s3:GetObjectLegalHold | +| GetObjectLockConfiguration | s3:GetObjectLockConfiguration| +| GetObjectRetention | s3:GetObjectRetention | +| GetObjectTagging | s3:GetObjectTagging | +| HeadBucket | s3:HeadBucket | +| HeadObject | s3:HeadObject | +| ListBuckets | s3:ListBucket | +| ListMultipartUploads | s3:ListMultipartUploads | +| ListObjects | s3:ListBucket | +| ListObjectsV2 | s3:ListBucket | +| ListObjectVersions | s3:ListBucket | +| ListParts | s3:ListMultipartUploadParts | +| PostObject | s3:PostObject | +| PutBucketAcl | s3:PutBucketAcl | +| PutBucketCors | s3:PutBucketCors | +| PutBucketLifecycleConfiguration | s3:PutBucketLifecycle | +| PutBucketPolicy | s3:PutBucketPolicy | +| PutBucketTagging | s3:PutBucketTagging | +| PutBucketVersioning | s3:PutBucketVersioning | +| PutBucketWebsite | s3:PutBucketWebsite | +| PutObject | s3:PutObject | +| PutObjectAcl | s3:PutObjectAcl | +| PutObjectLegalHold | s3:PutObjectLegalHold | +| PutObjectLockConfiguration | s3:PutObjectLockConfiguration| +| PutObjectRetention | s3:PutObjectRetention | +| PutObjectTagging | s3:PutObjectTagging | +| RestoreObject | s3:RestoreObject | +| UploadPart | s3:UploadPart | +| UploadPartCopy | s3:UploadPartCopy | ## ObjectStorageReadOnly -| Amazon S3 Action | IAM Resource | IAM Action | Authorized | -| ------------------------------- | ------------ | ---------- | -----------| -| AbortMultipartUpload | Object | Delete | No | -| CompleteMultipartUpload | Object | Create | No | -| CopyObject | Object | Write | No | -| CreateBucket | Bucket | Create | No | -| CreateMultipartUpload | Object | Create | No | -| DeleteBucket | Bucket | Delete | No | -| DeleteBucketCors | Bucket | Write | No | -| DeleteBucketLifecycle | Bucket | Write | No | -| DeleteBucketPolicy | Policy | Write | No | -| DeleteBucketTagging | Bucket | Write | No | -| DeleteBucketWebsite | Bucket | Write | No | -| DeleteObject | Object | Delete | 
No | -| DeleteObjects | Object | Delete | No | -| DeleteObjectTagging | Object | Write | No | -| GetBucketAcl | Bucket | Read | Yes | -| GetBucketCors | Bucket | Read | Yes | -| GetBucketLifecycleConfiguration | Bucket | Read | Yes | -| GetBucketLocation | Bucket | Read | Yes | -| GetBucketPolicy | Policy | Read | Yes | -| GetBucketPolicyStatus | Policy | Read | Yes | -| GetBucketTagging | Bucket | Read | Yes | -| GetBucketVersioning | Bucket | Read | Yes | -| GetBucketWebsite | Bucket | Read | Yes | -| GetObject | Object | Read | Yes | -| GetObjectAcl | Object | Read | Yes | -| GetObjectLegalHold | Object | Read | Yes | -| GetObjectLockConfiguration | Object | Read | Yes | -| GetObjectRetention | Object | Read | Yes | -| GetObjectTagging | Object | Read | Yes | -| HeadBucket | Bucket | Read | Yes | -| HeadObject | Object | Read | Yes | -| ListBuckets | Bucket | List | Yes | -| ListMultipartUploads | Object | List | Yes | -| ListObjects | Object | List | Yes | -| ListObjectsV2 | Object | List | Yes | -| ListObjectVersions | Object | List | Yes | -| ListParts | Object | List | Yes | -| PostObject | Object | Create | No | -| PutBucketAcl | Bucket | Write | No | -| PutBucketCors | Bucket | Write | No | -| PutBucketLifecycleConfiguration | Bucket | Write | No | -| PutBucketPolicy | Policy | Write | No | -| PutBucketTagging | Bucket | Write | No | -| PutBucketVersioning | Bucket | Write | No | -| PutBucketWebsite | Bucket | Write | No | -| PutObject | Object | Create | No | -| PutObjectAcl | Object | Write | No | -| PutObjectLegalHold | Object | Write | No | -| PutObjectLockConfiguration | Object | Write | No | -| PutObjectRetention | Object | Write | No | -| PutObjectTagging | Object | Write | No | -| RestoreObject | Object | Write | No | -| UploadPart | Object | Write | No | -| UploadPartCopy | Object | Write | No | +| Amazon S3 Action | Bucket Policy Action | +| ------------------------------- |-----------------------------| +| GetBucketAcl | s3:GetBucketAcl | +| 
GetBucketCors | s3:GetBucketCors | +| GetBucketLifecycleConfiguration | s3:GetBucketLifecycle | +| GetBucketLocation | s3:GetBucketLocation | +| GetBucketPolicy | s3:GetBucketPolicy | +| GetBucketPolicyStatus | s3:GetBucketPolicyStatus | +| GetBucketTagging | s3:GetBucketTagging | +| GetBucketVersioning | s3:GetBucketVersioning | +| GetBucketWebsite | s3:GetBucketWebsite | +| GetObject | s3:GetObject | +| GetObjectAcl | s3:GetObjectAcl | +| GetObjectLegalHold | s3:GetObjectLegalHold | +| GetObjectLockConfiguration | s3:GetObjectLockConfiguration| +| GetObjectRetention | s3:GetObjectRetention | +| GetObjectTagging | s3:GetObjectTagging | +| HeadBucket | s3:HeadBucket | +| HeadObject | s3:HeadObject | +| ListBuckets | s3:ListBucket | +| ListMultipartUploads | s3:ListMultipartUploads | +| ListObjects | s3:ListBucket | +| ListObjectsV2 | s3:ListBucket | +| ListObjectVersions | s3:ListBucket | +| ListParts | s3:ListMultipartUploadParts | ## ObjectStorageBucketsRead -| Amazon S3 Action | IAM Resource | IAM Action | Authorized | -|---------------------------------|--------------|------------|------------| -| AbortMultipartUpload | Object | Delete | No | -| CompleteMultipartUpload | Object | Create | No | -| CopyObject | Object | Write | No | -| CreateBucket | Bucket | Create | No | -| CreateMultipartUpload | Object | Create | No | -| DeleteBucket | Bucket | Delete | No | -| DeleteBucketCors | Bucket | Write | No | -| DeleteBucketLifecycle | Bucket | Write | No | -| DeleteBucketPolicy | Policy | Write | No | -| DeleteBucketTagging | Bucket | Write | No | -| DeleteBucketWebsite | Bucket | Write | No | -| DeleteObject | Object | Delete | No | -| DeleteObjects | Object | Delete | No | -| DeleteObjectTagging | Object | Write | No | -| GetBucketAcl | Bucket | Read | Yes | -| GetBucketCors | Bucket | Read | Yes | -| GetBucketLifecycleConfiguration | Bucket | Read | Yes | -| GetBucketLocation | Bucket | Read | Yes | -| GetBucketPolicy | Policy | Read | No | -| 
GetBucketPolicyStatus | Policy | Read | No | -| GetBucketTagging | Bucket | Read | Yes | -| GetBucketVersioning | Bucket | Read | Yes | -| GetBucketWebsite | Bucket | Read | Yes | -| GetObject | Object | Read | No | -| GetObjectAcl | Object | Read | No | -| GetObjectLegalHold | Object | Read | No | -| GetObjectLockConfiguration | Object | Read | No | -| GetObjectRetention | Object | Read | No | -| GetObjectTagging | Object | Read | No | -| HeadBucket | Bucket | Read | Yes | -| HeadObject | Object | Read | No | -| ListBuckets | Bucket | List | Yes | -| ListMultipartUploads | Object | List | No | -| ListObjects | Object | List | No | -| ListObjectsV2 | Object | List | No | -| ListObjectVersions | Object | List | No | -| ListParts | Object | List | No | -| PostObject | Object | Create | No | -| PutBucketAcl | Bucket | Write | No | -| PutBucketCors | Bucket | Write | No | -| PutBucketLifecycleConfiguration | Bucket | Write | No | -| PutBucketPolicy | Policy | Write | No | -| PutBucketTagging | Bucket | Write | No | -| PutBucketVersioning | Bucket | Write | No | -| PutBucketWebsite | Bucket | Write | No | -| PutObject | Object | Create | No | -| PutObjectAcl | Object | Write | No | -| PutObjectLegalHold | Object | Write | No | -| PutObjectLockConfiguration | Object | Write | No | -| PutObjectRetention | Object | Write | No | -| PutObjectTagging | Object | Write | No | -| RestoreObject | Object | Write | No | -| UploadPart | Object | Write | No | -| UploadPartCopy | Object | Write | No | +| Amazon S3 Action | Bucket Policy Action | +|---------------------------------|-----------------------------| +| GetBucketAcl | s3:GetBucketAcl | +| GetBucketCors | s3:GetBucketCors | +| GetBucketLifecycleConfiguration | s3:GetBucketLifecycle | +| GetBucketLocation | s3:GetBucketLocation | +| GetBucketTagging | s3:GetBucketTagging | +| GetBucketVersioning | s3:GetBucketVersioning | +| GetBucketWebsite | s3:GetBucketWebsite | +| HeadBucket | s3:HeadBucket | +| ListBuckets | 
s3:ListBucket | ## ObjectStorageBucketsWrite -| Amazon S3 Action | IAM Resource | IAM Action | Authorized | -|---------------------------------|--------------|------------|------------| -| AbortMultipartUpload | Object | Delete | No | -| CompleteMultipartUpload | Object | Create | No | -| CopyObject | Object | Write | No | -| CreateBucket | Bucket | Create | Yes | -| CreateMultipartUpload | Object | Create | No | -| DeleteBucket | Bucket | Delete | No | -| DeleteBucketCors | Bucket | Write | Yes | -| DeleteBucketLifecycle | Bucket | Write | Yes | -| DeleteBucketPolicy | Policy | Write | No | -| DeleteBucketTagging | Bucket | Write | Yes | -| DeleteBucketWebsite | Bucket | Write | Yes | -| DeleteObject | Object | Delete | No | -| DeleteObjects | Object | Delete | No | -| DeleteObjectTagging | Object | Write | No | -| GetBucketAcl | Bucket | Read | No | -| GetBucketCors | Bucket | Read | No | -| GetBucketLifecycleConfiguration | Bucket | Read | No | -| GetBucketLocation | Bucket | Read | No | -| GetBucketPolicy | Policy | Read | No | -| GetBucketPolicyStatus | Policy | Read | No | -| GetBucketTagging | Bucket | Read | No | -| GetBucketVersioning | Bucket | Read | No | -| GetBucketWebsite | Bucket | Read | No | -| GetObject | Object | Read | No | -| GetObjectAcl | Object | Read | No | -| GetObjectLegalHold | Object | Read | No | -| GetObjectLockConfiguration | Object | Read | No | -| GetObjectRetention | Object | Read | No | -| GetObjectTagging | Object | Read | No | -| HeadBucket | Bucket | Read | No | -| HeadObject | Object | Read | No | -| ListBuckets | Bucket | List | No | -| ListMultipartUploads | Object | List | No | -| ListObjects | Object | List | No | -| ListObjectsV2 | Object | List | No | -| ListObjectVersions | Object | List | No | -| ListParts | Object | List | No | -| PostObject | Object | Create | No | -| PutBucketAcl | Bucket | Write | Yes | -| PutBucketCors | Bucket | Write | Yes | -| PutBucketLifecycleConfiguration | Bucket | Write | Yes | -| 
PutBucketPolicy | Policy | Write | No | -| PutBucketTagging | Bucket | Write | Yes | -| PutBucketVersioning | Bucket | Write | Yes | -| PutBucketWebsite | Bucket | Write | Yes | -| PutObject | Object | Create | No | -| PutObjectAcl | Object | Write | No | -| PutObjectLegalHold | Object | Write | No | -| PutObjectLockConfiguration | Object | Write | No | -| PutObjectRetention | Object | Write | No | -| PutObjectTagging | Object | Write | No | -| RestoreObject | Object | Write | No | -| UploadPart | Object | Write | No | -| UploadPartCopy | Object | Write | No | +| Amazon S3 Action | Bucket Policy Action | +|---------------------------------|-----------------------------| +| CreateBucket | s3:CreateBucket | +| DeleteBucketCors | s3:DeleteBucketCors | +| DeleteBucketLifecycle | s3:DeleteBucketLifecycle | +| DeleteBucketTagging | s3:DeleteBucketTagging | +| DeleteBucketWebsite | s3:DeleteBucketWebsite | +| PutBucketAcl | s3:PutBucketAcl | +| PutBucketCors | s3:PutBucketCors | +| PutBucketLifecycleConfiguration | s3:PutBucketLifecycle | +| PutBucketTagging | s3:PutBucketTagging | +| PutBucketVersioning | s3:PutBucketVersioning | +| PutBucketWebsite | s3:PutBucketWebsite | ## ObjectStorageBucketsDelete -| Amazon S3 Action | IAM Resource | IAM Action | Authorized | -|---------------------------------|--------------|------------|------------| -| AbortMultipartUpload | Object | Delete | No | -| CompleteMultipartUpload | Object | Create | No | -| CopyObject | Object | Write | No | -| CreateBucket | Bucket | Create | No | -| CreateMultipartUpload | Object | Create | No | -| DeleteBucket | Bucket | Delete | Yes | -| DeleteBucketCors | Bucket | Write | No | -| DeleteBucketLifecycle | Bucket | Write | No | -| DeleteBucketPolicy | Policy | Write | No | -| DeleteBucketTagging | Bucket | Write | No | -| DeleteBucketWebsite | Bucket | Write | No | -| DeleteObject | Object | Delete | No | -| DeleteObjects | Object | Delete | No | -| DeleteObjectTagging | Object | Write | No | -| 
GetBucketAcl | Bucket | Read | No | -| GetBucketCors | Bucket | Read | No | -| GetBucketLifecycleConfiguration | Bucket | Read | No | -| GetBucketLocation | Bucket | Read | No | -| GetBucketPolicy | Policy | Read | No | -| GetBucketPolicyStatus | Policy | Read | No | -| GetBucketTagging | Bucket | Read | No | -| GetBucketVersioning | Bucket | Read | No | -| GetBucketWebsite | Bucket | Read | No | -| GetObject | Object | Read | No | -| GetObjectAcl | Object | Read | No | -| GetObjectLegalHold | Object | Read | No | -| GetObjectLockConfiguration | Object | Read | No | -| GetObjectRetention | Object | Read | No | -| GetObjectTagging | Object | Read | No | -| HeadBucket | Bucket | Read | No | -| HeadObject | Object | Read | No | -| ListBuckets | Bucket | List | No | -| ListMultipartUploads | Object | List | No | -| ListObjects | Object | List | No | -| ListObjectsV2 | Object | List | No | -| ListObjectVersions | Object | List | No | -| ListParts | Object | List | No | -| PostObject | Object | Create | No | -| PutBucketAcl | Bucket | Write | No | -| PutBucketCors | Bucket | Write | No | -| PutBucketLifecycleConfiguration | Bucket | Write | No | -| PutBucketPolicy | Policy | Write | No | -| PutBucketTagging | Bucket | Write | No | -| PutBucketVersioning | Bucket | Write | No | -| PutBucketWebsite | Bucket | Write | No | -| PutObject | Object | Create | No | -| PutObjectAcl | Object | Write | No | -| PutObjectLegalHold | Object | Write | No | -| PutObjectLockConfiguration | Object | Write | No | -| PutObjectRetention | Object | Write | No | -| PutObjectTagging | Object | Write | No | -| RestoreObject | Object | Write | No | -| UploadPart | Object | Write | No | -| UploadPartCopy | Object | Write | No | +| Amazon S3 Action | Bucket Policy Action | +|---------------------------------|-----------------------------| +| DeleteBucket | s3:DeleteBucket | ## ObjectStorageObjectsRead -| Amazon S3 Action | IAM Resource | IAM Action | Authorized | 
-|---------------------------------|--------------|------------|------------| -| AbortMultipartUpload | Object | Delete | No | -| CompleteMultipartUpload | Object | Create | No | -| CopyObject | Object | Write | No | -| CreateBucket | Bucket | Create | No | -| CreateMultipartUpload | Object | Create | No | -| DeleteBucket | Bucket | Delete | No | -| DeleteBucketCors | Bucket | Write | No | -| DeleteBucketLifecycle | Bucket | Write | No | -| DeleteBucketPolicy | Policy | Write | No | -| DeleteBucketTagging | Bucket | Write | No | -| DeleteBucketWebsite | Bucket | Write | No | -| DeleteObject | Object | Delete | No | -| DeleteObjects | Object | Delete | No | -| DeleteObjectTagging | Object | Write | No | -| GetBucketAcl | Bucket | Read | No | -| GetBucketCors | Bucket | Read | No | -| GetBucketLifecycleConfiguration | Bucket | Read | No | -| GetBucketLocation | Bucket | Read | No | -| GetBucketPolicy | Policy | Read | No | -| GetBucketPolicyStatus | Policy | Read | No | -| GetBucketTagging | Bucket | Read | No | -| GetBucketVersioning | Bucket | Read | No | -| GetBucketWebsite | Bucket | Read | No | -| GetObject | Object | Read | Yes | -| GetObjectAcl | Object | Read | Yes | -| GetObjectLegalHold | Object | Read | Yes | -| GetObjectLockConfiguration | Object | Read | Yes | -| GetObjectRetention | Object | Read | Yes | -| GetObjectTagging | Object | Read | Yes | -| HeadBucket | Bucket | Read | No | -| HeadObject | Object | Read | Yes | -| ListBuckets | Bucket | List | No | -| ListMultipartUploads | Object | List | Yes | -| ListObjects | Object | List | Yes | -| ListObjectsV2 | Object | List | Yes | -| ListObjectVersions | Object | List | Yes | -| ListParts | Object | List | Yes | -| PostObject | Object | Create | No | -| PutBucketAcl | Bucket | Write | No | -| PutBucketCors | Bucket | Write | No | -| PutBucketLifecycleConfiguration | Bucket | Write | No | -| PutBucketPolicy | Policy | Write | No | -| PutBucketTagging | Bucket | Write | No | -| PutBucketVersioning | 
Bucket | Write | No | -| PutBucketWebsite | Bucket | Write | No | -| PutObject | Object | Create | No | -| PutObjectAcl | Object | Write | No | -| PutObjectLegalHold | Object | Write | No | -| PutObjectLockConfiguration | Object | Write | No | -| PutObjectRetention | Object | Write | No | -| PutObjectTagging | Object | Write | No | -| RestoreObject | Object | Write | No | -| UploadPart | Object | Write | No | -| UploadPartCopy | Object | Write | No | +| Amazon S3 Action | Bucket Policy Action | +|---------------------------------|-----------------------------| +| GetObject | s3:GetObject | +| GetObjectAcl | s3:GetObjectAcl | +| GetObjectLegalHold | s3:GetObjectLegalHold | +| GetObjectLockConfiguration | s3:GetObjectLockConfiguration| +| GetObjectRetention | s3:GetObjectRetention | +| GetObjectTagging | s3:GetObjectTagging | +| HeadObject | s3:HeadObject | +| ListMultipartUploads | s3:ListMultipartUploads | +| ListObjects | s3:ListBucket | +| ListObjectsV2 | s3:ListBucket | +| ListObjectVersions | s3:ListBucket | +| ListParts | s3:ListMultipartUploadParts | ## ObjectStorageObjectsWrite -| Amazon S3 action | IAM resource | IAM action | Authorized | -|---------------------------------|--------------|------------|------------| -| AbortMultipartUpload | Object | Delete | No | -| CompleteMultipartUpload | Object | Create | Yes | -| CopyObject | Object | Write | Yes | -| CreateBucket | Bucket | Create | No | -| CreateMultipartUpload | Object | Create | Yes | -| DeleteBucket | Bucket | Delete | No | -| DeleteBucketCors | Bucket | Write | No | -| DeleteBucketLifecycle | Bucket | Write | No | -| DeleteBucketPolicy | Policy | Write | No | -| DeleteBucketTagging | Bucket | Write | No | -| DeleteBucketWebsite | Bucket | Write | No | -| DeleteObject | Object | Delete | No | -| DeleteObjects | Object | Delete | No | -| DeleteObjectTagging | Object | Write | Yes | -| GetBucketAcl | Bucket | Read | No | -| GetBucketCors | Bucket | Read | No | -| GetBucketLifecycleConfiguration | 
Bucket | Read | No | -| GetBucketLocation | Bucket | Read | No | -| GetBucketPolicy | Policy | Read | No | -| GetBucketPolicyStatus | Policy | Read | No | -| GetBucketTagging | Bucket | Read | No | -| GetBucketVersioning | Bucket | Read | No | -| GetBucketWebsite | Bucket | Read | No | -| GetObject | Object | Read | No | -| GetObjectAcl | Object | Read | No | -| GetObjectLegalHold | Object | Read | No | -| GetObjectLockConfiguration | Object | Read | No | -| GetObjectRetention | Object | Read | No | -| GetObjectTagging | Object | Read | No | -| HeadBucket | Bucket | Read | No | -| HeadObject | Object | Read | No | -| ListBuckets | Bucket | List | No | -| ListMultipartUploads | Object | List | No | -| ListObjects | Object | List | No | -| ListObjectsV2 | Object | List | No | -| ListObjectVersions | Object | List | No | -| ListParts | Object | List | No | -| PostObject | Object | Create | Yes | -| PutBucketAcl | Bucket | Write | No | -| PutBucketCors | Bucket | Write | No | -| PutBucketLifecycleConfiguration | Bucket | Write | No | -| PutBucketPolicy | Policy | Write | No | -| PutBucketTagging | Bucket | Write | No | -| PutBucketVersioning | Bucket | Write | No | -| PutBucketWebsite | Bucket | Write | No | -| PutObject | Object | Create | Yes | -| PutObjectAcl | Object | Write | Yes | -| PutObjectLegalHold | Object | Write | Yes | -| PutObjectLockConfiguration | Object | Write | Yes | -| PutObjectRetention | Object | Write | Yes | -| PutObjectTagging | Object | Write | Yes | -| RestoreObject | Object | Write | Yes | -| UploadPart | Object | Write | Yes | -| UploadPartCopy | Object | Write | Yes | +| Amazon S3 action | Bucket Policy Action | +|---------------------------------|-----------------------------| +| CompleteMultipartUpload | s3:PutObject | +| CopyObject | s3:CopyObject | +| CreateMultipartUpload | s3:PutObject | +| DeleteObjectTagging | s3:DeleteObjectTagging | +| PostObject | s3:PostObject | +| PutObject | s3:PutObject | +| PutObjectAcl | s3:PutObjectAcl | 
+| PutObjectLegalHold | s3:PutObjectLegalHold | +| PutObjectLockConfiguration | s3:PutObjectLockConfiguration| +| PutObjectRetention | s3:PutObjectRetention | +| PutObjectTagging | s3:PutObjectTagging | +| RestoreObject | s3:RestoreObject | +| UploadPart | s3:UploadPart | +| UploadPartCopy | s3:UploadPartCopy | ## ObjectStorageObjectsDelete -| Amazon S3 Action | IAM Resource | IAM Action | Authorized | -|---------------------------------|--------------|------------|------------| -| AbortMultipartUpload | Object | Delete | Yes | -| CompleteMultipartUpload | Object | Create | No | -| CopyObject | Object | Write | No | -| CreateBucket | Bucket | Create | No | -| CreateMultipartUpload | Object | Create | No | -| DeleteBucket | Bucket | Delete | No | -| DeleteBucketCors | Bucket | Write | No | -| DeleteBucketLifecycle | Bucket | Write | No | -| DeleteBucketPolicy | Policy | Write | No | -| DeleteBucketTagging | Bucket | Write | No | -| DeleteBucketWebsite | Bucket | Write | No | -| DeleteObject | Object | Delete | Yes | -| DeleteObjects | Object | Delete | Yes | -| DeleteObjectTagging | Object | Write | No | -| GetBucketAcl | Bucket | Read | No | -| GetBucketCors | Bucket | Read | No | -| GetBucketLifecycleConfiguration | Bucket | Read | No | -| GetBucketLocation | Bucket | Read | No | -| GetBucketPolicy | Policy | Read | No | -| GetBucketPolicyStatus | Policy | Read | No | -| GetBucketTagging | Bucket | Read | No | -| GetBucketVersioning | Bucket | Read | No | -| GetBucketWebsite | Bucket | Read | No | -| GetObject | Object | Read | No | -| GetObjectAcl | Object | Read | No | -| GetObjectLegalHold | Object | Read | No | -| GetObjectLockConfiguration | Object | Read | No | -| GetObjectRetention | Object | Read | No | -| GetObjectTagging | Object | Read | No | -| HeadBucket | Bucket | Read | No | -| HeadObject | Object | Read | No | -| ListBuckets | Bucket | List | No | -| ListMultipartUploads | Object | List | No | -| ListObjects | Object | List | No | -| ListObjectsV2 
| Object | List | No | -| ListObjectVersions | Object | List | No | -| ListParts | Object | List | No | -| PostObject | Object | Create | No | -| PutBucketAcl | Bucket | Write | No | -| PutBucketCors | Bucket | Write | No | -| PutBucketLifecycleConfiguration | Bucket | Write | No | -| PutBucketPolicy | Policy | Write | No | -| PutBucketTagging | Bucket | Write | No | -| PutBucketVersioning | Bucket | Write | No | -| PutBucketWebsite | Bucket | Write | No | -| PutObject | Object | Create | No | -| PutObjectAcl | Object | Write | No | -| PutObjectLegalHold | Object | Write | No | -| PutObjectLockConfiguration | Object | Write | No | -| PutObjectRetention | Object | Write | No | -| PutObjectTagging | Object | Write | No | -| RestoreObject | Object | Write | No | -| UploadPart | Object | Write | No | -| UploadPartCopy | Object | Write | No | \ No newline at end of file +| Amazon S3 Action | Bucket Policy Action | +|---------------------------------|-----------------------------| +| AbortMultipartUpload | s3:AbortMultipartUpload | +| DeleteObject | s3:DeleteObject | +| DeleteObjects | s3:DeleteObjects | From 580b50293c794ff116f42fba6db962247ec3a51e Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Fri, 10 Oct 2025 13:40:10 +0200 Subject: [PATCH 2/6] docs(obj): update --- .../s3-iam-permissions-equivalence.mdx | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/pages/object-storage/reference-content/s3-iam-permissions-equivalence.mdx b/pages/object-storage/reference-content/s3-iam-permissions-equivalence.mdx index 60731ad432..f91b3c90b9 100644 --- a/pages/object-storage/reference-content/s3-iam-permissions-equivalence.mdx +++ b/pages/object-storage/reference-content/s3-iam-permissions-equivalence.mdx 
@@ -4,7 +4,7 @@ description: Understand how IAM permissions in Amazon S3 relate to Scaleway Obje tags: object-storage amazon-s3 aws action equivalent iam permission set --- -Below is a list of Object Storage API actions authorized for each [permission set](). +Below is a list of Object Storage API actions authorized for each [permission set](/iam/reference-content/permission-sets/). ## ObjectStorageFullAccess @@ -68,7 +68,7 @@ Below is a list of Object Storage API actions authorized for each [permission se ## ObjectStorageReadOnly | Amazon S3 Action | Bucket Policy Action | -| ------------------------------- |-----------------------------| +| ------------------------------- |------------------------------| | GetBucketAcl | s3:GetBucketAcl | | GetBucketCors | s3:GetBucketCors | | GetBucketLifecycleConfiguration | s3:GetBucketLifecycle | @@ -96,7 +96,7 @@ Below is a list of Object Storage API actions authorized for each [permission se ## ObjectStorageBucketsRead | Amazon S3 Action | Bucket Policy Action | -|---------------------------------|-----------------------------| +|---------------------------------|------------------------------| | GetBucketAcl | s3:GetBucketAcl | | GetBucketCors | s3:GetBucketCors | | GetBucketLifecycleConfiguration | s3:GetBucketLifecycle | @@ -110,7 +110,7 @@ Below is a list of Object Storage API actions authorized for each [permission se ## ObjectStorageBucketsWrite | Amazon S3 Action | Bucket Policy Action | -|---------------------------------|-----------------------------| +|---------------------------------|------------------------------| | CreateBucket | s3:CreateBucket | | DeleteBucketCors | s3:DeleteBucketCors | | DeleteBucketLifecycle | s3:DeleteBucketLifecycle | 
@@ -126,13 +126,13 @@ Below is a list of Object Storage API actions authorized for each [permission se ## ObjectStorageBucketsDelete | Amazon S3 Action | Bucket Policy Action | -|---------------------------------|-----------------------------| +|---------------------------------|------------------------------| | DeleteBucket | s3:DeleteBucket | ## ObjectStorageObjectsRead | Amazon S3 Action | Bucket Policy Action | -|---------------------------------|-----------------------------| +|---------------------------------|------------------------------| | GetObject | s3:GetObject | | GetObjectAcl | s3:GetObjectAcl | | GetObjectLegalHold | s3:GetObjectLegalHold | @@ -149,7 +149,7 @@ Below is a list of Object Storage API actions authorized for each [permission se ## ObjectStorageObjectsWrite | Amazon S3 action | Bucket Policy Action | -|---------------------------------|-----------------------------| +|---------------------------------|------------------------------| | CompleteMultipartUpload | s3:PutObject | | CopyObject | s3:CopyObject | | CreateMultipartUpload | s3:PutObject | @@ -168,7 +168,7 @@ Below is a list of Object Storage API actions authorized for each [permission se ## ObjectStorageObjectsDelete | Amazon S3 Action | Bucket Policy Action | -|---------------------------------|-----------------------------| +|---------------------------------|------------------------------| | AbortMultipartUpload | s3:AbortMultipartUpload | | DeleteObject | s3:DeleteObject | | DeleteObjects | s3:DeleteObjects | From 1076fa2e8e4c6091c3aee867547ff82912a341ed Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Fri, 10 Oct 2025 14:03:47 +0200 Subject: [PATCH 3/6] docs(obj): update - only full access is ok --- .../s3-iam-permissions-equivalence.mdx | 116 +++++++++--------- 1 file changed, 58 insertions(+), 58 deletions(-) 
diff --git a/pages/object-storage/reference-content/s3-iam-permissions-equivalence.mdx b/pages/object-storage/reference-content/s3-iam-permissions-equivalence.mdx index f91b3c90b9..b7ab0a3429 100644 --- a/pages/object-storage/reference-content/s3-iam-permissions-equivalence.mdx +++ b/pages/object-storage/reference-content/s3-iam-permissions-equivalence.mdx 
@@ -4,67 +4,67 @@ description: Understand how IAM permissions in Amazon S3 relate to Scaleway Obje tags: object-storage amazon-s3 aws action equivalent iam permission set --- -Below is a list of Object Storage API actions authorized for each [permission set](/iam/reference-content/permission-sets/). +Below is a list of Object Storage API actions authorized for each [permission set](/iam/reference-content/permission-sets/). Actions that are not explicitly authorized in a permission set are denied by default. ## ObjectStorageFullAccess -| Amazon S3 action | Bucket Policy Action | -|---------------------------------|------------------------------| -| AbortMultipartUpload | s3:AbortMultipartUpload | -| CompleteMultipartUpload | s3:PutObject | -| CopyObject | s3:CopyObject | -| CreateBucket | s3:CreateBucket | -| CreateMultipartUpload | s3:PutObject | -| DeleteBucket | s3:DeleteBucket | -| DeleteBucketCors | s3:PutBucketCors | -| DeleteBucketLifecycle | s3:PutLifecycleConfiguration | -| DeleteBucketPolicy | s3:DeleteBucketPolicy | -| DeleteBucketTagging | s3:PutBucketTagging | -| DeleteBucketWebsite | s3:DeleteBucketWebsite | -| DeleteObject | s3:DeleteObject | -| DeleteObjects | s3:DeleteObjects | -| DeleteObjectTagging | s3:DeleteObjectTagging | -| GetBucketAcl | s3:GetBucketAcl | -| GetBucketCors | s3:GetBucketCors | -| GetBucketLifecycleConfiguration | s3:GetBucketLifecycle | -| GetBucketLocation | s3:GetBucketLocation | -| GetBucketPolicy | s3:GetBucketPolicy | -| GetBucketPolicyStatus | s3:GetBucketPolicyStatus | -| GetBucketTagging | s3:GetBucketTagging | -| GetBucketVersioning | s3:GetBucketVersioning | -| GetBucketWebsite | s3:GetBucketWebsite | -| GetObject | s3:GetObject | -| GetObjectAcl | s3:GetObjectAcl | -| GetObjectLegalHold | s3:GetObjectLegalHold | -| GetObjectLockConfiguration | s3:GetObjectLockConfiguration| -| GetObjectRetention | s3:GetObjectRetention | -| GetObjectTagging | s3:GetObjectTagging | -| HeadBucket | s3:HeadBucket | -| HeadObject | 
s3:HeadObject | -| ListBuckets | s3:ListBucket | -| ListMultipartUploads | s3:ListMultipartUploads | -| ListObjects | s3:ListBucket | -| ListObjectsV2 | s3:ListBucket | -| ListObjectVersions | s3:ListBucket | -| ListParts | s3:ListMultipartUploadParts | -| PostObject | s3:PostObject | -| PutBucketAcl | s3:PutBucketAcl | -| PutBucketCors | s3:PutBucketCors | -| PutBucketLifecycleConfiguration | s3:PutBucketLifecycle | -| PutBucketPolicy | s3:PutBucketPolicy | -| PutBucketTagging | s3:PutBucketTagging | -| PutBucketVersioning | s3:PutBucketVersioning | -| PutBucketWebsite | s3:PutBucketWebsite | -| PutObject | s3:PutObject | -| PutObjectAcl | s3:PutObjectAcl | -| PutObjectLegalHold | s3:PutObjectLegalHold | -| PutObjectLockConfiguration | s3:PutObjectLockConfiguration| -| PutObjectRetention | s3:PutObjectRetention | -| PutObjectTagging | s3:PutObjectTagging | -| RestoreObject | s3:RestoreObject | -| UploadPart | s3:UploadPart | -| UploadPartCopy | s3:UploadPartCopy | - +| Amazon S3 action | Bucket policy action required | +|------------------------------------------------|------------------------------------| +| AbortMultipartUpload | s3:AbortMultipartUpload | +| CompleteMultipartUpload | s3:PutObject | +| CopyObject | s3:PutObject | +| CreateMultipartUpload | s3:PutObject | +| DeleteBucketCors | s3:PutBucketCORS | +| DeleteBucketLifecycleConfiguration | s3:PutLifecycleConfiguration | +| DeleteBucketTagging | s3:PutBucketTagging | +| DeleteBucketWebsite | s3:DeleteBucketWebsite | +| DeleteObject (versionId required) | s3:DeleteObjectVersion | +| DeleteObject | s3:DeleteObject | +| DeleteObjects (versionId required) | s3:DeleteObjectVersion | +| DeleteObjects | s3:DeleteObject | +| DeleteObjectTagging (versionId required) | s3:DeleteObjectVersionTagging | +| DeleteObjectTagging | s3:DeleteObjectTagging | +| GetBucketAcl | s3:GetBucketAcl | +| GetBucketCors | s3:GetBucketCORS | +| GetBucketLifecycleConfiguration | s3:GetLifecycleConfiguration | +| GetBucketLocation | 
s3:GetBucketLocation | +| GetBucketTagging | s3:GetBucketTagging | +| GetBucketVersioning | s3:GetBucketVersioning | +| GetBucketWebsite | s3:GetBucketWebsite | +| GetObject (versionId required) | s3:GetObjectVersion | +| GetObject | s3:GetObject | +| GetObjectAcl | s3:GetObjectAcl | +| GetObjectAttributes (versionId required) | s3:GetObjectVersionAttributes | +| GetObjectAttributes | s3:GetObjectAttributes | +| GetObjectLegalHold | s3:GetObjectLegalHold | +| GetObjectLockConfiguration | s3:GetBucketObjectLockConfiguration| +| GetObjectRetention | s3:GetObjectRetention | +| GetObjectTagging (versionId required) | s3:GetObjectVersionTagging | +| GetObjectTagging | s3:GetObjectTagging | +| HeadBucket | s3:ListBucket | +| HeadObject | s3:GetObject | +| ListMultipartUploads | s3:ListBucketMultipartUploads | +| ListObjects | s3:ListBucket | +| ListObjectsV2 | s3:ListBucket | +| ListObjectVersions | s3:ListBucketVersions | +| ListParts | s3:ListMultipartUploadParts | +| PostObject | s3:PutObject | +| PutBucketAcl | s3:PutBucketAcl | +| PutBucketCors | s3:PutBucketCORS | +| PutBucketLifecycleConfiguration | s3:PutLifecycleConfiguration | +| PutBucketTagging | s3:PutBucketTagging | +| PutBucketVersioning | s3:PutBucketVersioning | +| PutBucketWebsite | s3:PutBucketWebsite | +| PutObject | s3:PutObject | +| PutObjectAcl | s3:PutObjectAcl | +| PutObjectLegalHold | s3:PutObjectLegalHold | +| PutObjectLockConfiguration | s3:PutBucketObjectLockConfiguration| +| PutObjectRetention | s3:PutObjectRetention | +| PutObjectTagging (versionId required) | s3:PutObjectVersionTagging | +| PutObjectTagging | s3:PutObjectTagging | +| RestoreObject | s3:RestoreObject | +| UploadPart | s3:PutObject | +| UploadPartCopy | s3:PutObject | ## ObjectStorageReadOnly | Amazon S3 Action | Bucket Policy Action | From 591dff5b0b5f91956ad17447bb511c442b4415e8 Mon Sep 17 00:00:00 2001 
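Review bot: The rewritten ObjectStorageFullAccess table in hunk `@@ -4,67 +4,67 @@` silently drops CreateBucket, DeleteBucket, ListBuckets, GetBucketPolicy, GetBucketPolicyStatus, PutBucketPolicy and DeleteBucketPolicy, and the new intro sentence states that anything not explicitly listed is denied by default, so a reader will conclude that the full-access set can neither create or delete buckets nor manage bucket policies. If those operations are authorized by the permission set but have no bucket-policy counterpart, keep their rows with an explicit marker (for example `| CreateBucket | - |`) or add a sentence above the table saying why they are omitted. Two smaller points on the same hunk: the qualifier `(versionId required)` reads as if the operation itself demands a version ID, while the row means "when a `versionId` is supplied", so reword it; and CopyObject and UploadPartCopy are now mapped only to `s3:PutObject`, so if reading the source object also needs a permission, the single-column layout cannot express it and a footnote would help.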
From: Samy OUBOUAZIZ Date: Fri, 10 Oct 2025 14:48:34 +0200 Subject: [PATCH 4/6] docs(obj): update --- .../s3-iam-permissions-equivalence.mdx | 336 ++++++++++-------- 1 file changed, 184 insertions(+), 152 deletions(-) diff --git a/pages/object-storage/reference-content/s3-iam-permissions-equivalence.mdx b/pages/object-storage/reference-content/s3-iam-permissions-equivalence.mdx index b7ab0a3429..4b4f4422ac 100644 --- a/pages/object-storage/reference-content/s3-iam-permissions-equivalence.mdx +++ b/pages/object-storage/reference-content/s3-iam-permissions-equivalence.mdx 
@@ -3,172 +3,204 @@ title: Amazon S3 and IAM permissions equivalence description: Understand how IAM permissions in Amazon S3 relate to Scaleway Object Storage. tags: object-storage amazon-s3 aws action equivalent iam permission set --- - Below is a list of Object Storage API actions authorized for each [permission set](/iam/reference-content/permission-sets/). Actions that are not explicitly authorized in a permission set are denied by default. ## ObjectStorageFullAccess +| Object Storage action | Bucket policy action required | +|------------------------------------------------|-------------------------------------------------| +| CreateBucket | - | +| AbortMultipartUpload | s3:AbortMultipartUpload | +| CompleteMultipartUpload | s3:PutObject | +| CopyObject | s3:PutObject | +| CreateMultipartUpload | s3:PutObject | +| DeleteBucketCors | s3:PutBucketCORS | +| DeleteBucketLifecycleConfiguration | s3:PutLifecycleConfiguration | +| DeleteBucketTagging | s3:PutBucketTagging | +| DeleteBucketWebsite | s3:DeleteBucketWebsite | +| DeleteObject (with a `versionId` specified) | s3:DeleteObjectVersion | +| DeleteObject | s3:DeleteObject | +| DeleteObjects (with a `versionId` specified) | s3:DeleteObjectVersion | +| DeleteObjects | s3:DeleteObject | +| DeleteObjectTagging (with a `versionId` specified) | s3:DeleteObjectVersionTagging | +| DeleteObjectTagging | s3:DeleteObjectTagging | +| GetBucketAcl | s3:GetBucketAcl | +| GetBucketCors | s3:GetBucketCORS | +| GetBucketLifecycleConfiguration | s3:GetLifecycleConfiguration | +| GetBucketLocation | s3:GetBucketLocation | +| GetBucketTagging | s3:GetBucketTagging | +| GetBucketVersioning | s3:GetBucketVersioning | +| GetBucketWebsite | s3:GetBucketWebsite | +| GetObject (with a `versionId` specified) | s3:GetObjectVersion | +| GetObject | s3:GetObject | +| GetObjectAcl | s3:GetObjectAcl | +| GetObjectAttributes (with a `versionId` specified) | s3:GetObjectVersionAttributes | +| GetObjectAttributes | s3:GetObjectAttributes | +| 
GetObjectLegalHold | s3:GetObjectLegalHold | +| GetObjectLockConfiguration | s3:GetBucketObjectLockConfiguration | +| GetObjectRetention | s3:GetObjectRetention | +| GetObjectTagging (with a `versionId` specified)| s3:GetObjectVersionTagging | +| GetObjectTagging | s3:GetObjectTagging | +| HeadBucket | s3:ListBucket | +| HeadObject | s3:GetObject | +| ListMultipartUploads | s3:ListBucketMultipartUploads | +| ListObjects | s3:ListBucket | +| ListObjectsV2 | s3:ListBucket | +| ListObjectVersions | s3:ListBucketVersions | +| ListParts | s3:ListMultipartUploadParts | +| PostObject | s3:PutObject | +| PutBucketAcl | s3:PutBucketAcl | +| PutBucketCors | s3:PutBucketCORS | +| PutBucketLifecycleConfiguration | s3:PutLifecycleConfiguration | +| PutBucketTagging | s3:PutBucketTagging | +| PutBucketVersioning | s3:PutBucketVersioning | +| PutBucketWebsite | s3:PutBucketWebsite | +| PutObject | s3:PutObject | +| PutObjectAcl | s3:PutObjectAcl | +| PutObjectLegalHold | s3:PutObjectLegalHold | +| PutObjectLockConfiguration | s3:PutBucketObjectLockConfiguration | +| PutObjectRetention | s3:PutObjectRetention | +| PutObjectTagging (with a `versionId` specified)| s3:PutObjectVersionTagging | +| PutObjectTagging | s3:PutObjectTagging | +| RestoreObject | s3:RestoreObject | +| UploadPart | s3:PutObject | +| UploadPartCopy | s3:PutObject | -| Amazon S3 action | Bucket policy action required | -|------------------------------------------------|------------------------------------| -| AbortMultipartUpload | s3:AbortMultipartUpload | -| CompleteMultipartUpload | s3:PutObject | -| CopyObject | s3:PutObject | -| CreateMultipartUpload | s3:PutObject | -| DeleteBucketCors | s3:PutBucketCORS | -| DeleteBucketLifecycleConfiguration | s3:PutLifecycleConfiguration | -| DeleteBucketTagging | s3:PutBucketTagging | -| DeleteBucketWebsite | s3:DeleteBucketWebsite | -| DeleteObject (versionId required) | s3:DeleteObjectVersion | -| DeleteObject | s3:DeleteObject | -| DeleteObjects (versionId 
required) | s3:DeleteObjectVersion | -| DeleteObjects | s3:DeleteObject | -| DeleteObjectTagging (versionId required) | s3:DeleteObjectVersionTagging | -| DeleteObjectTagging | s3:DeleteObjectTagging | -| GetBucketAcl | s3:GetBucketAcl | -| GetBucketCors | s3:GetBucketCORS | -| GetBucketLifecycleConfiguration | s3:GetLifecycleConfiguration | -| GetBucketLocation | s3:GetBucketLocation | -| GetBucketTagging | s3:GetBucketTagging | -| GetBucketVersioning | s3:GetBucketVersioning | -| GetBucketWebsite | s3:GetBucketWebsite | -| GetObject (versionId required) | s3:GetObjectVersion | -| GetObject | s3:GetObject | -| GetObjectAcl | s3:GetObjectAcl | -| GetObjectAttributes (versionId required) | s3:GetObjectVersionAttributes | -| GetObjectAttributes | s3:GetObjectAttributes | -| GetObjectLegalHold | s3:GetObjectLegalHold | -| GetObjectLockConfiguration | s3:GetBucketObjectLockConfiguration| -| GetObjectRetention | s3:GetObjectRetention | -| GetObjectTagging (versionId required) | s3:GetObjectVersionTagging | -| GetObjectTagging | s3:GetObjectTagging | -| HeadBucket | s3:ListBucket | -| HeadObject | s3:GetObject | -| ListMultipartUploads | s3:ListBucketMultipartUploads | -| ListObjects | s3:ListBucket | -| ListObjectsV2 | s3:ListBucket | -| ListObjectVersions | s3:ListBucketVersions | -| ListParts | s3:ListMultipartUploadParts | -| PostObject | s3:PutObject | -| PutBucketAcl | s3:PutBucketAcl | -| PutBucketCors | s3:PutBucketCORS | -| PutBucketLifecycleConfiguration | s3:PutLifecycleConfiguration | -| PutBucketTagging | s3:PutBucketTagging | -| PutBucketVersioning | s3:PutBucketVersioning | -| PutBucketWebsite | s3:PutBucketWebsite | -| PutObject | s3:PutObject | -| PutObjectAcl | s3:PutObjectAcl | -| PutObjectLegalHold | s3:PutObjectLegalHold | -| PutObjectLockConfiguration | s3:PutBucketObjectLockConfiguration| -| PutObjectRetention | s3:PutObjectRetention | -| PutObjectTagging (versionId required) | s3:PutObjectVersionTagging | -| PutObjectTagging | s3:PutObjectTagging 
| -| RestoreObject | s3:RestoreObject | -| UploadPart | s3:PutObject | -| UploadPartCopy | s3:PutObject | ## ObjectStorageReadOnly - -| Amazon S3 Action | Bucket Policy Action | -| ------------------------------- |------------------------------| -| GetBucketAcl | s3:GetBucketAcl | -| GetBucketCors | s3:GetBucketCors | -| GetBucketLifecycleConfiguration | s3:GetBucketLifecycle | -| GetBucketLocation | s3:GetBucketLocation | -| GetBucketPolicy | s3:GetBucketPolicy | -| GetBucketPolicyStatus | s3:GetBucketPolicyStatus | -| GetBucketTagging | s3:GetBucketTagging | -| GetBucketVersioning | s3:GetBucketVersioning | -| GetBucketWebsite | s3:GetBucketWebsite | -| GetObject | s3:GetObject | -| GetObjectAcl | s3:GetObjectAcl | -| GetObjectLegalHold | s3:GetObjectLegalHold | -| GetObjectLockConfiguration | s3:GetObjectLockConfiguration| -| GetObjectRetention | s3:GetObjectRetention | -| GetObjectTagging | s3:GetObjectTagging | -| HeadBucket | s3:HeadBucket | -| HeadObject | s3:HeadObject | -| ListBuckets | s3:ListBucket | -| ListMultipartUploads | s3:ListMultipartUploads | -| ListObjects | s3:ListBucket | -| ListObjectsV2 | s3:ListBucket | -| ListObjectVersions | s3:ListBucket | -| ListParts | s3:ListMultipartUploadParts | +| Object Storage action | Bucket policy action required | +|------------------------------------------------|-------------------------------------------------| +| GetBucketAcl | s3:GetBucketAcl | +| GetBucketCors | s3:GetBucketCORS | +| GetBucketLifecycleConfiguration | s3:GetLifecycleConfiguration | +| GetBucketLocation | s3:GetBucketLocation | +| GetBucketTagging | s3:GetBucketTagging | +| GetBucketVersioning | s3:GetBucketVersioning | +| GetBucketWebsite | s3:GetBucketWebsite | +| GetObject (with a `versionId` specified) | s3:GetObjectVersion | +| GetObject | s3:GetObject | +| GetObjectAcl | s3:GetObjectAcl | +| GetObjectAttributes (with a `versionId` specified) | s3:GetObjectVersionAttributes | +| GetObjectAttributes | s3:GetObjectAttributes | +| 
GetObjectLegalHold | s3:GetObjectLegalHold | +| GetObjectLockConfiguration | s3:GetBucketObjectLockConfiguration | +| GetObjectRetention | s3:GetObjectRetention | +| GetObjectTagging (with a `versionId` specified)| s3:GetObjectVersionTagging | +| GetObjectTagging | s3:GetObjectTagging | +| HeadBucket | s3:ListBucket | +| HeadObject | s3:GetObject | +| ListBuckets | s3:ListBucket | +| ListMultipartUploads | s3:ListBucketMultipartUploads | +| ListObjects | s3:ListBucket | +| ListObjectsV2 | s3:ListBucket | +| ListObjectVersions | s3:ListBucketVersions | +| ListParts | s3:ListMultipartUploadParts | ## ObjectStorageBucketsRead - -| Amazon S3 Action | Bucket Policy Action | -|---------------------------------|------------------------------| -| GetBucketAcl | s3:GetBucketAcl | -| GetBucketCors | s3:GetBucketCors | -| GetBucketLifecycleConfiguration | s3:GetBucketLifecycle | -| GetBucketLocation | s3:GetBucketLocation | -| GetBucketTagging | s3:GetBucketTagging | -| GetBucketVersioning | s3:GetBucketVersioning | -| GetBucketWebsite | s3:GetBucketWebsite | -| HeadBucket | s3:HeadBucket | -| ListBuckets | s3:ListBucket | +| Object Storage action | Bucket policy action required | +|------------------------------------------------|-------------------------------------------------| +| GetBucketAcl | s3:GetBucketAcl | +| GetBucketCors | s3:GetBucketCORS | +| GetBucketLifecycleConfiguration | s3:GetLifecycleConfiguration | +| GetBucketLocation | s3:GetBucketLocation | +| GetBucketTagging | s3:GetBucketTagging | +| GetBucketVersioning | s3:GetBucketVersioning | +| GetBucketWebsite | s3:GetBucketWebsite | +| HeadBucket | s3:ListBucket | +| ListBuckets | s3:ListBucket | ## ObjectStorageBucketsWrite - -| Amazon S3 Action | Bucket Policy Action | -|---------------------------------|------------------------------| -| CreateBucket | s3:CreateBucket | -| DeleteBucketCors | s3:DeleteBucketCors | -| DeleteBucketLifecycle | s3:DeleteBucketLifecycle | -| DeleteBucketTagging | 
s3:DeleteBucketTagging | -| DeleteBucketWebsite | s3:DeleteBucketWebsite | -| PutBucketAcl | s3:PutBucketAcl | -| PutBucketCors | s3:PutBucketCors | -| PutBucketLifecycleConfiguration | s3:PutBucketLifecycle | -| PutBucketTagging | s3:PutBucketTagging | -| PutBucketVersioning | s3:PutBucketVersioning | -| PutBucketWebsite | s3:PutBucketWebsite | +| Object Storage action | Bucket policy action required | +|------------------------------------------------|-------------------------------------------------| +| CreateBucket | - | +| DeleteBucketCors | s3:PutBucketCORS | +| DeleteBucketLifecycleConfiguration | s3:PutLifecycleConfiguration | +| DeleteBucketTagging | s3:PutBucketTagging | +| DeleteBucketWebsite | s3:DeleteBucketWebsite | +| PutBucketAcl | s3:PutBucketAcl | +| PutBucketCors | s3:PutBucketCORS | +| PutBucketLifecycleConfiguration | s3:PutLifecycleConfiguration | +| PutBucketTagging | s3:PutBucketTagging | +| PutBucketVersioning | s3:PutBucketVersioning | +| PutBucketWebsite | s3:PutBucketWebsite | ## ObjectStorageBucketsDelete - -| Amazon S3 Action | Bucket Policy Action | -|---------------------------------|------------------------------| -| DeleteBucket | s3:DeleteBucket | +| Object Storage action | Bucket policy action required | +|---------------------------|-------------------------------| +| DeleteBucket | s3:DeleteBucket | ## ObjectStorageObjectsRead - -| Amazon S3 Action | Bucket Policy Action | -|---------------------------------|------------------------------| -| GetObject | s3:GetObject | -| GetObjectAcl | s3:GetObjectAcl | -| GetObjectLegalHold | s3:GetObjectLegalHold | -| GetObjectLockConfiguration | s3:GetObjectLockConfiguration| -| GetObjectRetention | s3:GetObjectRetention | -| GetObjectTagging | s3:GetObjectTagging | -| HeadObject | s3:HeadObject | -| ListMultipartUploads | s3:ListMultipartUploads | -| ListObjects | s3:ListBucket | -| ListObjectsV2 | s3:ListBucket | -| ListObjectVersions | s3:ListBucket | -| ListParts | 
s3:ListMultipartUploadParts | +| Object Storage action | Bucket policy action required | +|------------------------------------------------|-------------------------------------------------| +| GetObject | s3:GetObject | +| GetObjectAcl | s3:GetObjectAcl | +| GetObjectLegalHold | s3:GetObjectLegalHold | +| GetObjectLockConfiguration | s3:GetObjectLockConfiguration | +| GetObjectRetention | s3:GetObjectRetention | +| GetObjectTagging | s3:GetObjectTagging | +| HeadObject | s3:HeadObject | +| ListMultipartUploads | s3:ListMultipartUploads | +| ListObjects | s3:ListBucket | +| ListObjectsV2 | s3:ListBucket | +| ListObjectVersions | s3:ListBucket | +| ListParts | s3:ListMultipartUploadParts | +| GetObject (with a `versionId` specified) | s3:GetObjectVersion | +| GetObject | s3:GetObject | +| GetObjectAcl | s3:GetObjectAcl | +| GetObjectAttributes (with a `versionId` specified) | s3:GetObjectVersionAttributes | +| GetObjectAttributes | s3:GetObjectAttributes | +| GetObjectLegalHold | s3:GetObjectLegalHold | +| GetObjectLockConfiguration | s3:GetBucketObjectLockConfiguration | +| GetObjectRetention | s3:GetObjectRetention | +| GetObjectTagging (with a `versionId` specified)| s3:GetObjectVersionTagging | +| GetObjectTagging | s3:GetObjectTagging | +| HeadObject | s3:GetObject | +| ListMultipartUploads | s3:ListBucketMultipartUploads | +| ListObjects | s3:ListBucket | +| ListObjectsV2 | s3:ListBucket | +| ListObjectVersions | s3:ListBucketVersions | +| ListParts | s3:ListMultipartUploadParts | ## ObjectStorageObjectsWrite - -| Amazon S3 action | Bucket Policy Action | -|---------------------------------|------------------------------| -| CompleteMultipartUpload | s3:PutObject | -| CopyObject | s3:CopyObject | -| CreateMultipartUpload | s3:PutObject | -| DeleteObjectTagging | s3:DeleteObjectTagging | -| PostObject | s3:PostObject | -| PutObject | s3:PutObject | -| PutObjectAcl | s3:PutObjectAcl | -| PutObjectLegalHold | s3:PutObjectLegalHold | -| PutObjectLockConfiguration 
| s3:PutObjectLockConfiguration| -| PutObjectRetention | s3:PutObjectRetention | -| PutObjectTagging | s3:PutObjectTagging | -| RestoreObject | s3:RestoreObject | -| UploadPart | s3:UploadPart | -| UploadPartCopy | s3:UploadPartCopy | +| Object Storage action | Bucket policy action required | +|------------------------------------------------|-------------------------------------------------| +| CompleteMultipartUpload | s3:PutObject | +| CopyObject | s3:CopyObject | +| CreateMultipartUpload | s3:PutObject | +| DeleteObjectTagging | s3:DeleteObjectTagging | +| PostObject | s3:PostObject | +| PutObject | s3:PutObject | +| PutObjectAcl | s3:PutObjectAcl | +| PutObjectLegalHold | s3:PutObjectLegalHold | +| PutObjectLockConfiguration | s3:PutObjectLockConfiguration | +| PutObjectRetention | s3:PutObjectRetention | +| PutObjectTagging | s3:PutObjectTagging | +| RestoreObject | s3:RestoreObject | +| UploadPart | s3:UploadPart | +| UploadPartCopy | s3:UploadPartCopy | +| CompleteMultipartUpload | s3:PutObject | +| CopyObject | s3:PutObject | +| CreateMultipartUpload | s3:PutObject | +| DeleteObjectTagging (with a `versionId` specified) | s3:DeleteObjectVersionTagging | +| DeleteObjectTagging | s3:DeleteObjectTagging | +| PostObject | s3:PutObject | +| PutObject | s3:PutObject | +| PutObjectAcl | s3:PutObjectAcl | +| PutObjectLegalHold | s3:PutObjectLegalHold | +| PutObjectLockConfiguration | s3:PutBucketObjectLockConfiguration | +| PutObjectRetention | s3:PutObjectRetention | +| PutObjectTagging (with a `versionId` specified) | s3:PutObjectVersionTagging | +| PutObjectTagging | s3:PutObjectTagging | +| RestoreObject | s3:RestoreObject | +| UploadPart | s3:PutObject | +| UploadPartCopy | s3:PutObject | ## ObjectStorageObjectsDelete - -| Amazon S3 Action | Bucket Policy Action | -|---------------------------------|------------------------------| -| AbortMultipartUpload | s3:AbortMultipartUpload | -| DeleteObject | s3:DeleteObject | -| DeleteObjects | s3:DeleteObjects | +| 
Object Storage action | Bucket policy action required | +|------------------------------------------------|-------------------------------------------------| +| AbortMultipartUpload | s3:AbortMultipartUpload | +| DeleteObject | s3:DeleteObject | +| DeleteObjects | s3:DeleteObjects | +| AbortMultipartUpload | s3:AbortMultipartUpload | +| DeleteObject (with a `versionId` specified) | s3:DeleteObjectVersion | +| DeleteObject | s3:DeleteObject | +| DeleteObjects (with a `versionId` specified) | s3:DeleteObjectVersion | +| DeleteObjects | s3:DeleteObject | \ No newline at end of file From 29e14b9f8de0dd468962f410f611d802f0813ec6 Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Fri, 10 Oct 2025 14:50:27 +0200 Subject: [PATCH 5/6] docs(obj): update --- .../s3-iam-permissions-equivalence.mdx | 37 ++++--------------- 1 file changed, 8 insertions(+), 29 deletions(-) diff --git a/pages/object-storage/reference-content/s3-iam-permissions-equivalence.mdx b/pages/object-storage/reference-content/s3-iam-permissions-equivalence.mdx index 4b4f4422ac..2249cb7e41 100644 --- a/pages/object-storage/reference-content/s3-iam-permissions-equivalence.mdx +++ b/pages/object-storage/reference-content/s3-iam-permissions-equivalence.mdx @@ -6,6 +6,7 @@ tags: object-storage amazon-s3 aws action equivalent iam permission set Below is a list of Object Storage API actions authorized for each [permission set](/iam/reference-content/permission-sets/). Actions that are not explicitly authorized in a permission set are denied by default. ## ObjectStorageFullAccess + | Object Storage action | Bucket policy action required | |------------------------------------------------|-------------------------------------------------| | CreateBucket | - | 
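Review bot: In hunk `@@ -3,172 +3,204 @@` the ObjectStorageObjectsRead, ObjectStorageObjectsWrite and ObjectStorageObjectsDelete tables keep the old rows and append the new ones, so most operations now appear twice with contradictory mappings: HeadObject is listed with both `s3:HeadObject` and `s3:GetObject`, GetObjectLockConfiguration with both `s3:GetObjectLockConfiguration` and `s3:GetBucketObjectLockConfiguration`, ListObjectVersions with both `s3:ListBucket` and `s3:ListBucketVersions`, CopyObject with both `s3:CopyObject` and `s3:PutObject`, UploadPart with both `s3:UploadPart` and `s3:PutObject`, and DeleteObjects with both `s3:DeleteObjects` and `s3:DeleteObject`. Remove the first block of each table so that only the mappings consistent with the ObjectStorageFullAccess table remain. Three further points: ObjectStorageBucketsDelete maps DeleteBucket to `s3:DeleteBucket`, yet DeleteBucket is still absent from ObjectStorageFullAccess; the `-` used for CreateBucket is never defined and needs a one-line legend; and the hunk ends with `\ No newline at end of file`, which should be fixed before merging.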
@@ -66,6 +67,7 @@ Below is a list of Object Storage API actions authorized for each [permission se | UploadPartCopy | s3:PutObject | ## ObjectStorageReadOnly + | Object Storage action | Bucket policy action required | |------------------------------------------------|-------------------------------------------------| | GetBucketAcl | s3:GetBucketAcl | @@ -95,6 +97,7 @@ Below is a list of Object Storage API actions authorized for each [permission se | ListParts | s3:ListMultipartUploadParts | ## ObjectStorageBucketsRead + | Object Storage action | Bucket policy action required | |------------------------------------------------|-------------------------------------------------| | GetBucketAcl | s3:GetBucketAcl | @@ -108,6 +111,7 @@ Below is a list of Object Storage API actions authorized for each [permission se | ListBuckets | s3:ListBucket | ## ObjectStorageBucketsWrite + | Object Storage action | Bucket policy action required | |------------------------------------------------|-------------------------------------------------| | CreateBucket | - | 
@@ -123,25 +127,15 @@ Below is a list of Object Storage API actions authorized for each [permission se | PutBucketWebsite | s3:PutBucketWebsite | ## ObjectStorageBucketsDelete + | Object Storage action | Bucket policy action required | |---------------------------|-------------------------------| | DeleteBucket | s3:DeleteBucket | ## ObjectStorageObjectsRead + | Object Storage action | Bucket policy action required | |------------------------------------------------|-------------------------------------------------| -| GetObject | s3:GetObject | -| GetObjectAcl | s3:GetObjectAcl | -| GetObjectLegalHold | s3:GetObjectLegalHold | -| GetObjectLockConfiguration | s3:GetObjectLockConfiguration | -| GetObjectRetention | s3:GetObjectRetention | -| GetObjectTagging | s3:GetObjectTagging | -| HeadObject | s3:HeadObject | -| ListMultipartUploads | s3:ListMultipartUploads | -| ListObjects | s3:ListBucket | -| ListObjectsV2 | s3:ListBucket | -| ListObjectVersions | s3:ListBucket | -| ListParts | s3:ListMultipartUploadParts | | GetObject (with a `versionId` specified) | s3:GetObjectVersion | | GetObject | s3:GetObject | | GetObjectAcl | s3:GetObjectAcl | 
@@ -160,23 +154,10 @@ Below is a list of Object Storage API actions authorized for each [permission se | ListParts | s3:ListMultipartUploadParts | ## ObjectStorageObjectsWrite + | Object Storage action | Bucket policy action required | |------------------------------------------------|-------------------------------------------------| | CompleteMultipartUpload | s3:PutObject | -| CopyObject | s3:CopyObject | -| CreateMultipartUpload | s3:PutObject | -| DeleteObjectTagging | s3:DeleteObjectTagging | -| PostObject | s3:PostObject | -| PutObject | s3:PutObject | -| PutObjectAcl | s3:PutObjectAcl | -| PutObjectLegalHold | s3:PutObjectLegalHold | -| PutObjectLockConfiguration | s3:PutObjectLockConfiguration | -| PutObjectRetention | s3:PutObjectRetention | -| PutObjectTagging | s3:PutObjectTagging | -| RestoreObject | s3:RestoreObject | -| UploadPart | s3:UploadPart | -| UploadPartCopy | s3:UploadPartCopy | -| CompleteMultipartUpload | s3:PutObject | | CopyObject | s3:PutObject | | CreateMultipartUpload | s3:PutObject | | DeleteObjectTagging (with a `versionId` specified) | s3:DeleteObjectVersionTagging | @@ -194,12 +175,10 @@ Below is a list of Object Storage API actions authorized for each [permission se | UploadPartCopy | s3:PutObject | ## ObjectStorageObjectsDelete + | Object Storage action | Bucket policy action required | |------------------------------------------------|-------------------------------------------------| | AbortMultipartUpload | s3:AbortMultipartUpload | -| DeleteObject | s3:DeleteObject | -| DeleteObjects | s3:DeleteObjects | -| AbortMultipartUpload | s3:AbortMultipartUpload | | DeleteObject (with a `versionId` specified) | s3:DeleteObjectVersion | | DeleteObject | s3:DeleteObject | | DeleteObjects (with a `versionId` specified) | s3:DeleteObjectVersion | From c2e2bc86eba6d4543b8b1aa85a65cf14c09b163d Mon Sep 17 00:00:00 2001 
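Review bot: In hunk `@@ -194,12 +175,10 @@` the removed rows include `| DeleteObjects | s3:DeleteObjects |` while the kept row maps DeleteObjects to `s3:DeleteObject`, so this is a change to the documented required permission, not only a deduplication; the same applies to the ObjectsRead and ObjectsWrite hunks, where the retained rows change HeadObject to `s3:GetObject`, ListObjectVersions to `s3:ListBucketVersions` and UploadPart to `s3:PutObject`. State that in the commit message, since `docs(obj): update` gives a reader of the history no hint that required actions changed, and confirm the file now ends with a newline: patch 4 left `\ No newline at end of file` and none of the hunks here shows the trailing context.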
From: Samy OUBOUAZIZ Date: Tue, 14 Oct 2025 17:20:12 +0200 Subject: [PATCH 6/6] docs(blk): update --- pages/object-storage/api-cli/bucket-policy.mdx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pages/object-storage/api-cli/bucket-policy.mdx b/pages/object-storage/api-cli/bucket-policy.mdx index bf56e4fde8..ad091c7d61 100644 --- a/pages/object-storage/api-cli/bucket-policy.mdx +++ b/pages/object-storage/api-cli/bucket-policy.mdx @@ -396,6 +396,8 @@ Bucket policies use a JSON-based access policy language, and are composed of str #### Supported actions +To view the bucket policy action corresponding to each Object Storage API operation, refer to the [dedicated documentation](/object-storage/reference-content/s3-iam-permissions-equivalence/). + ##### Supported global actions - `*`
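Review bot: The commit scope `docs(blk)` does not match the file touched (`pages/object-storage/api-cli/bucket-policy.mdx`); the earlier patches in this series use `docs(obj)`. On the hunk `@@ -396,6 +396,8 @@` itself, the link text "dedicated documentation" tells the reader nothing about the target; use the linked page's own title, `[Amazon S3 and IAM permissions equivalence](/object-storage/reference-content/s3-iam-permissions-equivalence/)`, so the cross-reference is self-describing. Placing the sentence under `#### Supported actions` and before `##### Supported global actions` is the right position.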