ADO.NET Provider for Amazon S3

Build 24.0.9060

Minimum IAM Requirements

We recommend using predefined roles for services rather than creating custom IAM policies, but it if you want to create custom polices, use the roles described in the table below. Note that the specific policies required by the Amazon S3 driver are subject to change in future releases.

Amazon S3 requires at a mininum the following permissions:


IAM RoleDescription
Tables: Buckets
SELECTListAllMyBuckets
INSERTCreateBucket
DELETEGetBucketLocation and DeleteBucket
Tables: Objects
SELECTGetBucketLocation and ListBucket
DELETEGetBucketLocation and DeleteObject
Views
(All views require GetBucketLocation
in addition to the permission listed below)
BucketsACLListBucket
BucketsAnalyticsGetAnalyticsConfiguration
BucketsCORSGetBucketCORS
BucketsInventoryGetInventoryConfiguration
BucketsLifeCycleGetLifecycleConfiguration
BucketsReplicationGetReplicationConfiguration
ObjectsACLGetObjectAcl
PublicAccessBlockGetBucketPublicAccessBlock
Stored Procedures
(All procedures require GetBucketLocation
in addition to the permission listed below)
CopyObjectGetObject at source bucket and PutObject at destination bucket
DownloadObjectTorrentGetObjectTorrent
DownloadObjectsGetObject
UploadObjects PutObject

JSON Example

A JSON version of a minimum permissions policy for full driver functionality is shown below. 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketPublicAccessBlock",
                "s3:GetLifecycleConfiguration",
                "s3:GetInventoryConfiguration",
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:GetReplicationConfiguration",
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:GetObjectTorrent",
                "s3:ListAllMyBuckets",
                "s3:GetBucketCORS",
                "s3:GetAnalyticsConfiguration",
                "s3:DeleteObject",
                "s3:GetBucketLocation",
                "s3:DeleteBucket"
            ],
            "Resource": "*"
        }
    ]"
}
In the above example, "Resource" is set to * to allow access to all buckets, but you can limit access to only one specific bucket.

Copyright (c) 2024 CData Software, Inc. - All rights reserved.
Build 24.0.9060