Creating Groups with Single and Multiple Prefixes
Some examples of single-prefix and multiple-prefix groups
The RBAC group definitions support cases where multiple prefixes can be used for various conditions. When a group requires its users to access multiple prefixes, the RBAC permission definitions can be updated to refer to multiple bucket names or prefixes. Refer to the following examples.
NOTE:
While it is possible to specify multiple prefixes and/or buckets, use caution before configuring too many prefixes or buckets. In a practical sense, granting more than 5-10 prefixes or buckets could be difficult to maintain and manage.
{
  "Actions": [
    "s3:chaos:view:create"
  ],
  "Effect": "Allow",
  "Resources": [
    "crn:view:::prefix1-*"
  ],
  "Version": "1.0"
},
{
  "Actions": [
    "s3:chaos:view:create"
  ],
  "Effect": "Allow",
  "Resources": [
    "crn:view:::prefix1-*",
    "crn:view:::prefix2-*"
  ],
  "Version": "1.0"
},
{
  "Actions": [
    "s3:aws:DeleteBucket"
  ],
  "Condition": {
    "Conditions": [
      {
        "StartsWith": {
          "s3:bucket/attributes.name": "bucket1"
        }
      },
      {
        "StartsWith": {
          "chaos:object_group/attributes.name": "prefix1-"
        }
      },
      {
        "StartsWith": {
          "chaos:view/attributes.name": "prefix1-"
        }
      },
      {
        "StartsWith": {
          "chaos:index/attributes.name": "_prefix1-"
        }
      }
    ]
  },
  "Effect": "Allow",
  "Resources": [
    "*"
  ],
  "Version": "1.0"
}
{
  "Actions": [
    "s3:aws:DeleteBucket"
  ],
  "Condition": {
    "Conditions": [
      {
        "StartsWith": {
          "s3:bucket/attributes.name": "bucket1"
        }
      },
      {
        "StartsWith": {
          "s3:bucket/attributes.name": "bucket2"
        }
      },
      {
        "StartsWith": {
          "chaos:object_group/attributes.name": "prefix1-"
        }
      },
      {
        "StartsWith": {
          "chaos:object_group/attributes.name": "prefix2-"
        }
      },
      {
        "StartsWith": {
          "chaos:view/attributes.name": "prefix1-"
        }
      },
      {
        "StartsWith": {
          "chaos:view/attributes.name": "prefix2-"
        }
      },
      {
        "StartsWith": {
          "chaos:index/attributes.name": "_prefix1-"
        }
      },
      {
        "StartsWith": {
          "chaos:index/attributes.name": "_prefix2-"
        }
      }
    ]
  },
  "Effect": "Allow",
  "Resources": [
    "*"
  ],
  "Version": "1.0"
}
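A review aid for the caution in the note above, added here as an example and not part of the product or its documentation: it reads statements in the shape shown on this page, lists what each one is scoped to, and flags Allow statements with no scoping, empty prefixes, and attributes that carry more distinct prefixes than a chosen limit. The function names, the limit of 10 and the sample policy are assumptions; it checks structure only and does not model how the service evaluates conditions.

```python
import json

MAX_PER_ATTR = 10  # assumption: upper end of the 5-10 guidance in the note

# Constructed sample in the statement shape shown on this page.
SAMPLE_POLICY = json.loads("""[
  {"Actions": ["s3:chaos:view:create"], "Effect": "Allow",
   "Resources": ["crn:view:::prefix1-*", "crn:view:::prefix2-*"], "Version": "1.0"},
  {"Actions": ["s3:aws:DeleteBucket"], "Effect": "Allow", "Resources": ["*"],
   "Condition": {"Conditions": [
     {"StartsWith": {"s3:bucket/attributes.name": "bucket1"}},
     {"StartsWith": {"chaos:view/attributes.name": "prefix1-"}},
     {"StartsWith": {"chaos:index/attributes.name": "_prefix1-"}}]},
   "Version": "1.0"},
  {"Actions": ["s3:aws:DeleteBucket"], "Effect": "Allow", "Resources": ["*"],
   "Version": "1.0"}
]""")

def statement_scopes(stmt):
    """Return the (attribute, prefix) pairs that narrow one statement."""
    scopes = set()
    for res in stmt.get("Resources", []):
        if res != "*":
            # "crn:view:::prefix1-*" -> ("crn:view", "prefix1-")
            kind, _, name = res.rpartition(":::")
            scopes.add((kind, name.rstrip("*")))
    for cond in stmt.get("Condition", {}).get("Conditions", []):
        for attr, prefix in cond.get("StartsWith", {}).items():
            scopes.add((attr, prefix))
    return scopes

def audit(statements, max_per_attr=MAX_PER_ATTR):
    """Return (statement index or None, finding) tuples that need review."""
    findings, per_attr = [], {}
    for i, stmt in enumerate(statements):
        scopes = statement_scopes(stmt)
        if stmt.get("Effect") == "Allow" and not scopes:
            findings.append((i, "unscoped"))  # "*" resource, no condition
        for attr, prefix in sorted(scopes):
            if prefix == "":
                findings.append((i, "empty-prefix"))  # matches every name
            per_attr.setdefault(attr, set()).add(prefix)
    for attr in sorted(per_attr):
        if len(per_attr[attr]) > max_per_attr:
            findings.append((None, f"too-many:{attr}"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
```

A finding with index `None` applies to the group as a whole rather than to one statement.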