Some services, such as Amazon S3 and Google Cloud Storage (GCS), require more permissive access to file storage.

Amazon S3

You can use the following list of Amazon S3 permissions to map the permissions required for your Amazon S3-like solution.

Table 11. Amazon S3 Permissions

| Actions | Resources |
| --- | --- |
| s3:GetBucketLocation, s3:ListAllMyBuckets | arn:aws:s3:::* |
| s3:ListBucket, s3:PutObject, s3:GetObject | <file-ingestion-service-arn>, <file-ingestion-service-arn>/*, <dataframe-service-bucket-arn>, <dataframe-service-bucket-arn>/*, <dataframe-service-cache-bucket-arn>, <dataframe-service-cache-bucket-arn>/*, <notebook-execution-service-arn>, <notebook-execution-service-arn>/*, <feed-service-arn>, <feed-service-arn>/* |
| s3:DeleteObject | <dataframe-service-bucket-arn>, <dataframe-service-bucket-arn>/*, <dataframe-service-cache-bucket-arn>, <dataframe-service-cache-bucket-arn>/*, <notebook-execution-service-arn>, <notebook-execution-service-arn>/*, <feed-service-arn>, <feed-service-arn>/* |
| s3:ListMultipartUploadParts, s3:ListBucketMultipartUploads, s3:AbortMultipartUpload | <dataframe-service-bucket-arn>, <dataframe-service-bucket-arn>/*, <dataframe-service-cache-bucket-arn>, <dataframe-service-cache-bucket-arn>/* |
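The following added example (not part of the product documentation) audits an IAM policy against Table 11 and reports every Allow grant that goes beyond it. The bucket ARNs and the sample policy are constructed placeholders; matching is by exact string, so wildcard or otherwise unlisted actions and resources are reported.

```python
# Added example: audit an IAM policy document against Table 11.
# Bucket ARNs are constructed stand-ins for the page's <...-arn> placeholders.
BUCKETS = {
    "file-ingestion": "arn:aws:s3:::example-file-ingestion",
    "dataframe": "arn:aws:s3:::example-dataframe",
    "dataframe-cache": "arn:aws:s3:::example-dataframe-cache",
    "notebook": "arn:aws:s3:::example-notebook",
    "feed": "arn:aws:s3:::example-feed",
}

def arns(*names):
    """Bucket ARN plus its object ARN (<arn>/*) for each named bucket."""
    return {a for n in names for a in (BUCKETS[n], BUCKETS[n] + "/*")}

ALL = arns(*BUCKETS)
NO_INGEST = arns("dataframe", "dataframe-cache", "notebook", "feed")
DATAFRAME = arns("dataframe", "dataframe-cache")

ALLOWED = {  # Table 11 as action -> permitted resources
    "s3:GetBucketLocation": {"arn:aws:s3:::*"},
    "s3:ListAllMyBuckets": {"arn:aws:s3:::*"},
    "s3:ListBucket": ALL, "s3:PutObject": ALL, "s3:GetObject": ALL,
    "s3:DeleteObject": NO_INGEST,
    "s3:ListMultipartUploadParts": DATAFRAME,
    "s3:ListBucketMultipartUploads": DATAFRAME,
    "s3:AbortMultipartUpload": DATAFRAME,
}

def as_list(v):
    return v if isinstance(v, list) else [v]

def excess_grants(policy):
    """Return sorted (action, resource) pairs allowed by policy but not by Table 11."""
    findings = set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt["Action"]):
            for resource in as_list(stmt["Resource"]):
                if resource not in ALLOWED.get(action, set()):
                    findings.add((action, resource))
    return sorted(findings)

SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [  # constructed input
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:DeleteObject"],
     "Resource": [BUCKETS["file-ingestion"] + "/*"]},  # delete is not in the table here
    {"Effect": "Allow", "Action": "s3:*", "Resource": BUCKETS["feed"]},  # wildcard action
    {"Effect": "Allow", "Action": "s3:AbortMultipartUpload",
     "Resource": BUCKETS["dataframe"] + "/*"},  # matches the table
]}
```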

Google Cloud Storage

The following table outlines the necessary permissions for various resources.
Note: The Feed Service buckets require fine-grained access control.

Table 12. GCS Permissions

| Permissions | Resources |
| --- | --- |
| storage.buckets.get, storage.buckets.list | The buckets for the File Ingestion Service, the Feed Service, and the Notebook Execution Service. |
| storage.objects.list, storage.objects.create, storage.objects.get | The buckets and objects for the File Ingestion Service, the Feed Service, and the Notebook Execution Service. |
| storage.objects.delete | The buckets and objects of the Feed Service and the Notebook Execution Service. |