Rework IAM documentation for directory buckets #1455
Open
c-hagem wants to merge 6 commits into awslabs:main from
Signed-off-by: Christian Hagemeier <[email protected]>
dannycjones
previously requested changes
Jun 6, 2025
| Directory buckets, introduced with the S3 Express One Zone storage class, use a different authentication mechanism from general purpose buckets. Instead of using `s3:*` actions, you should allow the `s3express:CreateSession` action. Here is an example of least-privilege policy document. | ||
| ### Directory buckets | ||
| Directory buckets, introduced with the S3 Express One Zone storage class, use a different authentication mechanism from general purpose buckets. |
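Review bot: the replacement line that closes this hunk drops the concrete guidance the removed line carried (allow the `s3express:CreateSession` action instead of `s3:*` actions, followed by a least-privilege policy example). If that material moves below the new `### Directory buckets` heading this is fine, but the introductory sentence should still name the mechanism rather than only saying it is "different", for example: `Directory buckets, introduced with the S3 Express One Zone storage class, use session-based authentication (the `s3express:CreateSession` action) rather than the per-request `s3:*` actions used by general purpose buckets.`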
Contributor
@c-hagem can you verify what type of auth Mountpoint (and CRT) tries to use when connecting to a local zone directory bucket? Does it try to create a session or use straightforward IAM auth?
You don't need to be allowlisted to use the local zone, just know what a local zone access point looks like.
| Directory buckets, introduced with the S3 Express One Zone storage class, use a different authentication mechanism from general purpose buckets. Instead of using `s3:*` actions, you should allow the `s3express:CreateSession` action. Here is an example of least-privilege policy document. | ||
| ### Directory buckets | ||
| Directory buckets, introduced with the S3 Express One Zone storage class, use a different authentication mechanism from general purpose buckets. |
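Review bot: the new `### Directory buckets` heading has no counterpart visible in this hunk; since the PR description says the section is now split between general purpose buckets and directory buckets, confirm that a sibling `### General purpose buckets` heading at the same level precedes it so the two cases read as parallel subsections, and that the least-privilege policy example promised by the removed line still appears under the new heading.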
Contributor
I think we should introduce XOZ in relation to the session-based auth, not directory buckets, since we now have Z-IA.
dannycjones
reviewed
Jun 9, 2025
a283cff to ca8d2f3
Co-authored-by: Daniel Carl Jones <[email protected]>
Signed-off-by: Christian Hagemeier <[email protected]>
Signed-off-by: Daniel Carl Jones <[email protected]>
Signed-off-by: Daniel Carl Jones <[email protected]>
ca8d2f3 to e83f9b0
Signed-off-by: Daniel Carl Jones <[email protected]>
muddyfish
approved these changes
Oct 9, 2025
Reworks the section on IAM permissions to be more clearly split between general purpose buckets and directory buckets.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and I agree to the terms of the Developer Certificate of Origin (DCO).