Using Identity-Based Policies for Amazon S3 Glacier (IAM Policies)
This topic provides examples of identity-based policies in which an account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles).
We recommend that you first review the introductory topics that explain the basic concepts and options available for you to manage access to your Amazon S3 Glacier (S3 Glacier) resources. For more information, see Overview of Managing Access Permissions to Your Amazon S3 Glacier Resources.
The sections in this topic cover the following:
The following shows an example of a permissions policy.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "glacier:CreateVault", "glacier:DescribeVault", "glacier:ListVaults" ], "Resource": "arn:aws:glacier:us-west-2:123456789012:vaults/*" } ] }
The policy grants permissions for three S3 Glacier vault-related actions
(glacier:CreateVault
, glacier:DescribeVault
and
glacier:ListVaults
), on a resource using the Amazon Resource Name
(ARN) that identifies all of the vaults in the us-west-2
AWS Region.
The wildcard character (*) at the end of the ARN means that this statement can match
any vault name. The statement allows the glacier:DescribeVault
action on any
vault in the specified AWS Region, us-west-2
. If you want to limit permissions for
this action to a specific vault only, you replace the wildcard character (*) with a vault
name.
Permissions Required to Use the Amazon S3 Glacier Console
The S3 Glacier console provides an integrated environment for you to create and manage S3 Glacier
vaults. At a minimum IAM users that you create must be granted permissions for the
glacier:ListVaults
action to view the S3 Glacier console as shown in the
following example.
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "glacier:ListVaults" ], "Effect": "Allow", "Resource": "*" } ] }
Both of the S3 Glacier AWS Managed policies discussed in the next section grant permissions
for glacier:ListVaults
.
AWS Managed Policies (Predefined Policies) for Amazon S3 Glacier
AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. Managed policies grant necessary permissions for common use cases so you can avoid having to investigate what permissions are needed. For more information, see AWS Managed Policies in the IAM User Guide.
The following AWS managed policies, which you can attach to users in your account, are specific to S3 Glacier:
-
AmazonGlacierReadOnlyAccess – Grants read only access to S3 Glacier through the AWS Management Console.
-
AmazonGlacierFullAccess – Grants full access to S3 Glacier through the AWS Management Console.
You can review these permissions policies by signing in to the IAM console and searching for specific policies there.
You can also create your own custom IAM policies to allow permissions for S3 Glacier API actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions or to custom execution roles (IAM roles) that you create for your S3 Glacier vaults.
Customer Managed Policy Examples
In this section, you can find example user policies that grant permissions for various S3 Glacier actions. These policies work when you are using S3 Glacier REST API, the Amazon SDKs, the AWS CLI, or, if applicable, the S3 Glacier management console.
All examples use the US West (Oregon) Region (us-west-2
) and contain
fictitious account IDs.
Examples
Example 1: Allow a User to Download Archives from a Vault
To download an archive, you first initiate a job to retrieve the archive. After the
retrieval job is complete, you can download the data. The following example policy
grants permissions for the glacier:InitiateJob
action to initiate a job
(which allows the user to retrieve an archive or a vault inventory from the vault), and
permissions for the glacier:GetJobOutput
action to download the retrieved
data. The policy also grants permissions to perform the glacier:DescribeJob
action
so that the user can get the job status. For more information, see Initiate Job (POST jobs).
The policy grants these permissions on a vault named examplevault
. You can get the
vault ARN from the Amazon S3 Glacier console
{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Resource": "arn:aws:glacier:us-west-2:123456789012:vaults/examplevault", "Action":["glacier:InitiateJob", "glacier:GetJobOutput", "glacier:DescribeJob"] } ] }
Example 2: Allow a User to Create a Vault and Configure Notifications
The following example policy grants permissions to create a vault in the
us-west-2 Region as specified in the Resource
element and configure
notifications. For more information about working with notifications, see Configuring Vault Notifications in Amazon S3 Glacier. The policy also grants permissions to
list vaults in the AWS Region and get a specific vault description.
When you grant permissions to create a vault using the
glacier:CreateVault
operation, you must specify a wildcard character (*)
in the Resource
value because you don't know the vault name until after you
create the vault.
{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Resource": "arn:aws:glacier:us-west-2:123456789012:vaults/*", "Action":["glacier:CreateVault", "glacier:SetVaultNotifications", "glacier:GetVaultNotifications", "glacier:DeleteVaultNotifications", "glacier:DescribeVault", "glacier:ListVaults"] } ] }
Example 3: Allow a User to Upload Archives to a Specific Vault
The following example policy grants permissions to upload archives to a specific vault in the us-west-2 Region. These permissions allow a user to upload an archive all at once using the Upload Archive (POST archive) API operation or in parts using the Initiate Multipart Upload (POST multipart-uploads) API operation.
{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Resource": "arn:aws:glacier:us-west-2:123456789012:vaults/examplevault", "Action":["glacier:UploadArchive", "glacier:InitiateMultipartUpload", "glacier:UploadMultipartPart", "glacier:ListParts", "glacier:ListMultipartUploads", "glacier:CompleteMultipartUpload"] } ] }
Example 4: Allow a User Full Permissions on a Specific Vault
The following example policy grants permissions for all S3 Glacier actions on a vault named
examplevault
.
{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Resource": "arn:aws:glacier:us-west-2:123456789012:vaults/examplevault", "Action":["glacier:*"] } ] }