Using Identity-Based Policies for Amazon S3 Glacier (IAM Policies)

This topic provides examples of identity-based policies in which an account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles).

Important

We recommend that you first review the introductory topics that explain the basic concepts and options available for you to manage access to your Amazon S3 Glacier (Glacier) resources. For more information, see Overview of Managing Access Permissions to Your Amazon S3 Glacier Resources.

The sections in this topic cover the following:

The following shows an example of a permissions policy.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glacier:CreateVault",
        "glacier:DescribeVault",
        "glacier:ListVaults"
      ],
      "Resource": "arn:aws:glacier:us-west-2:123456789012:vaults/*"
    }
  ]
}

The policy grants permissions for three Glacier vault-related actions (glacier:CreateVault, glacier:DescribeVault and glacier:ListVaults), on a resource using the Amazon Resource Name (ARN) that identifies all of the vaults in the us-west-2 AWS Region.

The wildcard character (*) at the end of the ARN means that this statement can match any vault name. The statement allows the glacier:DescribeVault action on any vault in the specified region, us-west-2. If you want to limit permissions for this action to a specific vault only, you replace the wildcard character (*) with a vault name.

Permissions Required to Use the Amazon S3 Glacier Console

The Glacier console provides an integrated environment for you to create and manage Glacier vaults. At a minimum IAM users that you create must be granted permissions for the glacier:ListVaults action to view the Glacier console as shown in the following example.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "glacier:ListVaults"     
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Both of the Glacier AWS Managed policies discussed in the next section grant permissions for glacier:ListVaults.

AWS Managed Policies (Predefined Policies) for Amazon S3 Glacier

AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. Managed policies grant necessary permissions for common use cases so you can avoid having to investigate what permissions are needed. For more information, see AWS Managed Policies in the IAM User Guide.

The following AWS managed policies, which you can attach to users in your account, are specific to Glacier:

AmazonGlacierReadOnlyAccess – Grants read only access to Glacier through the AWS Management Console.
AmazonGlacierFullAccess – Grants full access to Glacier through the AWS Management Console.

Note

You can review these permissions policies by signing in to the IAM console and searching for specific policies there.

You can also create your own custom IAM policies to allow permissions for Glacier API actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions or to custom execution roles (IAM roles) that you create for your Glacier vaults.

Customer Managed Policy Examples

In this section, you can find example user policies that grant permissions for various Glacier actions. These policies work when you are using Glacier REST API, the AWS SDKs, the AWS CLI, or, if applicable, the Glacier management console.

Note

All examples use the US West (Oregon) Region (us-west-2) and contain fictitious account IDs.

Examples

Example 1: Allow a User to Download Archives from a Vault
Example 2: Allow a User to Create a Vault and Configure Notifications
Example 3: Allow a User to Upload Archives to a Specific Vault
Example 4: Allow a User Full Permissions on a Specific Vault

Example 1: Allow a User to Download Archives from a Vault

To download an archive, you first initiate a job to retrieve the archive. After the retrieval job is complete, you can download the data. The following example policy grants permissions for the glacier:InitiateJob action to initiate a job (which allows the user to retrieve an archive or a vault inventory from the vault), and permissions for the glacier:GetJobOutput action to download the retrieved data. The policy also grants permissions to perform the glacier:DescribeJob action so that the user can get the job status. For more information, see Initiate Job (POST jobs).

The policy grants these permissions on a vault named examplevault. You can get the vault ARN from the Amazon S3 Glacier console, or programmatically by calling either the Describe Vault (GET vault) or the List Vaults (GET vaults) API actions.


{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": "arn:aws:glacier:us-west-2:123456789012:vaults/examplevault",
      "Action":["glacier:InitiateJob",
                "glacier:GetJobOutput",
                "glacier:DescribeJob"] 
    }
  ]
}

Example 2: Allow a User to Create a Vault and Configure Notifications

The following example policy grants permissions to create a vault in the us-west-2 region as specified in the Resource element and configure notifications. For more information about working with notifications, see Configuring Vault Notifications in Amazon S3 Glacier. The policy also grants permissions to list vaults in the region and get a specific vault description.

Important

When you grant permissions to create a vault using the glacier:CreateVault operation, you must specify a wildcard character (*) in the Resource value because you don't know the vault name until after you create the vault.


{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": "arn:aws:glacier:us-west-2:123456789012:vaults/*",
      "Action":["glacier:CreateVault",
                "glacier:SetVaultNotifications",
                "glacier:GetVaultNotifications",
                "glacier:DeleteVaultNotifications",
                "glacier:DescribeVault",
                "glacier:ListVaults"] 
    }
  ]
}

Example 3: Allow a User to Upload Archives to a Specific Vault

The following example policy grants permissions to upload archives to a specific vault in the us-west-2 region. These permissions allow a user to upload an archive all at once using the Upload Archive (POST archive) API operation or in parts using the Initiate Multipart Upload (POST multipart-uploads) API operation.


{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": "arn:aws:glacier:us-west-2:123456789012:vaults/examplevault",
      "Action":["glacier:UploadArchive",
                "glacier:InitiateMultipartUpload",
                "glacier:UploadMultipartPart",
                "glacier:ListParts",
                "glacier:ListMultipartUploads",
                "glacier:CompleteMultipartUpload"] 
    }
  ]
}

Example 4: Allow a User Full Permissions on a Specific Vault

The following example policy grants permissions for all Glacier actions on a vault named examplevault.


{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": "arn:aws:glacier:us-west-2:123456789012:vaults/examplevault",
      "Action":["glacier:*"] 
    }
  ]
}

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

« Previous Next »