Connect to S3

Setting up S3 permissions for Saturn users

S3

The credentials section goes over adding IAM credentials to Saturn. IAM user credentials can be added on a per-user basis, or for everyone in the Saturn installation.

If your IAM user already has access to an S3 bucket, you should immediately be able to access S3 data using boto3 or s3fs. Note that we are referring to s3fs, the open source library for working with S3 objects as Python file objects, not s3fs-fuse, which mounts an S3 bucket as a directory on your machine (nice concept but poor performance).

S3 Permissions

This section covers AWS IAM only; nothing here is specific to Saturn. The following IAM policies can be attached to a user to grant access to an S3 bucket, or to a specific directory within it. Make sure you replace {bucket-name} and {directory-name} with your actual bucket and directory names.

Access to an entire S3 Bucket

The simplest case is to grant read/write access to an entire bucket. Be aware that s3:* covers every S3 action on that bucket, including bucket-management actions such as deleting the bucket or changing its policy, so only use it where that is intended.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "readf",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::{bucket-name}",
                "arn:aws:s3:::{bucket-name}/*"
            ]
        }
    ]
}

If you want to give read-only access, enumerate the permitted actions explicitly instead of using s3:*.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "readf",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::{bucket-name}",
                "arn:aws:s3:::{bucket-name}/*"
            ]
        }
    ]
}

Access to a specific directory of an S3 Bucket

Sometimes you need to segment an S3 bucket by directory. If so, you have to grant object access on the directory's object ARN explicitly, and separately allow s3:ListBucket on the bucket ARN with an s3:prefix condition restricted to that directory.

read-write access:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "readf",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::{bucket-name}/{directory-name}/*"
            ]
        },
        {
            "Sid": "listf",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::{bucket-name}",
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "{directory-name}/*"
                    ]
                }
            }
        }
    ]
}

For read-only access, remove s3:PutObject, s3:DeleteObject, and s3:DeleteObjectVersion from the first statement.
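To see how the two statements above interact, here is a small Python model of the IAM evaluation (an added example, not Saturn's or AWS's code). It assumes the placeholders are filled in as example-bucket and reports, and it implements only the subset of IAM semantics these policies use.

```python
import fnmatch

# Constructed example: the directory-scoped policy from this page with
# {bucket-name} = example-bucket and {directory-name} = reports.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "readf", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject",
                    "s3:DeleteObject", "s3:DeleteObjectVersion"],
         "Resource": ["arn:aws:s3:::example-bucket/reports/*"]},
        {"Sid": "listf", "Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringLike": {"s3:prefix": ["reports/*"]}}},
    ],
}

def _matches_any(value, patterns):
    # IAM wildcards: "*" matches any run of characters (including none), "?" one.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, context):
    # Only StringLike is modelled (the operator used by this page's policy).
    # A condition key absent from the request context never matches.
    for operator, keys in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(operator)
        for key, patterns in keys.items():
            if key not in context or not _matches_any(context[key], patterns):
                return False
    return True

def is_allowed(policy, action, resource, context=None):
    """Simplified IAM evaluation: implicit deny unless some Allow statement
    matches action, resource and condition (no explicit Deny, NotAction, NotResource)."""
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Allow"
                and _matches_any(action, stmt["Action"])
                and _matches_any(resource, stmt["Resource"])
                and _condition_holds(stmt.get("Condition", {}), context or {})):
            return True
    return False

if __name__ == "__main__":
    b = "arn:aws:s3:::example-bucket"
    print(is_allowed(POLICY, "s3:GetObject", f"{b}/reports/q1.csv"))          # True
    print(is_allowed(POLICY, "s3:GetObject", f"{b}/private/q1.csv"))          # False
    print(is_allowed(POLICY, "s3:ListBucket", b, {"s3:prefix": "reports/"}))  # True
    print(is_allowed(POLICY, "s3:ListBucket", b, {"s3:prefix": ""}))          # False: bucket root
```

The last case is the one users trip over: listing the bucket root (an empty prefix) is denied by this policy, so tools must list with the directory prefix, e.g. s3://example-bucket/reports/.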