Grant bucket Access to Other Keys
APS OSS API of Data Management allows granting bucket access to other Client IDs/keys in addition to the bucket owner. This operation is performed during bucket creation using POST Bucket API.
```json
{
  "bucketKey": "sample-bucket-with-allow",
  "policyKey": "transient",
  "allow": [
    {
      "authId": "NLelvoE39K36qcxz1nxg3S4bJuX*****HYafJfTxpZGY",
      "access": "full"
    }
  ]
}
```

In the payload of the request, the bucket owner uses the allow attribute to specify a list of keys (up to 60) to which bucket permissions are granted, along with the level of access for each key: full, read or write.
READ
This type of access is ‘download/read own data permission’, not write into bucket.
The app is permitted to read or download only the objects it uploaded into the bucket, which is the limit OSS enforces for granted keys. The app cannot upload objects and cannot delete objects or the bucket. It also does not get to see anything that any other app uploaded.
WRITE
This type of access is ‘upload and change own data permission’, not read from bucket.
The app can create and change content (uploads/writes) in the bucket, but cannot read or download the objects it uploaded. Delete is allowed only on the objects the app itself uploaded into the bucket. The app cannot delete the bucket; that operation is restricted to the bucket owner app.
FULL
This is the strongest bucket access that can be granted to any app other than the owner app. It still does not make the other app the bucket owner: owner-only operations such as bucket delete remain restricted to the creator. This type of access is ‘upload/write, download/read and change own data permission’, not admin of the bucket.
Important limitations:
Even when a Client ID is granted full access to a bucket, its access is still restricted:
- Cannot download objects uploaded by the bucket owner
- Cannot download objects uploaded by other granted keys
- Cannot perform most OSS API operations that are restricted to the bucket owner; the APIs allowed are:
- Currently, there is no supported API to revoke or modify access rights granted to other keys.
Owner-Only Operations
Most OSS APIs are restricted to the bucket owner. Granted keys attempting these operations receive a 403 Forbidden response. These APIs include:
- GET Buckets
- POST Bucket
- GET Bucket Details
- GET Bucket Objects
- GET Bucket Object Details
- DELETE Bucket
The bucket owner application can access all objects uploaded by granted keys.
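Because grants cannot be revoked or modified after bucket creation, the allow list is worth validating before the POST Bucket call, and the read/write/full semantics above are easy to misremember. The following added example (not code from the APS documentation or SDKs) builds and validates the POST Bucket payload and encodes the access rules described on this page as a permission check; the key names, operation names and `is_permitted` helper are constructed for illustration.

```python
import json

ACCESS_LEVELS = {"read", "write", "full"}
MAX_ALLOW_ENTRIES = 60  # limit stated in the documentation above
# Operations the page lists as owner-only; granted keys receive 403 Forbidden.
OWNER_ONLY = {"list_buckets", "create_bucket", "bucket_details",
              "list_objects", "object_details", "delete_bucket"}


def build_bucket_payload(bucket_key, policy_key, allow):
    """Build the POST Bucket body and validate the allow list up front.
    Grants cannot be revoked later, so bad entries must be rejected here."""
    if len(allow) > MAX_ALLOW_ENTRIES:
        raise ValueError(f"allow list exceeds {MAX_ALLOW_ENTRIES} keys")
    seen = set()
    for entry in allow:
        auth_id, access = entry["authId"], entry["access"]
        if access not in ACCESS_LEVELS:
            raise ValueError(f"invalid access level {access!r} for {auth_id}")
        if auth_id in seen:
            raise ValueError(f"duplicate authId {auth_id}")
        seen.add(auth_id)
    return {"bucketKey": bucket_key, "policyKey": policy_key,
            "allow": [{"authId": e["authId"], "access": e["access"]} for e in allow]}


def is_permitted(operation, caller, uploader=None, owner=None, grants=None):
    """Model of the access rules on this page: `owner` is the bucket creator,
    `grants` maps authId -> access level, `uploader` is the key that put the
    object in the bucket (only relevant for object operations)."""
    grants = grants or {}
    if caller == owner:
        return True   # owner may do everything, including reading granted keys' objects
    if operation in OWNER_ONLY:
        return False  # 403 for any non-owner key, even with full access
    level = grants.get(caller)
    if level is None:
        return False  # key is not in the allow list at all
    if operation == "upload":
        return level in {"write", "full"}
    if operation == "download":  # read/full may download only their own objects
        return level in {"read", "full"} and uploader == caller
    if operation == "delete_object":  # write/full may delete only their own objects
        return level in {"write", "full"} and uploader == caller
    return False


if __name__ == "__main__":  # constructed sample authIds, not real keys
    body = build_bucket_payload("sample-bucket-with-allow", "transient",
                                [{"authId": "KEY_FULL", "access": "full"}])
    print(json.dumps(body, indent=2))
```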
If you have any questions, please don't hesitate to contact us through the APS support channel.