Write-only Object Storage access key?
My company has begun migrating from S3 to Object Storage for our ERP's system backup. However, we've hit a snag where OS's access key grants full access to every bucket and object in our account.
Previously in S3, I was able to configure the policy such that the backup script's access keypair can only WRITE to the bucket and not list/delete any other objects. This is critical to prevent ransomware.
AWS S3's granular per-access-key policy looks something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "2173893894589",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::BACKUP-BUCKET/*"
      ]
    }
  ]
}
Is this something that Linode has on the roadmap?
4 Replies
This may be possible using the APIs with s3cmd.
Does this article help at all? The bucket policies example looks very similar to your AWS one.
I’m wondering if you could set up a sub-user on your Linode account for the backup service, create an API key under that user, and assign the policy to that user’s ID?
Thought of that too, but there's no settings in user permissions at the moment to allow creating buckets/access keys:
https://imgur.com/a/wDSe9Mn#nvHtVWd
Is there any solution to this request? Is it possible to specify granular permissions on Access Keys instead of read_only and read_write?
@salky - You should be able to do this using s3cmd. You can specify "PutObject", "GetObject", and "ListBucket" in any combination per user, per bucket. You can also set more granular permissions per directory. The caveat here is that the user you're granting permissions to must have their own canonical ID. Currently, only each Linode account as a whole has a canonical ID; if you have other users on your Linode account, they would need their own account entirely in order to have permissions granted. We have a guide that explains how to use s3cmd to set bucket policies available here.
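Putting the last reply into practice, here is an added example (not from the thread or from Linode's guide) that builds the kind of per-user bucket policy the replies describe and lints it before it is applied: the generated statement grants one canonical ID only the actions needed to upload (single and multipart), and the checker refuses any policy that also grants listing, reading or deletion, or that names a wildcard principal. The principal ARN format `arn:aws:iam:::user/<canonical id>`, the bucket name and the canonical ID are assumptions and placeholders; confirm the principal format against the current Linode bucket-policy documentation.

```python
import json

# Actions a backup writer needs: upload objects, including multipart uploads.
# "s3:ListBucket" is deliberately absent, so the key cannot enumerate existing backups.
WRITE_ONLY_ACTIONS = (
    "s3:PutObject",
    "s3:AbortMultipartUpload",
    "s3:ListMultipartUploadParts",
)

# Actions that would let a compromised backup key read, enumerate or destroy data.
READ_OR_DESTROY_ACTIONS = {
    "s3:GetObject", "s3:DeleteObject", "s3:DeleteObjectVersion",
    "s3:ListBucket", "s3:ListAllMyBuckets", "s3:DeleteBucket", "s3:PutBucketPolicy",
}


def write_only_policy(bucket: str, canonical_id: str) -> dict:
    """Build a bucket policy that grants only upload rights to one principal.

    The principal ARN form (arn:aws:iam:::user/<canonical id>) is an assumption
    based on the Linode guide the thread refers to; verify it before relying on it.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "backup-writer-put-only",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam:::user/{canonical_id}"]},
            "Action": list(WRITE_ONLY_ACTIONS),
            "Resource": [f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def _as_list(value):
    # Policy documents allow either a single string or a list in most fields.
    return value if isinstance(value, list) else [value]


def policy_problems(policy: dict) -> list[str]:
    """Return a finding for every Allow statement that goes beyond write-only access."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
        ):
            problems.append(f"{sid}: wildcard principal")
        for action in _as_list(stmt.get("Action", [])):
            if action in ("s3:*", "*") or action.endswith("*"):
                problems.append(f"{sid}: wildcard action {action}")
            elif action in READ_OR_DESTROY_ACTIONS:
                problems.append(f"{sid}: grants {action}")
    return problems


def is_write_only(policy: dict) -> bool:
    return not policy_problems(policy)


if __name__ == "__main__":
    # Constructed placeholder values; substitute the real bucket and canonical ID.
    policy = write_only_policy("BACKUP-BUCKET", "00000000-0000-0000-0000-000000000000")
    print(json.dumps(policy, indent=2))
    print("write-only:", is_write_only(policy))
```

Run against the AWS policy quoted in the question, `policy_problems` flags `s3:ListBucket` and `s3:ListAllMyBuckets`, which is exactly the listing capability the question wants withheld from the backup key. Once the lint passes, save the output to a file and apply it with s3cmd in the way the linked guide describes (assumed to be `s3cmd setpolicy policy.json s3://BACKUP-BUCKET`). Note that `s3:PutObject` alone still lets the key overwrite an existing object of the same name, so a write-only key protects against deletion and enumeration, while protection against overwritten backups depends on using unique object names per run or on bucket versioning where the provider supports it.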