In S3 Tables resources include table buckets and the tables that they contain. The root user of the AWS account that created the resource (the resource owner) and AWS Identity and Access Management (IAM) users within that account that have the necessary permissions can access a resource that they created. The resource owner specifies who else can access the resource and the actions that they are allowed to perform on the resource. Amazon S3 has various access management tools that you can use to grant others access to your S3 resources. The following topics provide you with an overview of resources, IAM actions, and condition keys for S3 Tables. They also provide examples for both resource-based and identity-based policies for S3 Tables.
ResourcesS3 Tables resources include table buckets and the tables that they contain.
Table buckets â Table buckets are specifically designed for tables and provider higher transactions per seconds (TPS) and better query throughput compared to self-managed tables in general purpose S3 buckets. Table buckets deliver the same durability, availability, scalability, and performance characteristics as Amazon S3 general purpose buckets.
Tables â Tables in your table buckets are stored in Apache Iceberg format. You can query these tables using standard SQL in query engines that support Iceberg.
Amazon Resource Names (ARNs) for tables and table buckets contain the s3tables namespace, the AWS Region, the AWS account ID, and the bucket name. To access and perform actions on your tables and table buckets, you must use the following ARN formats:
Table ARN format:
arn:aws:s3tables:us-west-2:111122223333:bucket/amzn-s3-demo-bucket/table/demo-tableID
In an identity-based policy or resource-based policy, you define which S3 Tables actions are allowed or denied for specific IAM principals. Tables actions correspond to bucket and table-level API operations. All actions are part of a unique IAM namespace: s3tables.
When you use an action in a policy, you usually allow or deny access to the API operation with the same name. However, in some cases, a single action controls access to more than one API operation. For example, the s3tables:GetTableData actions includes permissions for the GetObject, ListParts, and ListMultiparts API operations.
The following are supported actions for table buckets. You can specify the following actions in the Action element of an IAM policy or resource policy.
s3tables:CreateTableBucket Grants permissions to create a table bucket Write No s3tables:GetTableBucket Grants permission to retrieve a table bucket ARN, table bucket name, and create date. Write Yes s3tables:ListTableBuckets Grants permission to list all table buckets in this account. Read No s3tables:CreateNamespace Grants permission to create a name space in a table bucket Write Yes s3tables:GetNamespace Grants permission to retrieve namespace details Read Yes s3tables:ListNamespaces Grants permission to list all namespaces on the table bucket. Read Yes s3tables:DeleteNamespace Grants permission to delete a namespace in a table bucket Write Yes s3tables:DeleteTableBucket Grants permission to delete the bucket Write Yes s3tables:PutTableBucketPolicy Grants permission to add or replace a bucket policy Permissions Management No s3tables:GetTableBucketPolicy Grants permission to retrieve the bucket policy Read No s3tables:DeleteTableBucketPolicy Grants permission to delete the bucket policy Permissions Management No s3tables:GetTableBucketMaintenanceConfiguration Grants permission to retrieve the maintenance configuration for a table bucket Read Yes s3tables:PutTableBucketMaintenanceConfiguration Grants permission to add or replace the maintenance configuration for a table bucket Write Yes s3tables:PutTableBucketEncryption Grants permission to add or replace the encryption configuration for a table bucket Write No s3tables:GetTableBucketEncryption Grants permission to retrieve the encryption configuration for a table bucket Read No s3tables:DeleteTableBucketEncryption Grants permission to delete the encryption configuration for a table bucket Write No
The following actions are supported for tables:
Action Description Access level Cross-account accesss3tables:GetTableMaintenanceConfiguration Grants permission to retrieve the maintenance configuration for a table Read Yes s3tables:PutTableMaintenanceConfiguration Grants permission to add or replace the maintenance configuration for a table Write Yes s3tables:PutTablePolicy Grants permission to add or replace a table policy Permissions Management No s3tables:GetTablePolicy Grants permission to retrieve the table policy Read No s3tables:DeleteTablePolicy Grants permission to delete the table policy Permissions management No s3tables:CreateTable Grants permission to create a table in a table bucket Write Yes s3tables:GetTable Grants permission to retrieve a table information Read Yes s3tables:GetTableMetadataLocation Grants permission to retrieve the table root pointer (metadata file) Read Yes s3tables:ListTables Grants permission to list all tables in a table bucket Read Yes s3tables:RenameTable Grant permissions to change the name of a table. Write Yes s3tables:UpdateTableMetadataLocation Grants permission to update table root pointer (metadata file) Write Yes s3tables:GetTableData Grants permission to read the table metadata and data objects stored in the table bucket Read Yes s3tables:PutTableData Grants permission to write the table metadata and data objects stored in the table bucket Write Yes s3tables:GetTableEncryption Grants permission to retrieve the encryption settings for a table Write No s3tables:PutTableEncryption Grants permission to add encryption to a table Write No
To perform table-level read and write actions, S3 Tables supports Amazon S3 API operations such as GetObject and PutObject. The following table provides a list of object-level actions. When granting read and write permissions to your tables, you use the following actions.
s3tables:GetTableData GetObject, ListParts, HeadObject s3tables:PutTableData PutObject, CreateMultipartUpload, CompleteMultipartUpload, UploadPart, AbortMultipartUpload
For example, if a user has GetTableData permissions, then they can read all the files associated with the table, such as its metadata file, manifest, manifest list files, and parquet data files.
S3 Tables supports AWS global condition context keys.
Additionally, S3 Tables defines the following condition keys that you can use in an access policy.
Condition key Description Type s3tables:tableName Filters access by the name of the tables in the table bucket.
You can use the s3tables:tableName condition key to write IAM, or table bucket policies that restrict user or application access to only the tables that meet this name condition.
It's important to note that if you use the s3tables:tableName condition key to control access then changes in tablesâ name could impact these policies.
"s3tables:tableName":"department*" String s3tables:namespace
Filters access by the namespaces created in the table bucket.
You can use the s3tables:namespace condition key to write IAM, table, or table bucket policies that restrict user or application access to tables that are part of a specific namespace. Example value: "s3tables:namespace":"hr"
It's important to note that if you use the s3tables:namespace condition key to control access, then changes in namespaces could impact these policies.
String s3tables:SSEAlgorithm
Filters access by the server-side encryption algorithm used to encrypt a table.
You can use the s3tables:SSEAlgorithm condition key to write IAM, table, or table bucket policies that restrict user or application access to tables that are encrypted with a certain encryption type. Example value: "s3tables:SSEAlgorithm":"aws:kms"
It's important to note that if you use the s3tables:SSEAlgorithm condition key to control access, then changes in encryption could impact these policies.
String s3tables:KMSKeyArn
Filters access by the AWS KMS key ARN for the key used to encrypt a table
You can use the s3tables:KMSKeyArn condition key to write IAM, table, or table bucket policies that restrict user or application access to tables that are encrypted with a specific KMS key.
It's important to note that if you use the s3tables:KMSKeyArn condition key to control access, then changing your KMS key could impact these policies.
ARN
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4