u/K41eb

I am confused about how to make bucket policies for Hetzner S3 storage.

I have a project with 1 bucket and 2 "access key + secret key" pairs.

I want one of them to have read-only access, and the other full access.

By default, as designed by Hetzner, the access keys have full access to all possible actions on the bucket. https://docs.hetzner.com/storage/object-storage/faq/s3-credentials/#how-do-i-restrict-access-per-key

So my first thought was to make a policy that would:

  1. Deny all.
  2. Allow action A and action B.

"Close everything, and only open the permissions needed."

I have made some tests with a policy I pushed with s3cmd, and I have observed that:

  • You need to explicitly Deny an action for it to be blocked. If you make a policy that only has Allow statements, everything is still allowed.
  • If your principal gets a Deny in any of the statements, that is what sticks in the end. So you can't do the "deny all and then open" strategy, everything will be denied.

My question then is: did I miss something or am I forced to enumerate all 100+ rules that need to be denied? https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations_Amazon_Simple_Storage_Service.html

u/K41eb — 3 days ago
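The two observations in the post (an Allow-only policy changes nothing because keys start with full access, and an explicit Deny beats any Allow) together point at the usual way out: instead of "Deny *" followed by Allows, write a single Deny for the read-only key whose NotAction lists the actions that key should keep. The script below is an added example, not code from the post or from Hetzner, and it only simulates the evaluation rules the post describes so the three candidate policies can be compared offline; the principal ARN format, the bucket name and the object are placeholders, and NotAction support on Hetzner's S3 backend is an assumption that still has to be confirmed by pushing the policy with s3cmd and testing each key.

```python
"""Simulate the bucket-policy evaluation rules described in the post.

Semantics encoded here (from the post and the linked Hetzner FAQ):
  * a key has full access unless a statement denies it, so the default
    decision is Allow and an Allow-only policy restricts nothing;
  * an explicit Deny matching principal, action and resource always wins.
Support for NotAction is an assumption to verify against the real service.
This is an added example; it is not the post's or Hetzner's code.
"""
import fnmatch
import json

BUCKET = "arn:aws:s3:::example-bucket"          # constructed sample bucket
OBJECT = BUCKET + "/reports/2024.csv"            # constructed sample object
# Placeholder principal ARNs: the exact ARN format Hetzner expects for an
# access key is an assumption here, check the FAQ before pasting.
READ_ONLY_KEY = "arn:aws:iam:::user/p000000:READONLYKEY"
FULL_KEY = "arn:aws:iam:::user/p000000:FULLACCESSKEY"
READ_ACTIONS = ["s3:GetObject", "s3:ListBucket"]
ALL_RESOURCES = [BUCKET, BUCKET + "/*"]


def _matches(patterns, value):
    """Glob match: 's3:*' matches every action, 'bucket/*' every object."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _statement_applies(stmt, key, action, resource):
    """True if the statement's principal, action and resource all match."""
    principal = stmt["Principal"]
    if principal != "*" and not _matches(principal.get("AWS", []), key):
        return False
    if "Action" in stmt:
        if not _matches(stmt["Action"], action):
            return False
    elif "NotAction" in stmt:            # assumed to be supported by the backend
        if _matches(stmt["NotAction"], action):
            return False
    else:
        return False
    return _matches(stmt["Resource"], resource)


def evaluate(policy, key, action, resource):
    """Return 'Deny' if any matching statement denies, otherwise 'Allow'."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and _statement_applies(stmt, key, action, resource):
            return "Deny"                 # explicit deny wins over every Allow
    return "Allow"                        # no Deny hit: the key keeps full access


def _stmt(effect, key, resource=ALL_RESOURCES, **actions):
    """Build one statement scoped to a single access key."""
    return {"Effect": effect, "Principal": {"AWS": [key]},
            "Resource": resource, **actions}


# 1. Allow-only policy: nothing is restricted, as the post observed.
ALLOW_ONLY = {"Version": "2012-10-17", "Statement": [
    _stmt("Allow", READ_ONLY_KEY, Action=READ_ACTIONS)]}

# 2. "Deny all, then allow": the Deny matches GetObject too, so it wins.
DENY_THEN_ALLOW = {"Version": "2012-10-17", "Statement": [
    _stmt("Deny", READ_ONLY_KEY, Action="s3:*"),
    _stmt("Allow", READ_ONLY_KEY, Action=READ_ACTIONS)]}

# 3. One Deny that excludes the read actions, scoped to the read-only key only,
#    so the full-access key is untouched and can still replace the policy.
DENY_NOT_READ = {"Version": "2012-10-17", "Statement": [
    _stmt("Deny", READ_ONLY_KEY, NotAction=READ_ACTIONS)]}


def access_matrix(policy):
    """Decision per (key name, action) over the constructed sample resources."""
    cases = [(READ_ONLY_KEY, "s3:GetObject", OBJECT),
             (READ_ONLY_KEY, "s3:PutObject", OBJECT),
             (READ_ONLY_KEY, "s3:ListBucket", BUCKET),
             (FULL_KEY, "s3:PutObject", OBJECT)]
    return {(k.rsplit(":", 1)[1], a): evaluate(policy, k, a, r) for k, a, r in cases}


if __name__ == "__main__":
    for name, pol in [("allow-only", ALLOW_ONLY),
                      ("deny-then-allow", DENY_THEN_ALLOW),
                      ("deny-not-read", DENY_NOT_READ)]:
        print(name, access_matrix(pol))
    # Candidate policy document to push with `s3cmd setpolicy policy.json s3://example-bucket`
    print(json.dumps(DENY_NOT_READ, indent=2))
```

Two caveats when moving from the simulation to the real bucket. First, keep the Deny's Principal pinned to the read-only key rather than "*": a wildcard Deny with NotAction would also strip s3:PutBucketPolicy from the full-access key, which can lock you out of ever changing the policy again. Second, AWS itself evaluates IAM policies with a default Deny, so advice and examples written for AWS do not transfer one-to-one; the simulator above deliberately encodes the default-Allow behaviour the post reports, and the only authoritative check is running each action with each key after the policy is in place.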