
Permissions

Interaction with S3 resources is divided into four distinct actions, so that each can be granted or withheld separately:

  • List: Grants the ability to list buckets and objects.
  • Write: Provides the permission to write into a bucket.
  • Read: Facilitates the reading of objects.
  • Delete: Allows the deletion of objects.

Users build a permission by adding rules of the form <subject, actions>. Each rule grants the listed "actions" on the designated "subject", where the subject can be either a bucket or an object.

Users can also place time constraints on a permission: for instance, access may begin only at a specific time, or be allowed only within a given time window. This lets users manage how long a permission remains usable.

W3S permissions are encapsulated in macaroons, and permissions are created on the client side. Because macaroons support attenuation, a user can further restrict a permission by adding caveats; a holder can narrow what they pass on but never widen it, which gives fine-grained control when sharing permissions with others.
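
As an added illustration (not W3S's own code), the Python sketch below encodes a <subject, actions> rule and a time window as caveats on a minimal macaroon, lets a recipient attenuate it further, and verifies it server-side; the caveat syntax, field names, root key and token identifier are assumptions.

```python
import hashlib, hmac
from datetime import datetime
# Constructed illustration of the scheme described above: a minimal macaroon (an
# HMAC chain over an identifier plus caveats). Caveat syntax is an assumption.

def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def mint(root_key: bytes, identifier: str) -> dict:
    """Issuer side: bind a token to the root key; it carries no caveats yet."""
    return {"id": identifier, "caveats": [], "sig": _mac(root_key, identifier)}

def attenuate(token: dict, caveat: str) -> dict:
    """Holder side: add a caveat using only the current signature (no root key),
    so a holder can narrow a permission before sharing it but never widen it."""
    return {"id": token["id"], "caveats": token["caveats"] + [caveat],
            "sig": _mac(token["sig"], caveat)}

def _caveat_holds(caveat: str, req: dict, now: datetime) -> bool:
    """'subject = bucket[/key]' | 'actions = A,B' | 'time >= ISO' | 'time < ISO'."""
    if caveat.startswith("subject = "):
        subj = caveat[len("subject = "):]   # a bucket subject covers its objects
        return req["subject"] == subj or req["subject"].startswith(subj + "/")
    if caveat.startswith("actions = "):
        return req["action"] in caveat[len("actions = "):].split(",")
    if caveat.startswith("time >= "):
        return now >= datetime.fromisoformat(caveat[len("time >= "):])
    if caveat.startswith("time < "):
        return now < datetime.fromisoformat(caveat[len("time < "):])
    return False   # unknown caveat: fail closed

def verify(root_key: bytes, token: dict, req: dict, when: str) -> bool:
    """Service side: recompute the chain from the root key, then check every
    caveat against the request {"action", "subject"} at ISO 8601 time `when`."""
    now = datetime.fromisoformat(when)
    sig = _mac(root_key, token["id"])
    for caveat in token["caveats"]:
        sig = _mac(sig, caveat)
    if not hmac.compare_digest(sig, token["sig"]):
        return False   # forged, or a caveat was dropped or replaced
    return all(_caveat_holds(c, req, now) for c in token["caveats"])

ROOT_KEY = b"constructed-root-key-held-only-by-the-service"   # assumption
def shared_token() -> dict:
    """<photos, {List, Read}> for one day, then narrowed by the recipient to one object."""
    t = mint(ROOT_KEY, "user-42")
    for c in ("subject = photos", "actions = List,Read",
              "time >= 2024-06-01T00:00:00+00:00", "time < 2024-06-02T00:00:00+00:00"):
        t = attenuate(t, c)
    return attenuate(t, "subject = photos/cat.jpg")
```

Dropping or replacing a caveat breaks the HMAC chain, so a recipient cannot recover the broader permission from the narrowed token they were given.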

This approach gives users straightforward control over what can be done with their S3 resources, and because each permission is carried in a single macaroon, permissions are safer to share and easier to keep track of.