Guild icon
S3Drive
Community / support / Question: API calls for permission settings
Avatar
pairg 11/2/2023 10:23 PM
Hi, I would like to setup the (minimum) permissions on my bucket for S3Drive, but I don't know which permissions are actually needed. I thought this info would be useful for others too, but every storage provider security control is different. I recommend to document the used S3 API calls per features what everybody can then translate to their storage provider's security settings. This is probably easy to reach with some search in the source code. Features that I think should be mapped to a list of S3 API calls (this is probably redundant):
  • "to local" sync
  • "to local without delete" sync
  • "to remote" sync
  • "to remote without delete" sync
  • "to remote, compatibility mode" sync
  • "two way" sync
  • media backup
  • versioning enabled
  • multipart upload
  • MD5 verification
  • default file listing
  • trash tab (listing)
  • recent tab (listing)
  • thumbnail generation
  • cache generation / refresh
  • offline files on mobile
 (edited)
👍 1
Avatar
Tom 11/3/2023 3:22 PM
We will aim to prepare documentation on this using references to: https://docs.aws.amazon.com/AmazonS3/latest/API/Welcome.html At the very basic we use V2 listing, HEAD/stat (Show info feature), GET/PUT (via Presigned URLs). For delete we use POST/delete. Copying/moving files uses PUT/copy within a bucket followed by delete (if it aims to emulate move) and version delete (if it's hard delete). On top of that we use Versioning API if available (for recent / trash and couple other features). Then there is Multipart API for uploads. This all is combined with additional parameters (e.g. version ID), prefix/delimter for recursive and non-recursive listings or range queries for video streaming... but as far I am concerned parameters are not part of the IAM / permission, so perhaps these are not necessary. In principle all file operations operate on presigned URLs, there are couple exceptions (e.g. creating a file or folder). Speaking of sync, we won't be able to publish it all exactly just yet, since there are couple edge cases we haven't solved. As you can imagine there are some challenges related to the fact that S3 was never designed with efficient syncing in mind... and we're not done on the final workflow for efficient sync. Just to give you an idea. The GET operation provides date in a lower precision (RFC7231) with no milliseconds, however listings have miliseconds included. In order to determine whether sync is needed, shall we use additional LIST (time and cost) to get the exact timestamp, use hashes (what about E2E encryption?) or support both depending on conditions and user configuration (pain to maintain)? (edited)
Amazon S3 REST API Introduction - Amazon Simple Storage Service
Explains the Amazon S3 API operations, related request and response structures, and error codes to enable you to store data in the cloud.
Exported 2 message(s)
Timezone: UTC+0