Setting up permissions for configuring metadata tables
To create a metadata table configuration, you must have the necessary AWS Identity and Access Management (IAM) permissions to both create and manage your metadata table configuration and to create and manage your metadata table and the table bucket where your metadata table is stored.
To create and manage your metadata table configuration, you must have these permissions:
- s3:CreateBucketMetadataTableConfiguration – This permission allows you to create a metadata table configuration for your general purpose bucket.
- s3:GetBucketMetadataTableConfiguration – This permission allows you to retrieve information about your metadata table configuration.
- s3:DeleteBucketMetadataTableConfiguration – This permission allows you to delete your metadata table configuration.
To create and work with tables and table buckets, you must have certain s3tables permissions. At a minimum, to create a metadata table configuration, you must have the following s3tables permissions:
- s3tables:CreateNamespace – This permission allows you to create a namespace in a table bucket. Metadata tables use the default aws_s3_metadata namespace.
- s3tables:GetTable – This permission allows you to retrieve information about your metadata table.
- s3tables:CreateTable – This permission allows you to create your metadata table.
- s3tables:PutTablePolicy – This permission allows you to add or update your metadata table policy.
For detailed information about all table and table bucket permissions, see Access management for S3 Tables.
Important
If you also want to integrate your table bucket with AWS analytics services so that you can query your metadata table, you need additional permissions. For more information, see Integrating Amazon S3 Tables with AWS analytics services.
Permissions for SSE-KMS
To access S3 table buckets or S3 tables that are using server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS), you need to include additional permissions.
- The user or IAM role needs the following permissions. You can grant these permissions by using the IAM console (https://console.aws.amazon.com/iam/).
  - s3tables:PutTableEncryption to configure table encryption
  - s3tables:PutTableBucketEncryption to configure table bucket encryption
  - kms:DescribeKey on the AWS KMS key used
- On the resource policy for the KMS key, you need the following permissions. You can grant these permissions by using the KMS console (https://console.aws.amazon.com/kms).
  - kms:GenerateDataKey permission to metadata.s3.amazonaws.com and maintenance.s3tables.amazonaws.com
  - kms:Decrypt permission to metadata.s3.amazonaws.com and maintenance.s3tables.amazonaws.com
  - kms:DescribeKey permission to the invoking AWS principal
For more information on granting the necessary permissions to the S3 Metadata service, see the documentation on Granting the S3 Metadata service principal permissions to use your KMS key.
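The key policy statements listed above, written out as an added example that is not part of the original documentation: the two service principals get kms:GenerateDataKey and kms:Decrypt, and the invoking principal gets kms:DescribeKey. The account ID 111122223333 and the role name MetadataAdminRole are placeholders, and Resource is "*" because a key policy is attached to the key itself.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3MetadataAndS3TablesMaintenanceToUseKey",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "metadata.s3.amazonaws.com",
          "maintenance.s3tables.amazonaws.com"
        ]
      },
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowInvokingPrincipalToDescribeKey",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/MetadataAdminRole"
      },
      "Action": "kms:DescribeKey",
      "Resource": "*"
    }
  ]
}
```

Add these statements to the key's existing policy rather than replacing it, so that the statement granting administrative access to the account's IAM principals is preserved.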
Example policy
To create and work with metadata tables and table buckets, you can use the following example policy. In this policy, the general purpose bucket that you're applying the metadata table configuration to is referred to as amzn-s3-demo-source-bucket. The table bucket where you're storing your metadata table is referred to as amzn-s3-demo-bucket. To use this policy, replace these bucket names and the user input placeholders with your own information:
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"PermissionsToWorkWithMetadataTables",
         "Effect":"Allow",
         "Action":[
            "s3:CreateBucketMetadataTableConfiguration",
            "s3:GetBucketMetadataTableConfiguration",
            "s3:DeleteBucketMetadataTableConfiguration",
            "s3tables:*"
         ],
         "Resource":[
            "arn:aws:s3:::amzn-s3-demo-source-bucket",
            "arn:aws:s3tables:region:account_id:bucket/amzn-s3-demo-bucket",
            "arn:aws:s3tables:region:account_id:bucket/amzn-s3-demo-bucket/table/*"
         ]
      }
   ]
}