S3 connection

Solved!
piyushk
Level 4

How do I provide the bucket owner full control policy on an object uploaded to S3? By default, only the owner has permission.

1 Solution
ATsao
Dataiker

Hi,

Unfortunately, DSS does not have control over setting the permissions of uploaded files or objects and this is something that needs to be managed at the S3 level. With that being said, the owner of the bucket should be able to grant permissions to any object in the bucket from the AWS console if there's a need to share it with other accounts. For further assistance or guidance on this matter, we suggest following up with your AWS administrator. 

Best,

Andrew


3 Replies
tomas
Level 5

I don't think so. If the object owner (DSS) does not set the bucket owner ACL on the object, then the bucket owner cannot do anything.

The only thing the bucket owner can do is to add a policy to the bucket to prevent uploading items where the owner ACL is not set.

And even if the object owner (DSS) did a manual (i.e. boto3) object ACL set, it can already be too late in cases where the S3 bucket is watched by a Lambda function. So please, Dataiku, implement this as a feature, because only the owner of the object is in full control, i.e. when you upload, you can set the bucket owner full control ACL on the object. It is just a matter of one checkbox, maybe on Connection properties: where you allow writing into the S3 connection, there could be an option "Always grant written object to the bucket owner".

 

0 Kudos
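The two controls named in the reply above, as an added example that is not part of the original thread or of DSS: a bucket policy that rejects uploads lacking the `bucket-owner-full-control` ACL, and a boto3 upload that sets the ACL in the same request. The bucket name, the function names and the local `would_deny` check are assumptions made for illustration.

```python
import json

BUCKET = "example-bucket"  # constructed placeholder, not from the thread
REQUIRED_ACL = "bucket-owner-full-control"


def require_owner_acl_policy(bucket):
    """Bucket policy (applied by the bucket owner): deny any PutObject that
    does not carry the bucket-owner-full-control canned ACL."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyPutWithoutBucketOwnerFullControl",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            # Negated operators also match when the header is absent.
            "Condition": {"StringNotEquals": {"s3:x-amz-acl": REQUIRED_ACL}},
        }],
    }


def would_deny(policy, put_headers):
    """Local sanity check of the condition above against request headers.
    Simplified on purpose: not a general IAM policy evaluator."""
    headers = {k.lower(): v for k, v in put_headers.items()}
    for stmt in policy["Statement"]:
        conds = stmt.get("Condition", {}).get("StringNotEquals", {})
        for cond_key, required in conds.items():
            header = cond_key.split(":", 1)[1]  # "s3:x-amz-acl" -> "x-amz-acl"
            if stmt["Effect"] == "Deny" and headers.get(header) != required:
                return True
    return False


def upload_with_owner_acl(bucket, key, body):
    """Uploader side: set the ACL in the PutObject call itself, so there is no
    window in which a Lambda trigger sees an object the owner cannot read."""
    import boto3  # imported lazily so the policy helpers work without it
    boto3.client("s3").put_object(Bucket=bucket, Key=key, Body=body, ACL=REQUIRED_ACL)


def apply_policy(bucket):
    """Bucket-owner side: attach the deny policy to the bucket."""
    import boto3
    policy = json.dumps(require_owner_acl_policy(bucket))
    boto3.client("s3").put_bucket_policy(Bucket=bucket, Policy=policy)


if __name__ == "__main__":
    print(json.dumps(require_owner_acl_policy(BUCKET), indent=2))
```
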
ATsao
Dataiker

Hi Tomas, 

We appreciate the additional feedback and this does make sense. Yes, I can go ahead and forward this feedback to our product team on your behalf for further review and consideration. 

Best,

Andrew

0 Kudos