StorageGRID S3 bucket policy is not applied correctly when the account root is specified in the Principal element
Applies to
StorageGRID 11.3
Issue
StorageGRID S3 bucket policy is not applied correctly when the account root is specified in the Principal element.
Example:
Applying the following policy allows full access to the bucket-test bucket to all users in tenant account ID 01234567890123456789, not only to the account root.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "SGWS": [
          "urn:sgws:identity::01234567890123456789:root"
        ]
      },
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "urn:sgws:s3:::bucket-test",
        "urn:sgws:s3:::bucket-test/*"
      ]
    }
  ]
}
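To find bucket policies affected by this issue, the following added example (not NetApp code) parses a policy document and reports every Allow statement that names an account root principal in the URN form shown above. The function and constant names are hypothetical, and accepting a single string where the page uses a list is an assumption.

```python
import json
import re

# Root principal URN in the form the page shows: urn:sgws:identity::<account-id>:root
ROOT_URN = re.compile(r"^urn:sgws:identity::(\d+):root$")

# Policy copied from the example above, compacted.
PAGE_POLICY = """
{"Statement": [{"Effect": "Allow",
  "Principal": {"SGWS": ["urn:sgws:identity::01234567890123456789:root"]},
  "Action": ["s3:*"],
  "Resource": ["urn:sgws:s3:::bucket-test", "urn:sgws:s3:::bucket-test/*"]}]}
"""


def _as_list(value):
    """Assumption: an element may be a single string instead of a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def root_principal_grants(policy_text):
    """Return one finding per root principal named in an Allow statement."""
    findings = []
    statements = _as_list(json.loads(policy_text).get("Statement"))
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        # Usually a mapping such as {"SGWS": [...]}; a bare string is tolerated.
        values = principal.values() if isinstance(principal, dict) else [principal]
        for value in values:
            for entry in _as_list(value):
                match = ROOT_URN.match(entry) if isinstance(entry, str) else None
                if match:
                    findings.append({
                        "statement": index,
                        "account": match.group(1),
                        "actions": _as_list(stmt.get("Action")),
                        "resources": _as_list(stmt.get("Resource")),
                    })
    return findings


if __name__ == "__main__":
    for f in root_principal_grants(PAGE_POLICY):
        print(f"statement {f['statement']}: root of account {f['account']} "
              f"allowed {f['actions']} on {f['resources']}")
```

On StorageGRID 11.3, each finding marks a statement whose grant reaches every user in the listed tenant account, as described in the issue above.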