2

S3 Tables Security

Chris Lu edited this page 2026-02-16 14:04:56 -08:00

Table of Contents

• S3 Tables Security
• Permission Model
• Default Permission Behavior
• Policy Structure
• Supported Actions
• Table Bucket Operations
• Namespace Operations
• Table Operations
• Example Policies
• 1. Read-Only Access
• 2. Admin Access for Specific Namespace
• 3. Deny Deletion

S3 Tables Security

SeaweedFS S3 Tables implementation supports fine-grained access control using IAM-style policies. These policies can be attached to Table Buckets to control access to namespaces and tables.

Permission Model

Permissions are defined using JSON policy documents similar to AWS IAM. Policies are attached to the Table Bucket using the PutTableBucketPolicy API.

Default Permission Behavior

If no policy is attached to a Table Bucket:

• Zero Configuration: Access is Allowed by default (simplifies development).
• IAM Configured: Access is Denied by default (security best practice).

Policy Structure

A policy document consists of a list of statements:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3tables:CreateTable",
      "Resource": "*"
    }
  ]
}

• Effect: Allow or Deny. Deny always takes precedence.
• Principal: The user or role (e.g., *, arn:aws:iam::123456789012:user/admin).
• Action: The API operation to allow/deny (supports wildcards).
• Resource: The resource ARN (supports wildcards).
• Condition: (Optional) extra conditions for the rule.

---

Supported Actions

The following actions are supported in policies. Actions can be specified with the s3tables: prefix or without it (for some contexts).

Table Bucket Operations

• s3tables:CreateTableBucket
• s3tables:DeleteTableBucket
• s3tables:GetTableBucket
• s3tables:ListTableBuckets
• s3tables:PutTableBucketPolicy
• s3tables:GetTableBucketPolicy
• s3tables:DeleteTableBucketPolicy

Namespace Operations

• s3tables:CreateNamespace
• s3tables:DeleteNamespace
• s3tables:GetNamespace
• s3tables:ListNamespaces

Table Operations

• s3tables:CreateTable
• s3tables:DeleteTable
• s3tables:GetTable
• s3tables:ListTables
• s3tables:PutTablePolicy
• s3tables:GetTablePolicy
• s3tables:DeleteTablePolicy

---

Example Policies

1. Read-Only Access

Allow listing and getting tables, but no modifications.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3tables:Get*",
        "s3tables:List*"
      ],
      "Resource": "*"
    }
  ]
}

2. Admin Access for Specific Namespace

Allow full access only to tables within the finance namespace.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "arn:aws:iam::123456789012:user/finance-admin",
      "Action": "s3tables:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "s3tables:namespace": "finance"
        }
      }
    }
  ]
}

3. Deny Deletion

Allow everything except deleting tables.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3tables:*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3tables:DeleteTable",
      "Resource": "*"
    }
  ]
}

Introduction

• Quick Start with weed mini
• Simplest S3 Bucket and User Setup
• Components
• Getting Started
• Production Setup
• A typical step‐by‐step example
• Benchmarks
• FAQ
• Applications

API

• Master Server API
• Volume Server API
• Filer Server API
• Client Libraries
• SeaweedFS Java Client

Configuration

• Replication
• Store file with a Time To Live
• Failover Master Server
• Erasure coding for warm storage
• EC Bitrot Detection
• Server Startup via Systemd
• Environment Variables

Filer

• Filer Setup
• Directories and Files
• File Operations Quick Reference
• Data Structure for Large Files
• Filer Data Encryption
• Filer Commands and Operations
• Filer JWT Use
• TUS Resumable Uploads

Filer Stores

• Filer Cassandra Setup
• Filer Redis Setup
• Super Large Directories
• Path-Specific Filer Store
• Choosing a Filer Store
• Customize Filer Store

Management

• Admin UI
• Admin UI OIDC
• Worker
• Plugin Worker Scheduling

Advanced Filer Configurations

• Migrate to Filer Store
• Add New Filer Store
• Filer Store Replication
• Filer Active Active cross cluster continuous synchronization
• Filer as a Key-Large-Value Store
• Path Specific Configuration
• Filer Change Data Capture
• Filer Operation Serialization

FUSE Mount

• FIO benchmark
• fstab and systemd mount
• POSIX Compliance
• Distributed POSIX Locks
• P2P reading in weed mount

WebDAV

SFTP Server

Cloud Drive

• Cloud Drive Benefits
• Cloud Drive Architecture
• Configure Remote Storage
• Mount Remote Storage
• Cache Remote Storage
• Cloud Drive Quick Setup
• Gateway to Remote Object Storage

AWS S3 API

• Amazon S3 API
• Supported APIs vs Minio
• S3 Lifecycle
• S3 Lifecycle vs Volume TTL
• S3 Conditional Operations
• S3 CORS
• S3 Object Lock and Retention
• S3 Object Versioning
• S3 API Benchmark
• S3 API FAQ
• S3 Bucket Quota
• S3 Rate Limiting
• S3 API Audit log
• S3 Nginx Proxy
• Docker Compose for S3

S3 Table Bucket

• S3 Table Bucket
• S3 Table Bucket Commands
• S3 Tables Security
• SeaweedFS Iceberg Catalog
• Iceberg Table Maintenance

Iceberg Integrations

• Spark Iceberg Integration
• Trino Iceberg Integration
• Dremio Iceberg Integration
• DuckDB Iceberg Integration
• Doris Iceberg Integration
• RisingWave Iceberg Integration
• Lakekeeper Iceberg Integration

S3 Authentication & IAM

• S3 Configuration - Start Here
• S3 Credentials (-s3.config)
• OIDC Integration (-s3.iam.config)
• Kubernetes ServiceAccount Authentication (IRSA-style)
• S3 Policy Variables
• S3 Policy Conditions
• S3 Bucket Policies
• Amazon IAM API
• AWS IAM CLI
• weed shell - Shell IAM Commands

Server-Side Encryption

• Server-Side Encryption
• Server-Side Encryption SSE-KMS
• Server-Side Encryption SSE-C

S3 Client Tools

• AWS CLI with SeaweedFS
• s3cmd with SeaweedFS
• rclone with SeaweedFS
• restic with SeaweedFS
• nodejs with Seaweed S3

Machine Learning

• TensorFlow with SeaweedFS
• Distributing AI Model Files for Multi-GPU Loading

HDFS

• Hadoop Compatible File System
• run Spark on SeaweedFS
• run HBase on SeaweedFS
• run Presto on SeaweedFS
• Hadoop Benchmark
• HDFS via S3 connector

Replication and Backup

• Async Replication to another Filer [Deprecated]
• Async Backup
• Async Filer Metadata Backup
• Async Replication to Cloud [Deprecated]
• Kubernetes Backups and Recovery with K8up

Metadata Change Events

• Filer Metadata Events
• Filer Notification Webhook

Messaging

• Structured Data Lake with SMQ and SQL
• Seaweed Message Queue
• SQL Queries on Message Queue
• SQL Quick Reference
• PostgreSQL-compatible Server weed db
• Pub-Sub to SMQ to SQL
• Kafka to Kafka Gateway to SMQ to SQL

Use Cases

• Use Cases
• Actual Users

Operations

• System Metrics
• weed shell
• Data Backup
• Deployment to Kubernetes and Minikube
• Deployment with seaweed-up
  • Cluster Plan Workflow
  • Cluster Plan Inventory Reference
  • Cluster Plan Day 2 Operations

Rust Volume Server

• Rust Volume Server

Advanced

• Large File Handling
• Optimization
• Optimization for Many Small Buckets
• Volume Management
• Tiered Storage
• Cloud Tier
• Cloud Monitoring
• Load Command Line Options from a file
• SRV Service Discovery
• Volume Files Structure

Security

• Security Overview
• Security Configuration
• Cryptography and FIPS Compliance
• Run Blob Storage on Public Internet

Misc Use Case Examples

• UrBackup with SeaweedFS
• Docker Image Registry with SeaweedFS
• SeaweedFS in Docker Swarm
• Words from SeaweedFS Users
• Independent Benchmarks
• Hardware