AWS Storage Gateway User Guide
Overview of Managing Access
ID to lowercase to use it with the EC2 API. For example, in Storage Gateway the ID for a volume might be vol-1122AABB. When you use this ID with the EC2 API, you must change it to vol-1122aabb. Otherwise, the EC2 API might not behave as expected.
ARNs for gateways activated prior to September 2, 2015, contain the gateway name instead of the gateway ID. To obtain the ARN for your gateway, use the DescribeGatewayInformation API operation.
Storage Gateway provides a set of API operations for you to create and manage these resources and subresources. For a list of API operations, see the AWS Storage Gateway API Reference.
To grant permissions for specific API operations, such as creating a tape, Storage Gateway defines a set of actions that you can specify in a permissions policy to grant permissions for specific API operations. An API operation can require permissions for more than one action. For a table showing all the Storage Gateway API actions and the resources they apply to, see Storage Gateway API Permissions: Actions, Resources, and Conditions Reference (p. 309).
Understanding Resource Ownership
A resource owner is the AWS account that created the resource. That is, the resource owner is the AWS account of the principal entity (the root account, an IAM user, or an IAM role) that authenticates the request that creates the resource. The following examples illustrate how this works:
• If you use the root account credentials of your AWS account to activate a gateway, your AWS account is the owner of the resource (in Storage Gateway, the resource is the gateway).
• If you create an IAM user in your AWS account and grant permissions to the ActivateGateway action to that user, the user can activate a gateway. However, your AWS account, to which the user belongs, owns the gateway resource.
• If you create an IAM role in your AWS account with permissions to activate a gateway, anyone who can assume the role can activate a gateway. Your AWS account, to which the role belongs, owns the gateway resource.
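The second and third examples above grant the ActivateGateway action to an IAM user or role. The following identity-based policy is an added example and is not from the user guide. The Region (us-east-1), account ID (123456789012) and gateway ID (sgw-12A3456B) are placeholders. ActivateGateway is allowed on the wildcard resource because the gateway's ARN does not exist until activation completes, while DescribeGatewayInformation is restricted to the ARN of the one gateway the account owns, which is the least-privilege shape to aim for once the resource exists.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGatewayActivation",
      "Effect": "Allow",
      "Action": "storagegateway:ActivateGateway",
      "Resource": "*"
    },
    {
      "Sid": "AllowDescribeOwnGateway",
      "Effect": "Allow",
      "Action": "storagegateway:DescribeGatewayInformation",
      "Resource": "arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B"
    }
  ]
}
```

Attach this policy to the IAM user or role. In either case the AWS account that the identity belongs to owns the gateway that is activated, as the examples above describe. For a gateway activated before September 2, 2015, do not build the ARN from the gateway ID; take it from DescribeGatewayInformation, because such ARNs contain the gateway name instead.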
Managing Access to Resources
A permissions policy describes who has access to what. The following section explains the available options for creating permissions policies.
Note
This section discusses using IAM in the context of Storage Gateway. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see the IAM User Guide. For information about IAM policy syntax and descriptions, see the IAM User Guide.
Policies attached to an IAM identity are referred to as identity-based policies (IAM policies), and policies attached to a resource are referred to as resource-based policies. Storage Gateway supports only identity-based policies (IAM policies).
Topics
• Identity-Based Policies (IAM Policies) (p. 297)
• Resource-Based Policies (p. 298)
Identity-Based Policies (IAM Policies)
You can attach policies to IAM identities. For example, you can do the following:
API Version 2013-06-30
297