Access management for S3 Tables
In S3 Tables resources include table buckets and the tables that they contain. The root user of the AWS account that created the resource (the resource owner) and AWS Identity and Access Management (IAM) users within that account that have the necessary permissions can access a resource that they created. The resource owner specifies who else can access the resource and the actions that they are allowed to perform on the resource. Amazon S3 has various access management tools that you can use to grant others access to your S3 resources. The following topics provide you with an overview of resources, IAM actions, and condition keys for S3 Tables. They also provide examples for both resource-based and identity-based policies for S3 Tables.
Topics
Resources
S3 Tables resources include table buckets and the tables that they contain.
Table buckets – Table buckets are specifically designed for tables and provider higher transactions per seconds (TPS) and better query throughput compared to self-managed tables in general purpose S3 buckets. Table buckets deliver the same durability, availability, scalability, and performance characteristics as Amazon S3 general purpose buckets.
Tables – Tables in your table buckets are stored in Apache Iceberg format. You can query these tables using standard SQL in query engines that support Iceberg.
Amazon Resource Names (ARNs) for tables and table buckets contain the
s3tables
namespace, the AWS Region, the AWS account ID, and the
bucket name. To access and perform actions on your tables and table buckets, you must
use the following ARN formats:
-
Table ARN format:
arn:aws:s3tables:
us-west-2
:111122223333
:bucket/amzn-s3-demo-bucket
/table/demo-tableID
Actions for S3 Tables
In an identity-based policy or resource-based policy, you define which S3 Tables
actions are allowed or denied for specific IAM principals. Tables actions correspond
to bucket and table-level API operations. All actions are
part of a unique IAM namespace: s3tables
.
When you use an action in a policy, you usually allow or deny access to the API
operation with the same name. However, in some cases, a single action controls access to
more than one API operation. For example, the s3tables:GetTableData
actions includes permissions for
the GetObject
, ListParts
, and ListMultiparts
API
operations.
The following are supported actions for table buckets. You can specify the following
actions in the Action
element of an IAM policy or resource policy.
Action | Description | Access level | Cross-account access |
---|---|---|---|
s3tables:CreateTableBucket |
Grants permissions to create a table bucket | Write |
No |
s3tables:GetTableBucket |
Grants permission to retrieve a table bucket ARN, table bucket name, and create date. | Write |
Yes |
s3tables:ListTableBuckets |
Grants permission to list all table buckets in this account. | Read |
No |
s3tables:CreateNamespace |
Grants permission to create a name space in a table bucket | Read |
Yes |
s3tables:GetNamespace |
Grants permission to retrieve namespace details | Read |
Yes |
s3tables:ListNamespace |
Grants permission to list all namespaces on the table bucket. | Read |
Yes |
s3tables:DeleteNamespace |
Grants permission to delete a namespace in a table bucket | Write |
Yes |
s3tables:DeleteTableBucket |
Grants permission to delete the bucket | Write |
Yes |
s3tables:PutTableBucketPolicy |
Grants permission to add or replace a bucket policy | Permissions Management |
No |
s3tables:GetTableBucketPolicy |
Grants permission to return the bucket policy | Read |
No |
s3tables:DeleteTableBucketPolicy |
Grants permission to delete the bucket policy | Permissions Management |
No |
s3tables:GetTableBucketMaintenanceConfiguration |
Grants permission to return the maintenance configuration for a table bucket | Read |
Yes |
s3tables:PutTableBucketMaintenanceConfiguration |
Grants permission to add or replace the maintenance configuration for a table bucket | Write |
Yes |
The following actions are supported for tables:
Action | Description | Access level | Cross-account access |
---|---|---|---|
s3tables:GetTableMaintenanceConfiguration |
Grants permission to return the maintenance configuration for a table | Read |
Yes |
s3tables:PutTableMaintenanceConfiguration |
Grants permission to add or replace the maintenance configuration for a table | Write |
Yes |
s3tables:PutTablePolicy |
Grants permission to add or replace a table policy | Permissions Management |
No |
s3tables:GetTablePolicy |
Grants permission to return the table policy | Read |
No |
s3tables:DeleteTablePolicy |
Grants permission to delete the table policy | Permissions management |
No |
s3tables:CreateTable |
Grants permission to create a table in a table bucket | Write |
Yes |
s3tables:GetTable |
Grants permission to retrieve a table information | Read |
Yes |
s3tables:GetTableMetadataLocation |
Grants permission to retrieve the table root pointer (metadata file) | Read |
Yes |
s3tables:ListTables |
Grants permission to list all tables in a table bucket | Read |
Yes |
s3tables:RenameTable |
Grant permissions to change the name of a table. | Write |
Yes |
s3tables:UpdateTableMetadataLocation |
Grants permission to update table root pointer (metadata file) | Write |
Yes |
s3tables:GetTableMetadataLocationLocation |
Grants permission to read the table root pointer (metadata file) | Read |
Yes |
s3tables:GetTableData |
Grants permission to read the table metadata and data objects stored in the table bucket | Read |
Yes |
s3tables:PutTableData |
Grants permission to write the table metadata and data objects stored in the table bucket | Write |
Yes |
To perform table-level read and write actions, S3 Tables supports Amazon S3 API
operations such as GetObject
and PutObject
. The following
table provides a list of object-level actions. When
granting read and write permissions to your tables, you use the following actions.
Action | S3 object APIs |
---|---|
s3tables:GetTableData |
GetObject , ListParts ,
HeadObject |
s3tables:PutTableData |
PutObject , CreateMultipartUpload ,
CompleteMultipartUpload , UploadPart ,
AbortMultipartUpload |
For example, if a user has GetTableData
permissions, then they can read
all the files associated with the table, such as its metadata file, manifest, manifest
list files, and parquet data files.
Condition keys for S3 Tables
S3 Tables supports AWS global condition context keys.
Additionally, S3 Tables defines the following condition keys that you can use in an access policy.
Condition key | Description | Type |
---|---|---|
s3tables:tableName |
Filters access by the name of the tables in the table bucket.
You can use the It's important to note that if you use the
"s3tables:tableName":"department*"
|
String |
s3tables:namespace |
Filters access by the namespaces created in the table bucket. You can use the It's important to note that if you use the |
String |