Resources Actions for S3 Tables Condition keys

Access management for S3 Tables

In S3 Tables resources include table buckets and the tables that they contain. The root user of the AWS account that created the resource (the resource owner) and AWS Identity and Access Management (IAM) users within that account that have the necessary permissions can access a resource that they created. The resource owner specifies who else can access the resource and the actions that they are allowed to perform on the resource. Amazon S3 has various access management tools that you can use to grant others access to your S3 resources. The following topics provide you with an overview of resources, IAM actions, and condition keys for S3 Tables. They also provide examples for both resource-based and identity-based policies for S3 Tables.

Topics

Resources

S3 Tables resources include table buckets and the tables that they contain.

Table buckets – Table buckets are specifically designed for tables and provider higher transactions per seconds (TPS) and better query throughput compared to self-managed tables in general purpose S3 buckets. Table buckets deliver the same durability, availability, scalability, and performance characteristics as Amazon S3 general purpose buckets.
Tables – Tables in your table buckets are stored in Apache Iceberg format. You can query these tables using standard SQL in query engines that support Iceberg.

Amazon Resource Names (ARNs) for tables and table buckets contain the s3tables namespace, the AWS Region, the AWS account ID, and the bucket name. To access and perform actions on your tables and table buckets, you must use the following ARN formats:

Table ARN format:

arn:aws:s3tables:us-west-2:111122223333:bucket/amzn-s3-demo-bucket/table/demo-tableID

Actions for S3 Tables

In an identity-based policy or resource-based policy, you define which S3 Tables actions are allowed or denied for specific IAM principals. Tables actions correspond to bucket and table-level API operations. All actions are part of a unique IAM namespace: s3tables.

When you use an action in a policy, you usually allow or deny access to the API operation with the same name. However, in some cases, a single action controls access to more than one API operation. For example, the s3tables:GetTableData actions includes permissions for the GetObject, ListParts, and ListMultiparts API operations.

The following are supported actions for table buckets. You can specify the following actions in the Action element of an IAM policy or resource policy policy.

Action	Description	Access level	Cross-account access
`s3tables:CreateTableBucket`	Grants permissions to create a table bucket	`Write`	No
`s3tables:GetTableBucket`	Grants permission to retrieve a table bucket ARN, table bucket name, and create date.	`Write`	Yes
`s3tables:ListTableBuckets`	Grants permission to list all table buckets in this account.	`Read`	No
`s3tables:CreateNamespace`	Grants permission to create a name space in a table bucket	`Read`	Yes
`s3tables:GetNamespace`	Grants permission to retrieve namespace details	`Read`	Yes
`s3tables:ListNamespace`	Grants permission to list all namespaces on the table bucket.	`Read`	Yes
`s3tables:DeleteNamespace`	Grants permission to delete a namespace in a table bucket	`Write`	Yes
`s3tables:DeleteTableBucket`	Grants permission to delete the bucket	`Write`	Yes
`s3tables:PutTableBucketPolicy`	Grants permission to add or replace a bucket policy	`Permissions Management`	No
`s3tables:GetTableBucketPolicy`	Grants permission to return the bucket policy	`Read`	No
`s3tables:DeleteTableBucketPolicy`	Grants permission to delete the bucket policy	`Permissions Management`	No
`s3tables:GetTableBucketMaintenanceConfiguration`	Grants permission to return the maintenance configuration for a table bucket	`Read`	Yes
`s3tables:PutTableBucketMaintenanceConfiguration`	Grants permission to add or replace the maintenance configuration for a table bucket	`Write`	Yes

The following actions are supported for tables:

Action	Description	Access level	Cross-account access
`s3tables:GetTableMaintenanceConfiguration`	Grants permission to return the maintenance configuration for a table	`Read`	Yes
`s3tables:PutTableMaintenanceConfiguration`	Grants permission to add or replace the maintenance configuration for a table	`Write`	Yes
`s3tables:PutTablePolicy`	Grants permission to add or replace a table policy	`Permissions Management`	No
`s3tables:GetTablePolicy`	Grants permission to return the table policy	`Read`	No
`s3tables:DeleteTablePolicy`	Grants permission to delete the table policy	`Permissions management`	No
`s3tables:CreateTable`	Grants permission to create a table in a table bucket	`Write`	Yes
`s3tables:GetTable`	Grants permission to retrieve a table information	`Read`	Yes
`s3tables:GetTableMetadataLocation`	Grants permission to retrieve the table root pointer (metadata file)	`Read`	Yes
`s3tables:ListTables`	Grants permission to list all tables in a table bucket	`Read`	Yes
`s3tables:RenameTable`	Grant permissions to change the name of a table.	`Write`	Yes
`s3tables:UpdateTableMetadataLocation`	Grants permission to update table root pointer (metadata file)	`Write`	Yes
`s3tables:GetTableMetadataLocationLocation`	Grants permission to read the table root pointer (metadata file)	`Read`	Yes
`s3tables:GetTableData`	Grants permission to read the table metadata and data objects stored in the table bucket	`Read`	Yes
`s3tables:PutTableData`	Grants permission to write the table metadata and data objects stored in the table bucket	`Write`	Yes

To perform table-level read and write actions, S3 Tables supports Amazon S3 API operations such as GetObject and PutObject. The following table provides a list of object-level actions. When granting read and write permissions to your tables, you use the following actions.

Action	S3 object APIs
`s3tables:GetTableData`	`GetObject, ListParts`, `HeadObject`
`s3tables:PutTableData`	`PutObject`, `CreateMultipartUpload`, `CompleteMultipartUpload`, `UploadPart`, `AbortMultipartUpload`

For example, if a user has GetTableData permissions, then they can read all the files associated with the table, such as its metadata file, manifest, manifest list files, and parquet data files.

Condition keys for S3 Tables

S3 Tables supports AWS global condition context keys.

Additionally, S3 Tables defines the following condition keys that you can use in an access policy.

Condition key Description Type

Condition key	Description	Type
`s3tables:tableName`	Filters access by the name of the tables in the table bucket. You can use the `s3tables:tableName` condition key to write IAM, or table bucket policies that restrict user or application access only the tables that meet this name condition. It's important to note that if you use the `s3tables:tableName` condition key to control access then changes in tables’ name could impact these policies. Example value: `"s3tables:tableName":"department*"`	`String`
`s3tables:namespace`	Filters access by the namespaces created in the table bucket. You can use the `s3tables:namespace` condition key to write IAM, table, or table bucket policies that restrict user or application access to tables that are part of a specific namespace. Example value: `"s3tables:namespace":"hr"` It's important to note that if you use the `s3tables:namespace` condition key to control access, then changes in namespaces could impact these policies.	`String`


                            s3tables:tableName

Filters access by the name of the tables in the table bucket.

You can use the s3tables:tableName condition key to write IAM, or table bucket policies that restrict user or application access only the tables that meet this name condition.

It's important to note that if you use the s3tables:tableName condition key to control access then changes in tables’ name could impact these policies.

Example value: "s3tables:tableName":"department*"

String


                            s3tables:namespace

Filters access by the namespaces created in the table bucket.

You can use the s3tables:namespace condition key to write IAM, table, or table bucket policies that restrict user or application access to tables that are part of a specific namespace. Example value: "s3tables:namespace":"hr"

It's important to note that if you use the s3tables:namespace condition key to control access, then changes in namespaces could impact these policies.

String

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Security for S3 Tables

IAM identity-based policies