
Customer managed policy examples

In the document AWS Storage Gateway (pages 156-160)

] }

This additional permission is required because the Amazon EBS snapshots generated from Storage Gateway are managed as Amazon EC2 resources.

To set up the minimum permissions required to navigate the Storage Gateway console, see Example 2: Allow read-only access to a gateway (p. 150).

AWS managed policies for Storage Gateway

Amazon Web Services addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. Managed policies grant necessary permissions for common use cases so you can avoid having to investigate what permissions are needed. For more information about AWS managed policies, see AWS Managed Policies in the IAM User Guide.

The following AWS managed policies, which you can attach to users in your account, are specific to Storage Gateway:

AWSStorageGatewayReadOnlyAccess – Grants read-only access to AWS Storage Gateway resources.

AWSStorageGatewayFullAccess – Grants full access to AWS Storage Gateway resources.

Note

You can review these permissions policies by signing in to the IAM console and searching for specific policies there.

You can also create your own custom IAM policies to allow permissions for AWS Storage Gateway API actions. You can attach these custom policies to the IAM users or groups that require those permissions.

Customer managed policy examples

In this section, you can find example user policies that grant permissions for various Storage Gateway actions. These policies work when you are using AWS SDKs and the AWS CLI. When you are using the console, you need to grant additional permissions specific to the console, which is discussed in Permissions required to use the Storage Gateway console (p. 148).

Note

All examples use the US West (Oregon) Region (us-west-2) and contain fictitious account IDs.

Topics

• Example 1: Allow any Storage Gateway actions on all gateways (p. 149)

• Example 2: Allow read-only access to a gateway (p. 150)

• Example 3: Allow access to a specific gateway (p. 151)

• Example 4: Allow a user to access a specific volume (p. 152)

• Example 5: Allow all actions on gateways with a specific prefix (p. 153)

Example 1: Allow any Storage Gateway actions on all gateways

The following policy allows a user to perform all the Storage Gateway actions. The policy also allows the user to perform Amazon EC2 actions (DescribeSnapshots and DeleteSnapshot) on the Amazon EBS snapshots generated from Storage Gateway.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAllAWSStorageGatewayActions",
      "Action": [

Example 2: Allow read-only access to a gateway

The following policy allows all List* and Describe* actions on all resources. Note that these actions are read-only actions. Thus, the policy doesn't allow the user to change the state of any resources—that is, the policy doesn't allow the user to perform actions such as DeleteGateway, ActivateGateway, and ShutdownGateway.

The policy also allows the DescribeSnapshots Amazon EC2 action. For more information, see DescribeSnapshots in the Amazon EC2 API Reference.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadOnlyAccessToAllGateways",
      "Action": [

    {
      "Sid": "AllowsUserToDescribeSnapshotsOnAllGateways",
      "Action": [

In the preceding policy, instead of using a wildcard character (*), you can scope the resources covered by the policy to a specific gateway, as shown in the following example. The policy then allows the actions only on that gateway.

"Resource": [
  "arn:aws:storagegateway:us-west-2:123456789012:gateway/gateway-id/",
  "arn:aws:storagegateway:us-west-2:123456789012:gateway/gateway-id/*"
]

Within a gateway, you can further restrict the scope of the resources to only the gateway volumes, as shown in the following example:

"Resource": "arn:aws:storagegateway:us-west-2:123456789012:gateway/gateway-id/volume/*"

Example 3: Allow access to a specific gateway

The following policy allows all actions on a specific gateway. The user is restricted from accessing other gateways you might have deployed.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadOnlyAccessToAllGateways",
      "Action": [

    {
      "Sid": "AllowsUserToDescribeSnapshotsOnAllGateways",
      "Action": [

    {
      "Sid": "AllowsAllActionsOnSpecificGateway",
      "Action": [
        "storagegateway:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:storagegateway:us-west-2:123456789012:gateway/gateway-id/",
        "arn:aws:storagegateway:us-west-2:123456789012:gateway/gateway-id/*"
      ]
    }
  ]
}

The preceding policy works if the user to whom the policy is attached uses either the API or an AWS SDK to access the gateway. However, if the user is going to use the Storage Gateway console, you must also grant permissions to allow the ListGateways action, as shown in the following example.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAllActionsOnSpecificGateway",
      "Action": [
        "storagegateway:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:storagegateway:us-west-2:123456789012:gateway/gateway-id/",
        "arn:aws:storagegateway:us-west-2:123456789012:gateway/gateway-id/*"
      ]

Example 4: Allow a user to access a specific volume

The following policy allows a user to perform all actions on a specific volume of a gateway. Because a user doesn't get any permissions by default, the policy restricts the user to accessing only that volume.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GrantsPermissionsToSpecificVolume",
      "Action": [
        "storagegateway:*"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:storagegateway:us-west-2:123456789012:gateway/gateway-id/volume/volume-id"
    },
    {
      "Sid": "GrantsPermissionsToUseStorageGatewayConsole",
      "Action": [

The preceding policy works if the user to whom the policy is attached uses either the API or an AWS SDK to access the volume. However, if this user is going to use the AWS Storage Gateway console, you must also grant permissions to allow the ListGateways action, as shown in the following example.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GrantsPermissionsToSpecificVolume",
      "Action": [
        "storagegateway:*"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:storagegateway:us-west-2:123456789012:gateway/gateway-id/volume/volume-id"
    },
    {
      "Sid": "GrantsPermissionsToUseStorageGatewayConsole",
      "Action": [

Example 5: Allow all actions on gateways with a specific prefix

The following policy allows a user to perform all Storage Gateway actions on gateways with names that start with DeptX. The policy also allows the DescribeSnapshots Amazon EC2 action, which is required if you plan to describe snapshots.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsActionsGatewayWithPrefixDeptX",
      "Action": [
        "storagegateway:*"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:storagegateway:us-west-2:123456789012:gateway/DeptX*"
    },
    {
      "Sid": "GrantsPermissionsToSpecifiedAction",
      "Action": [

The preceding policy works if the user to whom the policy is attached uses either the API or an AWS SDK to access the gateway. However, if this user plans to use the AWS Storage Gateway console, you must grant additional permissions as described in Example 3: Allow access to a specific gateway (p. 151).
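The following script is an added example and is not part of the AWS documentation or of any AWS tooling. It models the evaluation rules these examples rely on (implicit deny, an Allow statement whose Action and Resource patterns both match, explicit Deny winning) and runs the read-only policy of Example 2 and the prefix policy of Example 5 against constructed requests, so you can see why List*/Describe* cannot delete a gateway, why scoping the Resource to a gateway ARN also covers that gateway's volumes, and why the console's ListGateways call fails under a gateway-scoped policy until Example 3's extra statement is added. The Action lists for the read-only policy are taken from the prose (List* and Describe*), the DeptX resource is assumed to carry a trailing wildcard so that it matches every gateway ID beginning with DeptX, the Sid "AllowsSnapshotActions" and the gateway IDs are constructed placeholders, and Condition, NotAction, NotResource and non-identity policies are deliberately out of scope.

```python
import fnmatch

# Constructed policy documents modelled on the page's Example 1, Example 2 and
# Example 5. Account ID and Region are the fictitious ones used throughout.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowsAllAWSStorageGatewayActions",
            "Action": ["storagegateway:*"],
            "Effect": "Allow",
            "Resource": "*",
        },
        {
            "Sid": "AllowsSnapshotActions",  # constructed Sid, not from the page
            "Action": ["ec2:DescribeSnapshots", "ec2:DeleteSnapshot"],
            "Effect": "Allow",
            "Resource": "*",
        },
    ],
}

READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReadOnlyAccessToAllGateways",
            "Action": ["storagegateway:List*", "storagegateway:Describe*"],
            "Effect": "Allow",
            "Resource": "*",
        },
        {
            "Sid": "AllowsUserToDescribeSnapshotsOnAllGateways",
            "Action": ["ec2:DescribeSnapshots"],
            "Effect": "Allow",
            "Resource": "*",
        },
    ],
}

PREFIX_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowsActionsGatewayWithPrefixDeptX",
            "Action": ["storagegateway:*"],
            "Effect": "Allow",
            # trailing wildcard assumed so the pattern covers every DeptX gateway
            "Resource": "arn:aws:storagegateway:us-west-2:123456789012:gateway/DeptX*",
        },
    ],
}

# Constructed gateway ARNs; the gateway IDs are placeholders, not real IDs.
GW_DEPTX = "arn:aws:storagegateway:us-west-2:123456789012:gateway/DeptX-sgw-0001"
GW_OTHER = "arn:aws:storagegateway:us-west-2:123456789012:gateway/sgw-0002"


def _as_list(value):
    """IAM accepts either a string or a list of strings for Action and Resource."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation of one request.

    Everything is implicitly denied; an Allow statement whose Action and
    Resource patterns both match grants the request; any matching Deny
    overrides every Allow. Action names match case-insensitively, ARNs
    case-sensitively, and '*' / '?' behave as IAM wildcards.
    """
    allowed = False
    for stmt in policy["Statement"]:
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if not any(fnmatch.fnmatchcase(resource, r)
                   for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def broad_statements(policy):
    """Return the Sids of Allow statements that grant a whole service
    ('service:*' or '*') on every resource: a quick least-privilege check."""
    flagged = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        wide_action = any(a == "*" or a.endswith(":*")
                          for a in _as_list(stmt.get("Action", [])))
        wide_resource = "*" in _as_list(stmt.get("Resource", []))
        if wide_action and wide_resource:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    checks = [
        ("read-only", READ_ONLY_POLICY, "storagegateway:DescribeGatewayInformation", GW_OTHER),
        ("read-only", READ_ONLY_POLICY, "storagegateway:DeleteGateway", GW_OTHER),
        ("read-only", READ_ONLY_POLICY, "ec2:DeleteSnapshot", "*"),
        ("prefix", PREFIX_POLICY, "storagegateway:ShutdownGateway", GW_DEPTX),
        ("prefix", PREFIX_POLICY, "storagegateway:DeleteVolume", GW_DEPTX + "/volume/vol-1"),
        ("prefix", PREFIX_POLICY, "storagegateway:ShutdownGateway", GW_OTHER),
        ("prefix", PREFIX_POLICY, "storagegateway:ListGateways", "*"),
    ]
    for name, policy, action, resource in checks:
        verdict = "ALLOW" if is_allowed(policy, action, resource) else "DENY "
        print(f"{verdict} [{name}] {action} on {resource}")
    print("broad statements in full-access policy:", broad_statements(FULL_ACCESS_POLICY))
```

The last check is the one that matters for console users: ListGateways is not called against a particular gateway ARN, so a policy whose only Resource is a gateway ARN never matches it, which is exactly why the console variants in Examples 3 and 4 carry a second statement. The broad_statements check flags Example 1's storagegateway:* on every resource; treat such a statement as a deliberate choice for administrators, not as a template for ordinary users.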

Using tags to control access to your gateway and
