Mountpoint-s3 with minimal IAM Permissions #891

Open
bartdenotte opened this issue May 27, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@bartdenotte

Tell us more about this new feature.

Hi,

When trying to expose a multi-tenant bucket (different users have different locations they should be able to access) via mountpoint-s3, it seems that I need to grant more permissions than needed.

Given the following structure:

bucket

  • project1
  • project2
    • folder0
    • folder1
      • dummy
        • files
          • file1
          • file2

A user needs access to the prefixes project1/ and project2/folder1/dummy/files/.
From a least-privilege principle, I need to provide GetObject and ListBucket permissions to
project1/* and project2/folder1/dummy/files/*.

Using the above-described policy with the aws s3 client does seem to work: I'm able to list files/folders in both paths and don't have access to any of the parent folders or siblings.

When using mountpoint-s3, I'm unable to use the above-described policy, as the OS tries to access project2/ before traversing to project2/folder1/, and so on until it tries to list in project2/folder1/dummy/files/.
From a confidentiality point of view, the end user cannot list anything besides the two paths specified.

Is there a possibility for mountpoint to cope with this Linux OS/FUSE-specific behaviour, to ensure we as a client don't need to provide more permissions than needed? This will allow us to use a single mount for an entire subtree structure and a single limited IAM policy. Using separate mounts cannot be done, as it will potentially entail having 1K mounts on an OS.

The above-described capability, in combination with the subPath expression in Kubernetes/EKS, allows us to expose only what is needed to the user.

@bartdenotte bartdenotte added the enhancement New feature or request label May 27, 2024
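
Added example, not part of the issue or of Mountpoint's code: a simplified model of the policy described above, assuming it is written as an `s3:prefix` condition on `s3:ListBucket`, that shows which intermediate prefixes a component-by-component path walk has to list and which of them the policy denies. The bucket name `example-bucket`, the Sids and the helper function names are placeholders chosen for illustration.

```python
from fnmatch import fnmatchcase

# Constructed policy: bucket name and Sids are placeholders; prefixes are from the issue.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListOnlyTenantPrefixes",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-bucket",
            "Condition": {"StringLike": {"s3:prefix": [
                "project1/*", "project2/folder1/dummy/files/*"]}},
        },
        {
            "Sid": "ReadOnlyTenantObjects",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::example-bucket/project1/*",
                "arn:aws:s3:::example-bucket/project2/folder1/dummy/files/*"],
        },
    ],
}

def list_patterns(policy):
    """Collect the s3:prefix patterns of every Allow statement for s3:ListBucket."""
    patterns = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and stmt["Action"] == "s3:ListBucket":
            patterns += stmt["Condition"]["StringLike"]["s3:prefix"]
    return patterns

def list_allowed(prefix, policy=POLICY):
    """True if a list request for `prefix` matches a granted pattern.
    fnmatchcase approximates IAM StringLike ('*' and '?' wildcards)."""
    return any(fnmatchcase(prefix, p) for p in list_patterns(policy))

def walk_prefixes(target):
    """Directory prefixes visited, in order, when a path is resolved
    component by component from the mount root down to `target`."""
    parts = target.strip("/").split("/")
    return ["/".join(parts[:i]) + "/" for i in range(1, len(parts) + 1)]

def denied_on_walk(target, policy=POLICY):
    """Prefixes on the way to `target` that the policy refuses to list."""
    return [p for p in walk_prefixes(target) if not list_allowed(p, policy)]
```

A direct list of either granted prefix is allowed, which matches the aws s3 client behaviour reported in the issue, while the walk to `project2/folder1/dummy/files/` crosses three parent prefixes the policy does not cover.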
@dannycjones
Contributor

Thanks for sharing the use case, @bartdenotte.

I don't have any workaround I can share today (other than using separate mounts, which, as you mentioned, wouldn't be feasible in this case). I'll take this to the team so we can investigate ways to allow this type of mount without needing to grant the broad permissions.
