To configure and use metadata table scan for Amazon S3, you must grant specific AWS permissions to the IAM principal whose credentials are used to create the S3 object storage instance. These permissions enable Commvault to create and manage S3 metadata tables, integrate with AWS Lake Formation, and access metadata reports. The policy below is written for an IAM user; where your deployment supports it, prefer attaching it to an IAM role assumed with temporary credentials rather than a user with long-lived access keys, because the policy grants write and delete rights across services.
Required IAM Policy
Add the following IAM policy to the IAM user whose credentials are used to create the S3 object storage instance. This policy provides the necessary permissions for S3 metadata tables, S3 Tables, AWS Glue, Amazon Athena, and AWS Lake Formation. Note that every statement uses "Resource": "*", so as written it applies to all buckets, table buckets, Glue catalogs, Athena workgroups, and KMS keys in the account; in particular s3:GetObject and s3:DeleteObject can read and delete objects in any bucket, s3:PutBucketPolicy and s3tables:PutTableBucketPolicy can rewrite resource policies, lakeformation:PutDataLakeSettings can change the Lake Formation administrator list, and kms:Decrypt is not limited to the keys that protect the metadata tables. Once the bucket, table bucket, catalog, workgroup, and key ARNs for your environment are known, narrow the Resource elements to those ARNs and remove any action your deployment does not exercise.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "S3InventoryPermissions",
"Effect": "Allow",
"Action": [
"s3:GetInventoryConfiguration",
"s3:PutInventoryConfiguration",
"s3:CreateBucket",
"s3:PutBucketPolicy",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "*"
},
{
"Sid": "S3MetadataTablePermissions",
"Effect": "Allow",
"Action": [
"s3:CreateBucketMetadataTableConfiguration",
"s3:DeleteBucketMetadataTableConfiguration",
"s3:GetBucketMetadataTableConfiguration",
"s3:UpdateBucketMetadataInventoryTableConfiguration",
"s3:UpdateBucketMetadataJournalTableConfiguration",
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": "*"
},
{
"Sid": "S3TablesPermissions",
"Effect": "Allow",
"Action": [
"s3tables:CreateNamespace",
"s3tables:CreateTable",
"s3tables:CreateTableBucket",
"s3tables:PutTablePolicy",
"s3tables:PutTableEncryption",
"s3tables:DeleteTableBucket",
"s3tables:GetTable",
"s3tables:ListTableBuckets",
"s3tables:ListNamespaces",
"s3tables:ListTables",
"s3tables:GetNamespace",
"s3tables:GetTableBucket",
"s3tables:GetTableMetadataLocation",
"s3tables:PutTableBucketPolicy",
"s3tables:DeleteNamespace",
"s3tables:DeleteTable",
"s3tables:RenameTable",
"s3tables:UpdateTableMetadataLocation",
"s3tables:GetTableData",
"s3tables:PutTableData"
],
"Resource": "*"
},
{
"Sid": "GluePermissions",
"Effect": "Allow",
"Action": [
"glue:PassConnection",
"glue:GetDatabase",
"glue:GetDatabases",
"glue:GetTable",
"glue:GetTables",
"glue:CreateCatalog",
"glue:CreateTable",
"glue:UpdateTable",
"glue:DeleteTable",
"glue:GetCatalog",
"glue:GetCatalogs",
"glue:GetPartition",
"glue:GetPartitions",
"glue:UpdateCatalog"
],
"Resource": "*"
},
{
"Sid": "AthenaPermissions",
"Effect": "Allow",
"Action": [
"athena:StartQueryExecution",
"athena:GetQueryExecution",
"athena:GetQueryResults",
"athena:StopQueryExecution",
"athena:ListWorkGroups",
"athena:GetWorkGroup"
],
"Resource": "*"
},
{
"Sid": "LakeFormationAndKMSPermissions",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"lakeformation:RegisterResource",
"lakeformation:RegisterResourceWithPrivilegedAccess",
"lakeformation:DescribeResource",
"lakeformation:GetDataLakeSettings",
"lakeformation:PutDataLakeSettings",
"lakeformation:BatchGrantPermissions",
"lakeformation:GetDataAccess",
"lakeformation:UpdateResource",
"lakeformation:DeregisterResource",
"lakeformation:GrantPermissions",
"lakeformation:RevokePermissions",
"lakeformation:ListPermissions",
"lakeformation:ListResources",
"lakeformation:GetResourceLFTags"
],
"Resource": "*"
}
]
}