Not sure what the root cause is. Do you mind helping to fix it? I am not sure whether others in the community are familiar with S3 and have an environment to test it.

Great Info <gubt...@gmail.com> wrote on Mon, Jul 26, 2021 at 12:06 AM:

> I have deployed Zeppelin 0.9.0 on AWS EC2 and configured the S3 notebook
> store. I have an IAM role created, EC2 uses that role, and I defined the
> right bucket permission for that role.
> Creating and modifying notebooks works, but delete is not working; I am
> getting a 403 error.
>
> I have the right policy defined; below is my policy JSON (camel case was
> lost here due to some content move). How do I know which action is used
> when deleting notebooks?
>
> {
>   "version": "2012-10-17",
>   "id": "bucket_policy",
>   "statement": [{
>     "sid": "denyreadaccess",
>     "effect": "deny",
>     "principal": "*",
>     "action": ["s3:getobject", "s3:getobjectversion"],
>     "resource": "arn:aws:s3:::zeppelin-tes/*",
>     "condition": {
>       "arnnotlike": {
>         "aws:principalarn": "arn:aws:iam::985767567532:role/app/zeppelin-tes"
>       }
>     }
>   }, {
>     "sid": "denywriteaccess",
>     "effect": "deny",
>     "principal": "*",
>     "action": ["s3:putobject", "s3:putobjectacl"],
>     "resource": "arn:aws:s3:::zeppelin-tes/*",
>     "condition": {
>       "arnnotlike": {
>         "aws:principalarn": "arn:aws:iam::985767567532:role/app/zeppelin-tes"
>       }
>     }
>   }, {
>     "sid": "denydeleteaccess",
>     "effect": "deny",
>     "principal": "*",
>     "action": ["s3:deleteobject", "s3:deleteobjectversion",
>                "s3:abortmultipartupload"],
>     "resource": "arn:aws:s3:::zeppelin-tes/*",
>     "condition": {
>       "arnnotlike": {
>         "aws:principalarn": "arn:aws:iam::985767567532:role/app/zeppelin-tes"
>       }
>     }
>   }, {
>     "sid": "denyreplicateaccessallexceptmasterroles",
>     "effect": "deny",
>     "principal": "*",
>     "action": ["s3:replicateobject", "s3:replicatetags", "s3:replicatedelete"],
>     "resource": "arn:aws:s3:::zeppelin-tes/*",
>     "condition": {
>       "arnlike": {
>         "aws:principalarn": "arn:aws:iam::985767567532:role/app/zeppelin-tes"
>       }
>     }
>   }, {
>     "sid": "denyaccessexceptformasterroles",
>     "effect": "deny",
>     "principal": "*",
>     "action": ["s3:deletebucket", "s3:deletebucketpolicy",
>                "s3:deletebucketwebsite", "s3:putbucketacl", "s3:putbucketcors",
>                "s3:putbucketpolicy", "s3:putbucketlogging", "s3:putbucketnotification",
>                "s3:putbucketobjectlockconfiguration", "s3:putbucketpublicaccessblock",
>                "s3:putbucketrequestpayment", "s3:putbucketwebsite", "s3:restoreobject*"],
>     "resource": ["arn:aws:s3:::zeppelin-tes", "arn:aws:s3:::zeppelin-tes/*"],
>     "condition": {
>       "arnlike": {
>         "aws:principalarn": "arn:aws:iam::985767567532:role/app/zeppelin-tes"
>       }
>     }
>   }, {
>     "sid": "denynonsecuretraffic",
>     "effect": "deny",
>     "principal": "*",
>     "action": "s3:*",
>     "resource": ["arn:aws:s3:::zeppelin-tes", "arn:aws:s3:::zeppelin-tes/*"],
>     "condition": {
>       "bool": {
>         "aws:securetransport": "false"
>       }
>     }
>   }]
> }
>

--
Best Regards

Jeff Zhang
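
Added example, not part of the original thread and not Zeppelin code: a small evaluator that reports which of the posted Deny statements apply to a given request, so the bucket policy can be checked against the role before looking elsewhere. It reads the keys lower-cased as they were posted; the object key is constructed, and the whole-string wildcard matching is a simplification of how IAM compares ARNs.

```python
import fnmatch

# Constructed input: three Deny statements copied from the policy quoted above,
# with keys and action names lower-cased exactly as they were posted.
ROLE = "arn:aws:iam::985767567532:role/app/zeppelin-tes"
OBJECTS = "arn:aws:s3:::zeppelin-tes/*"
POLICY = {"statement": [
    {"sid": "denydeleteaccess", "effect": "deny", "resource": OBJECTS,
     "action": ["s3:deleteobject", "s3:deleteobjectversion",
                "s3:abortmultipartupload"],
     "condition": {"arnnotlike": {"aws:principalarn": ROLE}}},
    {"sid": "denyreplicateaccessallexceptmasterroles", "effect": "deny",
     "action": ["s3:replicateobject", "s3:replicatetags", "s3:replicatedelete"],
     "resource": OBJECTS, "condition": {"arnlike": {"aws:principalarn": ROLE}}},
    {"sid": "denynonsecuretraffic", "effect": "deny", "action": "s3:*",
     "resource": ["arn:aws:s3:::zeppelin-tes", OBJECTS],
     "condition": {"bool": {"aws:securetransport": "false"}}},
]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def like(value, patterns):
    # Simplification: whole-string * and ? wildcards, enough for this policy.
    return any(fnmatch.fnmatchcase(value, p) for p in as_list(patterns))

def condition_holds(condition, ctx):
    # Every operator/key pair must hold for the statement to apply.
    for op, pairs in condition.items():
        if op not in ("arnlike", "arnnotlike", "bool"):
            raise ValueError(f"operator not modelled: {op}")
        for key, expected in pairs.items():
            hit = like(ctx.get(key, ""), expected)
            if hit == (op == "arnnotlike"):  # negated operator fails on a match
                return False
    return True

def denying_sids(policy, principal_arn, action, resource, secure=True):
    """Return the sids of the Deny statements that apply to one request."""
    ctx = {"aws:principalarn": principal_arn,
           "aws:securetransport": str(secure).lower()}
    return [s["sid"] for s in policy["statement"]
            if s["effect"] == "deny"
            and like(action.lower(), s["action"])  # action names ignore case
            and like(resource, s["resource"])
            and condition_holds(s.get("condition", {}), ctx)]

if __name__ == "__main__":
    obj = "arn:aws:s3:::zeppelin-tes/notebook/example.zpln"  # constructed key
    print(denying_sids(POLICY, ROLE, "s3:DeleteObject", obj))  # prints []
```

An empty list means none of these Deny statements applies to the request. Since the posted policy contains only Deny statements, the Allow for the delete has to come from another policy, such as the one attached to the role.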