https://community.databricks.com/t5/get-started-discussions/s3-limited-bucket-permissions/m-p/120490#M10118 <P>Thanks, but no thanks, spam resides in JUNK folder</P> Thu, 29 May 2025 06:33:15 GMT arnas 2025-05-29T06:33:15Z https://community.databricks.com/t5/get-started-discussions/s3-limited-bucket-permissions/m-p/119926#M10062 <P>Hi,</P><P>can I run Databricks on limited/restricted S3 bucket folder, no access to bucket root level as it is restricted per project folder in IAM?<BR /><BR />i.e s3://mybucket/myproject_abc/<BR /><BR />Now I configured all permissions as per documentation<BR /><A href="https://docs.databricks.com/aws/en/connect/unity-catalog/cloud-storage/storage-credentials" target="_blank">https://docs.databricks.com/aws/en/connect/unity-catalog/cloud-storage/storage-credentials</A><BR /><BR /></P><TABLE border="1" width="100%"><TBODY><TR><TD width="100%">"Condition": {<BR />"StringLike": {<BR />"s3:prefix": "myproject_abc/*"<BR />}<BR />},<BR />"Effect": "Allow",<BR />"Resource": [<BR />"arn:aws:s3:::mybucket/myproject_abc/*",<BR />"arn:aws:s3:::mybucket"<BR />],<BR />"Sid": "AllowS3ActionsForProjectABC"<BR />}</TD></TR></TBODY></TABLE> Thu, 22 May 2025 05:37:39 GMT https://community.databricks.com/t5/get-started-discussions/s3-limited-bucket-permissions/m-p/119926#M10062 arnas 2025-05-22T05:37:39Z https://community.databricks.com/t5/get-started-discussions/s3-limited-bucket-permissions/m-p/119985#M10066 <P>Hi&nbsp;<a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/165470">@arnas</a>&nbsp;</P><P>Yes, you can give Databricks access to just the S3 folder s3://mybucket/myproject_abc/ without exposing the whole bucket.</P><P>IAM Policy should include:</P><UL><LI>Bucket level: Allow s3:ListBucket on arn:aws:s3:::mybucket with a condition for the myproject_abc/ prefix.</LI><LI>Object level: Allow s3:GetObject, s3:PutObject, and s3:DeleteObject on arn:aws:s3:::mybucket/myproject_abc/*.</LI></UL> Thu, 22 May 2025 15:58:09 GMT https://community.databricks.com/t5/get-started-discussions/s3-limited-bucket-permissions/m-p/119985#M10066 SP_6721 2025-05-22T15:58:09Z https://community.databricks.com/t5/get-started-discussions/s3-limited-bucket-permissions/m-p/120429#M10112 <DIV><DIV><SPAN>aws cli works to list the folder, and I am able to download files from inside the folder</SPAN><SPAN><BR />aws s3 ls<BR />aws s3 cp<BR /><BR />here is my policy, anything I am missing ?<BR /><BR />{</SPAN></DIV><DIV><SPAN>"Version"</SPAN><SPAN>: </SPAN><SPAN>"2012-10-17"</SPAN><SPAN>,</SPAN></DIV><DIV><SPAN>"Statement"</SPAN><SPAN>: [</SPAN></DIV><DIV><SPAN>{</SPAN></DIV><DIV><SPAN>"Sid"</SPAN><SPAN>: </SPAN><SPAN>"AllowObjectActionsInCustomerPrefix"</SPAN><SPAN>,</SPAN></DIV><DIV><SPAN>"Effect"</SPAN><SPAN>: </SPAN><SPAN>"Allow"</SPAN><SPAN>,</SPAN></DIV><DIV><SPAN>"Action"</SPAN><SPAN>: [</SPAN></DIV><DIV><SPAN>"s3:GetObject"</SPAN><SPAN>,</SPAN></DIV><DIV><SPAN>"s3:PutObject"</SPAN><SPAN>,</SPAN></DIV><DIV><SPAN>"s3:DeleteObject"</SPAN><SPAN>,</SPAN></DIV><DIV><SPAN>"s3:AbortMultipartUpload"</SPAN><SPAN>,</SPAN></DIV><DIV><SPAN>"s3:ListMultipartUploadParts"</SPAN></DIV><DIV><SPAN>],</SPAN></DIV><DIV><SPAN>"Resource"</SPAN><SPAN>: </SPAN><SPAN>"arn:aws:s3:::mybucket/folder/*"</SPAN></DIV><DIV><SPAN>},</SPAN></DIV><DIV><SPAN>{</SPAN></DIV><DIV><SPAN>"Sid"</SPAN><SPAN>: </SPAN><SPAN>"AllowListBucketInCustomerPrefix"</SPAN><SPAN>,</SPAN></DIV><DIV><SPAN>"Effect"</SPAN><SPAN>: </SPAN><SPAN>"Allow"</SPAN><SPAN>,</SPAN></DIV><DIV><SPAN>"Action"</SPAN><SPAN>: [</SPAN></DIV><DIV><SPAN>"s3:ListBucket"</SPAN><SPAN>,</SPAN></DIV><DIV><SPAN>"s3:GetBucketLocation"</SPAN><SPAN>,</SPAN></DIV><DIV><SPAN>"s3:ListBucketMultipartUploads"</SPAN></DIV><DIV><SPAN>],</SPAN></DIV><DIV><SPAN>"Resource"</SPAN><SPAN>: </SPAN><SPAN>"arn:aws:s3:::mybucket"</SPAN><SPAN>,</SPAN></DIV><DIV><SPAN>"Condition"</SPAN><SPAN>: {</SPAN></DIV><DIV><SPAN>"StringLike"</SPAN><SPAN>: {</SPAN></DIV><DIV><SPAN>"s3:prefix"</SPAN><SPAN>: </SPAN><SPAN>"folder/*"</SPAN></DIV><DIV><SPAN>}</SPAN></DIV><DIV><SPAN>}</SPAN></DIV><DIV><SPAN>},</SPAN></DIV><DIV><SPAN>{</SPAN></DIV><DIV><SPAN>"Sid"</SPAN><SPAN>: </SPAN><SPAN>"AllowAssumeRole"</SPAN><SPAN>,</SPAN></DIV><DIV><SPAN>"Effect"</SPAN><SPAN>: </SPAN><SPAN>"Allow"</SPAN><SPAN>,</SPAN></DIV><DIV><SPAN>"Action"</SPAN><SPAN>: </SPAN><SPAN>"sts:AssumeRole"</SPAN><SPAN>,</SPAN></DIV><DIV><SPAN>"Resource"</SPAN><SPAN>: </SPAN><SPAN>"arn:aws:iam::MYACCOUNTID:role/mycustomer-databricks-access"</SPAN></DIV><DIV><SPAN>}</SPAN></DIV><DIV><SPAN>]</SPAN></DIV><DIV><SPAN>}<BR /><BR /></SPAN></DIV></DIV> Wed, 28 May 2025 13:56:14 GMT https://community.databricks.com/t5/get-started-discussions/s3-limited-bucket-permissions/m-p/120429#M10112 arnas 2025-05-28T13:56:14Z https://community.databricks.com/t5/get-started-discussions/s3-limited-bucket-permissions/m-p/120490#M10118 <P>Thanks, but no thanks, spam resides in JUNK folder</P> Thu, 29 May 2025 06:33:15 GMT https://community.databricks.com/t5/get-started-discussions/s3-limited-bucket-permissions/m-p/120490#M10118 arnas 2025-05-29T06:33:15Z