Object Storage Access Policy
For JuiceFS, actual file data is uploaded to user-owned object storage, so the JuiceFS Client requires object storage credentials (`accesskey` and `secretkey`) for bucket access. Access policies for common cloud services are listed here.
Configuration
Common steps to configure object storage access for JuiceFS:
- Create access policy for target object storage bucket.
- Attach policy to principals (user, role or service).
- Get access credentials (see How to Retrieve Access Key and Secret Key From Your Object Storage Provider).
- Authenticate and mount JuiceFS with the credentials (see Mount a filesystem).
Access Policy
For regular read and write operations, JuiceFS requires only a few basic permissions: `GetObject`, `PutObject`, `DeleteObject` and `HeadObject`. It is recommended to restrict the resource scope to the specific bucket (default name format `juicefs-<VOL_NAME>`) and prefix (the same as the file system name).
Here are example access policies for various cloud providers:
Amazon S3
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:HeadObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::juicefs-example/example/*"
      ]
    }
  ]
}
```
Alibaba Cloud OSS
```json
{
  "Statement": [
    {
      "Action": [
        "oss:DeleteObject",
        "oss:GetObject",
        "oss:HeadObject",
        "oss:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:oss:*:*:juicefs-example/example/*"
      ]
    }
  ],
  "Version": "1"
}
```
Tencent Cloud COS
```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cos:DeleteObject",
        "cos:GetObject",
        "cos:HeadObject",
        "cos:PutObject"
      ],
      "Resource": [
        "qcs::cos:ap-guangzhou:uid/1250000000:juicefs-example-1250000000/example/*"
      ]
    }
  ],
  "Version": "2.0"
}
```
Additional Remarks
- Even if mounted in read-only mode, the JuiceFS Client still needs the full set of permissions listed above, because the client asynchronously executes background jobs such as compaction or replication synchronization. To disable background jobs for clients, see Client Access Control.
- The JuiceFS Client will try to create the bucket on first mount, so the `CreateBucket` permission is required if the bucket doesn't exist. `ListObjects` is required for importing and replication.
- Older versions of the JuiceFS Client (<= 4.4.4) require permissions on the prefix `testing/*` for a self-check during mount.
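The following added example (not part of the JuiceFS documentation or code base) audits a policy document in the S3/OSS/COS statement format against the permission set described in the Access Policy section and the remarks above: it reports required actions that are missing, statements whose action or resource is broader than the volume's bucket and prefix, and which optional actions (`CreateBucket`, `ListObjects`) are granted. The function names and the `-<APPID>` bucket-suffix tolerance for COS are assumptions of this example.

```python
import json

# Minimum object permissions JuiceFS needs for regular reads and writes.
REQUIRED = {"DeleteObject", "GetObject", "HeadObject", "PutObject"}
# Extra permissions the documentation mentions for specific situations only.
OPTIONAL = {"CreateBucket", "ListObjects"}


def scoped_to_volume(resource: str, vol_name: str, bucket: str) -> bool:
    """True if an S3/OSS/COS resource string is limited to <bucket>/<vol_name>/*.

    The bucket is the last ':'-separated segment before the key path. COS
    appends '-<APPID>' to bucket names, which is tolerated here (assumption).
    """
    tail = f"/{vol_name}/*"
    if not resource.endswith(tail):
        return False
    bucket_seg = resource[: -len(tail)].rsplit(":", 1)[-1]
    return bucket_seg == bucket or bucket_seg.startswith(bucket + "-")


def audit_policy(policy, vol_name: str, bucket: str = "") -> dict:
    """Report missing required actions and grants broader than the volume.

    policy: dict or JSON string in the S3/OSS/COS statement format.
    Returns {"missing": [...], "over_broad": [...], "optional": [...]}.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    bucket = bucket or f"juicefs-{vol_name}"  # default bucket name format
    granted, over_broad = set(), []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            name = action.split(":", 1)[-1]  # strip the s3:/oss:/cos: prefix
            if name == "*":
                over_broad.append(action)  # wildcard action grants far too much
                granted |= REQUIRED | OPTIONAL
            else:
                granted.add(name)
        # Any resource not pinned to the volume's bucket and prefix is over-broad.
        over_broad += [r for r in resources if not scoped_to_volume(r, vol_name, bucket)]
    return {"missing": sorted(REQUIRED - granted),
            "over_broad": over_broad,
            "optional": sorted(granted & OPTIONAL)}
```

Run it over the three example policies on this page with `vol_name="example"` and each returns no missing and no over-broad entries; a policy granting `s3:*` on `arn:aws:s3:::*` is flagged on both counts.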