
Object Storage Access Policy

JuiceFS stores data in object storage owned by the user. Access to it normally requires credentials, which are configured in the JuiceFS client as accesskey and secretkey.

Configuration

Common steps to configure object storage access for JuiceFS are listed below:

  1. Create an access policy for the target object storage bucket.
  2. Attach the policy to principals (user, role or service).
  3. Get access credentials (see How to Retrieve Access Key and Secret Key From Your Object Storage Provider).
  4. Authenticate and mount JuiceFS with the credentials (see Mount a filesystem).

Access Policy

For regular read and write operations, JuiceFS requires only a few basic permissions: GetObject, PutObject, DeleteObject and HeadObject. It is recommended to restrict the resource scope to the specified bucket (default format juicefs-<fsname>) and prefix (the same as the file system name).

Here are example access policies for various cloud providers:

Amazon S3

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:HeadObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::juicefs-example/example/*"
      ]
    }
  ]
}

Alibaba Cloud OSS

{
  "Statement": [
    {
      "Action": [
        "oss:DeleteObject",
        "oss:GetObject",
        "oss:HeadObject",
        "oss:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:oss:*:*:juicefs-example/example/*"
      ]
    }
  ],
  "Version": "1"
}

Tencent Cloud COS

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cos:DeleteObject",
        "cos:GetObject",
        "cos:HeadObject",
        "cos:PutObject"
      ],
      "Resource": [
        "qcs::cos:ap-guangzhou:uid/1250000000:juicefs-example-1250000000/example/*"
      ]
    }
  ],
  "Version": "2.0"
}

Additional Remarks

  1. The JuiceFS client must be allowed all four actions, which are needed for background activities such as defragmentation.
  2. The JuiceFS client will try to create the bucket on first mount; the CreateBucket permission is required if the bucket has not been created in advance.
  3. ListObjects is required for importing and replication.
  4. Some old versions of the JuiceFS client (<= 4.4.4) require permissions on the prefix testing/* for a self test during mount.
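The following is an added example, not part of the JuiceFS documentation or code: a small Python check that audits a policy document against the recommendations above (all four basic actions present, nothing broader, resources scoped to the bucket and prefix). The function name `audit_policy` and the over-broad sample policy are constructed for illustration; actions from the remarks (CreateBucket, ListObjects) are reported as extras so they can be reviewed and justified.

```python
import json
from fnmatch import fnmatchcase

# The four actions the page lists for regular reads and writes.
REQUIRED = {"DeleteObject", "GetObject", "HeadObject", "PutObject"}

def as_list(value):
    # Policy fields may hold a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def audit_policy(policy, bucket, prefix):
    """Return findings; an empty list means the policy matches the page's advice."""
    expected = f"{bucket}/{prefix}/*"
    findings, granted = [], set()
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            name = action.split(":", 1)[-1]  # drop "s3:", "oss:" or "cos:"
            # A wildcard still grants the required actions it matches.
            granted |= {r for r in REQUIRED if fnmatchcase(r, name)}
            if name not in REQUIRED:
                findings.append(f"extra or wildcard action: {action}")
        for resource in as_list(stmt.get("Resource", [])):
            # In all three example formats the bucket path follows the last colon.
            path = resource.rsplit(":", 1)[-1]
            if path != expected:
                findings.append(f"resource not scoped to {expected}: {resource}")
    for name in sorted(REQUIRED - granted):
        findings.append(f"missing required action: {name}")
    return findings

# The Amazon S3 policy from this page.
PAGE_S3 = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Action": ["s3:DeleteObject", "s3:GetObject", "s3:HeadObject", "s3:PutObject"],
  "Effect": "Allow",
  "Resource": ["arn:aws:s3:::juicefs-example/example/*"]}]}""")

# Constructed over-broad policy, for contrast.
BROAD_S3 = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Action": "s3:*", "Effect": "Allow", "Resource": "arn:aws:s3:::*"}]}""")

if __name__ == "__main__":
    print(audit_policy(PAGE_S3, "juicefs-example", "example"))
    for finding in audit_policy(BROAD_S3, "juicefs-example", "example"):
        print(finding)
```

The same function accepts the OSS and COS policies shown above, since it ignores the service prefix on actions and compares only the bucket path of each resource.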