Object Storage Access Policy

For JuiceFS, the actual file data is uploaded to object storage owned by the user. The JuiceFS Client therefore requires object storage credentials (access key and secret key) to access the bucket. Access policies for common cloud services are listed here.

Configuration

Common steps to configure object storage access for JuiceFS:

  1. Create an access policy for the target object storage bucket.
  2. Attach the policy to the principals (user, role or service) that will mount the file system.
  3. Get access credentials (see How to Retrieve Access Key and Secret Key From Your Object Storage Provider).
  4. Authenticate and mount JuiceFS with the credentials (see Mount a filesystem).

Access Policy

For regular read and write operations, JuiceFS requires only a few basic permissions: GetObject, PutObject, DeleteObject and HeadObject. It is recommended to restrict the resource scope to the specific bucket (default name format juicefs-<VOL_NAME>) and prefix (the same as the file system name), rather than granting access to all buckets.

Here are example access policies for various cloud providers:

Amazon S3

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:HeadObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::juicefs-example/example/*"
      ]
    }
  ]
}

Alibaba Cloud OSS

{
  "Statement": [
    {
      "Action": [
        "oss:DeleteObject",
        "oss:GetObject",
        "oss:HeadObject",
        "oss:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:oss:*:*:juicefs-example/example/*"
      ]
    }
  ],
  "Version": "1"
}

Tencent Cloud COS

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cos:DeleteObject",
        "cos:GetObject",
        "cos:HeadObject",
        "cos:PutObject"
      ],
      "Resource": [
        "qcs::cos:ap-guangzhou:uid/1250000000:juicefs-example-1250000000/example/*"
      ]
    }
  ],
  "Version": "2.0"
}

Additional Remarks

  1. Even when mounted in read-only mode, the JuiceFS Client still needs the full set of permissions listed above, because the client asynchronously executes background jobs such as compaction and replication synchronization. To disable background jobs for specific clients, see Client Access Control.
  2. The JuiceFS Client will try to create the bucket on first mount, so the CreateBucket permission is required if the bucket does not exist yet.
  3. ListObjects is required for importing and for replication.
  4. Older versions of the JuiceFS Client (<= 4.4.4) require permissions on the prefix testing/* for the self-check performed during mount.
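The following policy linter is an added example, not part of JuiceFS or its documentation; it encodes the minimal actions from the Access Policy section and the situational actions from the remarks above, and checks that every resource is scoped to the volume's bucket and prefix. The function name check_policy and the sample policies are constructed for this example.

```python
import json

# Actions this page lists as the minimum for regular read/write operation.
REQUIRED_ACTIONS = {"GetObject", "PutObject", "DeleteObject", "HeadObject"}
# Situational actions from the remarks (bucket creation, import/replication).
OPTIONAL_ACTIONS = {"CreateBucket", "ListObjects"}


def check_policy(policy_json, bucket, prefix):
    """Return a list of findings for a policy meant for one JuiceFS volume.

    An empty list means the policy grants only the recommended actions and every
    resource is scoped to <bucket>/<prefix>/*. Service prefixes such as s3:, oss:
    and cos: are stripped so the same check applies to all three providers above.
    """
    policy = json.loads(policy_json)
    scope = "%s/%s/*" % (bucket, prefix)
    findings, granted = [], set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            name = action.split(":", 1)[-1]
            if name == "*":  # e.g. "s3:*" covers everything, far beyond what JuiceFS needs
                findings.append("wildcard action %r grants far more than JuiceFS needs" % action)
                granted |= REQUIRED_ACTIONS
            else:
                granted.add(name)
        for res in resources:
            if res == "*" or not res.endswith(scope):
                findings.append("resource %r is not scoped to %s" % (res, scope))
    missing = REQUIRED_ACTIONS - granted
    if missing:
        findings.append("missing required actions: " + ", ".join(sorted(missing)))
    for extra in sorted(granted - REQUIRED_ACTIONS - OPTIONAL_ACTIONS):
        findings.append("action %r is not needed for regular JuiceFS operation" % extra)
    return findings


# Constructed samples: the S3 policy from this page, and an over-broad variant.
S3_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["s3:DeleteObject", "s3:GetObject", "s3:HeadObject", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::juicefs-example/example/*"]}]})
LOOSE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "s3:*", "Resource": "*"}]})
```

Running check_policy on the page's S3 policy yields no findings, while the over-broad variant is reported for both its wildcard action and its unscoped resource.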