Question about Tigris bucket access and IAM policies

Hi Tigris community,

I have a question regarding IAM policies.

I currently have an access key that allows me to edit a specific bucket, and I can interact with all resources in that bucket.

Now, if I attach a policy that allows interaction only with a specific path within the bucket, does this policy stack with the existing permissions (and is therefore mostly redundant), or does the policy take precedence?

If the policy takes precedence, then is access to everything allowed by default?

I’m trying to understand the exact behavior so I can safely design workflows with minimal permissions.

Thanks!

Hello @nichtsam,

If the buckets<>role grants access to the operation, it will be allowed. If this remains indecisive or denied, it will go to IAM policy evaluation.

We generally see users using either of these mechanisms to form the access for their keys. I will update the documents on our side to cover this.

Thanks!
Jigar

So just to confirm: if I want an access key that only has edit access to a certain path in a bucket, I don’t need to assign bucket roles at all, and should rely only on an IAM policy for that restriction, right?

Right.

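The evaluation order described in the answer above, as an added example that is not part of the original thread and is not Tigris's own code. It is a simplified Python model: the role names and their action sets, the bucket name `media`, the sample keys, and the AWS-style statement matching are all assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Assumed role names and the actions each grants on a bucket (illustrative only).
ROLE_ACTIONS = {
    "Editor": {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"},
    "ReadOnly": {"s3:GetObject", "s3:ListBucket"},
}

def policy_allows(statements, action, resource):
    """Assumed AWS-style matching: explicit Deny wins, else any Allow, else deny."""
    allowed = False
    for s in statements:
        hit = (any(fnmatchcase(action, a) for a in s["Action"])
               and any(fnmatchcase(resource, r) for r in s["Resource"]))
        if hit and s["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed

def is_allowed(key, action, bucket, obj):
    # Stage 1: a bucket role that grants the operation allows it outright.
    role = key["bucket_roles"].get(bucket)
    if role and action in ROLE_ACTIONS[role]:
        return True
    # Stage 2: reached only when the role stage did not grant the operation.
    return policy_allows(key["policies"], action, f"arn:aws:s3:::{bucket}/{obj}")

# Constructed policy: access limited to the uploads/ prefix of bucket "media".
UPLOADS_ONLY = [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::media/uploads/*"],
}]

# Constructed keys covering the cases discussed in the thread.
EDITOR_PLUS_POLICY = {"bucket_roles": {"media": "Editor"}, "policies": UPLOADS_ONLY}
READONLY_PLUS_POLICY = {"bucket_roles": {"media": "ReadOnly"}, "policies": UPLOADS_ONLY}
POLICY_ONLY = {"bucket_roles": {}, "policies": UPLOADS_ONLY}

if __name__ == "__main__":
    for name, key in [("editor+policy", EDITOR_PLUS_POLICY),
                      ("readonly+policy", READONLY_PLUS_POLICY),
                      ("policy only", POLICY_ONLY)]:
        for obj in ("uploads/a.png", "private/b.txt"):
            print(name, obj, "PutObject ->", is_allowed(key, "s3:PutObject", "media", obj))
```

In this model the key that keeps an Editor role can still write outside `uploads/`, while the policy-only key cannot, which matches the conclusion confirmed at the end of the thread.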