by awithrow
1056 days ago
Keep in mind that S3 predates IAM by several years. So part of the reason that access to buckets/keys is special is because it was already in place by the time IAM came around. It's likely persisted since then largely because removing the old model would be a difficult task without potentially breaking a lot of customers' setups.
I heard that AA is done via ASICs, but resource-level permissions implies that authorization is done at the local level for S3. To me that implies that the system extracts S3 permissions from IAM and sends them downstream to S3, where they get merged with the stuff that S3 manages.
I guess that occurs when permissions are saved in the IAM world. At some point those need to be joined against a principal somewhere, as roles can exist without assignment.
Again, it'd be so interesting to see how this is done IRL.