Controlling access to AIStor Tables

AIStor Tables uses standard AIStor policy-based access control (PBAC) to define authorized actions on warehouses, namespaces, and tables. For more information about PBAC in AIStor, see Access Control with Policy Management.

Resource reference

ARN patterns

AIStor Tables uses ARN patterns to identify resources in policies:

| ARN pattern | Scope |
|---|---|
| arn:aws:s3tables:::bucket/{warehouse} | Specific warehouse |
| arn:aws:s3tables:::bucket/* | All warehouses |
| arn:aws:s3tables:::bucket/{warehouse}/table/{uuid} | Specific table in a warehouse |
| arn:aws:s3tables:::bucket/{warehouse}/table/* | All tables in a warehouse |
| arn:aws:s3tables:::bucket/{warehouse}/view/{uuid} | Specific view |

Condition keys

Condition keys provide additional context for policy evaluation:

| Key | Description |
|---|---|
| s3tables:namespace | Filter by namespace name. |
| s3tables:tableName | Filter by table name. |
| s3tables:viewName | Filter by view name. |

You can use standard condition operators such as StringEquals, StringLike, or StringNotEquals.

If you anticipate that a table or view name may change in the future, you may also reference the resource by its resource UUID in the ARN instead of by the condition key. This ensures the policy is always applied to the correct resource even if its name changes.

Actions

Actions control access to specific API operations.

Warehouse actions:

# s3tables:CreateWarehouse action
  • POST: Create a new warehouse.
# s3tables:DeleteWarehouse action
  • DELETE: Delete a warehouse.
# s3tables:GetWarehouse action
  • GET: Get warehouse details.
# s3tables:ListWarehouses action
  • GET: List all warehouses.

Namespace actions:

# s3tables:CreateNamespace action
  • POST: Create a new namespace.
# s3tables:DeleteNamespace action
  • DELETE: Delete a namespace.
# s3tables:GetNamespace action
  • GET: Get namespace details.
  • HEAD: Check if namespace exists.
# s3tables:ListNamespaces action
  • GET: List namespaces in a warehouse.
# s3tables:UpdateNamespaceProperties action
  • POST: Update namespace properties.

Table actions:

# s3tables:CreateTable action
  • POST: Create a new table.
  • POST: Register an existing table.
# s3tables:DeleteTable action
  • DELETE: Delete a table.
# s3tables:GetTable action
  • GET: Get table metadata.
  • HEAD: Check if table exists.
# s3tables:ListTables action
  • GET: List tables in a namespace.
# s3tables:RenameTable action
  • POST: Rename a table.
# s3tables:UpdateTable action
  • POST: Commit table updates (Iceberg commits) with /{warehouse}/namespaces/{namespace}/tables/{table}.
  • POST: Commit multi-table transaction with /{warehouse}/transactions/commit.

View actions:

# s3tables:CreateView action
  • POST: Create a new view.
# s3tables:DeleteView action
  • DELETE: Delete a view.
# s3tables:GetView action
  • GET: Get view metadata.
  • HEAD: Check if view exists.
# s3tables:ListViews action
  • GET: List views in a namespace.
# s3tables:RenameView action
  • GET: Rename a view.
# s3tables:UpdateView action
  • POST: Commit view updates.

Catalog actions:

# s3tables:GetConfig action
  • GET: Get catalog configuration.

Wildcard action

The wildcard action allows specifying all actions without listing each individually.

# s3tables:* action
  • Wildcard for all AIStor Table actions.

Policy examples

These examples demonstrate common access control patterns for AIStor Tables.

Read-only access

Grants read-only access to a warehouse and its tables, allowing users to query table metadata and schemas without making modifications.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3tables:GetWarehouse",
        "s3tables:ListNamespaces",
        "s3tables:GetNamespace",
        "s3tables:ListTables",
        "s3tables:GetTable",
        "s3tables:GetTableData"
      ],
      "Resource": [
        "arn:aws:s3tables:::bucket/analytics",
        "arn:aws:s3tables:::bucket/analytics/table/*"
      ]
    }
  ]
}

Permissions granted:

  • View warehouse metadata.
  • List and view namespaces.
  • List and view table schemas.
  • Read table metadata and snapshots.

Read-write access

Grants full read-write access to a warehouse, allowing users to create, modify, and delete namespaces and tables.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3tables:GetWarehouse",
        "s3tables:ListNamespaces",
        "s3tables:CreateNamespace",
        "s3tables:GetNamespace",
        "s3tables:DeleteNamespace",
        "s3tables:ListTables",
        "s3tables:CreateTable",
        "s3tables:GetTable",
        "s3tables:GetTableData",
        "s3tables:PutTableData",
        "s3tables:UpdateTable",
        "s3tables:DeleteTable",
        "s3tables:RenameTable"
      ],
      "Resource": [
        "arn:aws:s3tables:::bucket/analytics",
        "arn:aws:s3tables:::bucket/analytics/table/*"
      ]
    }
  ]
}

Permissions granted:

  • All read-only permissions.
  • Create, update, and delete namespaces.
  • Create, update, delete, and rename tables.
  • Commit data changes to tables.

Namespace isolation

Restricts access to a single namespace within a warehouse, enabling multi-tenant scenarios where different teams share one warehouse.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3tables:*"
      ],
      "Resource": [
        "arn:aws:s3tables:::bucket/analytics",
        "arn:aws:s3tables:::bucket/analytics/table/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3tables:namespace": "sales"
        }
      }
    }
  ]
}

Permissions granted:

  • Full access to only the sales namespace.
  • Create, read, update, and delete tables in the sales namespace.

Table data access (S3)

Grants S3 API access to read and write table data files in addition to catalog metadata operations. AIStor Tables stores both catalog metadata and table data in S3-compatible storage, so separate S3 permissions are required.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::analytics/*",
        "arn:aws:s3:::analytics"
      ]
    }
  ]
}

Permissions granted:

  • Read objects (data files, metadata files).
  • Write new objects (data files, manifests).
  • Delete objects (for table maintenance).
  • List bucket contents.

Important considerations:

  • This policy is distinct from AIStor Tables catalog permissions.
  • Applications typically need both S3 permissions for data and s3tables: permissions for catalog operations.
  • The bucket name in the S3 ARN should match the warehouse name.
  • Data file paths follow the pattern: s3://{warehouse}/{namespace}/{table}/data/.
  • Metadata file paths follow: s3://{warehouse}/.aistor-tables/{namespace}/{table}/metadata/.

Combine policies

Most applications require both catalog and data permissions. You can combine multiple policy statements to provide the desired permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CatalogOperations",
      "Effect": "Allow",
      "Action": [
        "s3tables:GetWarehouse",
        "s3tables:ListNamespaces",
        "s3tables:GetNamespace",
        "s3tables:ListTables",
        "s3tables:GetTable",
        "s3tables:UpdateTable"
      ],
      "Resource": [
        "arn:aws:s3tables:::bucket/analytics",
        "arn:aws:s3tables:::bucket/analytics/table/*"
      ]
    },
    {
      "Sid": "DataPlaneAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::analytics/*",
        "arn:aws:s3:::analytics"
      ]
    }
  ]
}

This combined policy allows the following actions:

  • Read table metadata and schemas from the catalog.
  • Commit new snapshots after writes.
  • Read and write data files in S3 storage.
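A namespace-isolation policy like the one above only isolates the catalog side: if the accompanying S3 statement still grants the whole warehouse bucket, a tenant can read other namespaces' data files directly. The path patterns listed under Important considerations make this checkable. The following Python check is an added example, not part of the AIStor documentation or product; it derives the warehouses and namespaces a policy's s3tables statements are limited to and reports S3 object resources that reach outside the corresponding {namespace}/ and .aistor-tables/{namespace}/ prefixes. The sample policy is constructed for the example, and the script assumes list-valued Action and Resource fields.

```python
import re

# Constructed sample (not from the AIStor docs): a tenant policy meant to confine a
# team to namespace "sales" of warehouse "analytics"; its S3 grant is too wide.
TENANT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Catalog", "Effect": "Allow", "Action": ["s3tables:*"],
     "Resource": ["arn:aws:s3tables:::bucket/analytics",
                  "arn:aws:s3tables:::bucket/analytics/table/*"],
     "Condition": {"StringEquals": {"s3tables:namespace": "sales"}}},
    {"Sid": "Data", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::analytics/*", "arn:aws:s3:::analytics"]}]}

TABLES_ARN = re.compile(r"^arn:aws:s3tables:::bucket/([^/*]+)")
S3_OBJECT_ARN = re.compile(r"^arn:aws:s3:::([^/]+)/(.+)$")


def namespace_scope(policy):
    """warehouse -> namespaces its catalog statements are limited to (None = unrestricted)."""
    scope = {}
    for st in policy["Statement"]:
        if not any(a.startswith("s3tables:") for a in st["Action"]):
            continue
        ns = st.get("Condition", {}).get("StringEquals", {}).get("s3tables:namespace")
        for wh in (m.group(1) for m in map(TABLES_ARN.match, st["Resource"]) if m):
            if ns is None or scope.get(wh, set()) is None:
                scope[wh] = None  # some statement on this warehouse has no namespace condition
            else:
                scope.setdefault(wh, set()).update([ns] if isinstance(ns, str) else ns)
    return scope


def data_plane_findings(policy):
    """S3 object resources wider than the documented prefixes {ns}/ (data files) and
    .aistor-tables/{ns}/ (metadata files) of the namespaces the catalog grant allows."""
    scope, findings = namespace_scope(policy), []
    for st in policy["Statement"]:
        if not any(a.startswith("s3:") for a in st["Action"]):
            continue
        for res in st["Resource"]:
            m = S3_OBJECT_ARN.match(res)
            if not m:
                continue  # bucket-level ARN (ListBucket): key scoping is not checked here
            bucket, key = m.groups()
            if bucket not in scope:
                findings.append(f"{res}: bucket does not match any warehouse in the policy")
            elif scope[bucket] is not None:
                ok = [f"{ns}/" for ns in scope[bucket]] + [f".aistor-tables/{ns}/" for ns in scope[bucket]]
                if not any(key.startswith(p) for p in ok):
                    findings.append(f"{res}: key pattern escapes namespaces {sorted(scope[bucket])}")
    return findings
```

For the sample policy the check reports arn:aws:s3:::analytics/*; narrowing the Data statement to arn:aws:s3:::analytics/sales/* and arn:aws:s3:::analytics/.aistor-tables/sales/* clears the finding.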