Dear Renkuers,
I am really confused with the configuration of s3 buckets in Renku v2 projects. This is what I would like to have:
- I am the one who owns the buckets, and have added it using my own Access_key_id and Secret_access_key
- The project is Private.
- But I want everyone added to the project to have read&write rights to the bucket when using it from a Renku session.
Currently, my project is configured as:
- Visibility: Private
- Data connector: visibility private
- Access mode: allow read-write
I am pretty sure this was working before. But now, when another user is accessing it, at the time of creating the Session, it asks for the `access_key_id` and `secret_access_key`.
Do I have to grant access to the bucket to all users also in AWS such that they can create their own access keys? How can I do this more easily?
Thank you very very much 
Hi @lusamino - yes, the credentials are saved per user and not distributed with the data connector. So you need to hand your collaborators the access key / secret access key. If possible, I would recommend that you create a separate one for them so you can easily revoke it if needed.
Great!!! All clear then! Just out of curiosity, was it always like this? Thank you!!!
yes, it has been like this from the start 
What I have done on AWS is to create an IAM user and give it read-write access to the S3 bucket. It’s probably sufficient to have just one IAM user that is used by all collaborators, but you could create more than one if that seems necessary.
Wonderful! Yes, this sounds like the best option. I will just share the keys from this IAM user with all collabs, and that is it.
Thank you!
To fill in a few details. I do the following:
Create an IAM user group
For the data connector, I create a user group using the naming pattern [data-connector-name]-writers, e.g., my-awesome-data-writers. (In this case, it sounds like you don’t, but in general, you may also have a group for readers.)
This group has the following policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3ReadWrite",
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:PutObject",
        "s3:Describe*",
        "s3:List*",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::[bucket-name]",
        "arn:aws:s3:::[bucket-name]/*"
      ]
    }
  ]
}
```
(Replace [bucket-name] with the name of your bucket.)
Create user(s)
Then create a user, associating it with the user group above when you make it. You can repeat this step if you want multiple users.
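
The group, policy and user steps above, scripted with the AWS CLI as an added example (not code from this thread or from Renku). It assumes the policy is attached as an inline group policy named `AllowS3ReadWrite`; the connector, bucket and user names are placeholders. It goes one step further than the post by issuing an access key per collaborator and deactivating one, as suggested earlier in the thread.

```bash
#!/usr/bin/env bash
# Added example. Function names and the inline-policy name are assumptions.
# Set AWS=echo to print the AWS CLI commands instead of running them.
AWS="${AWS:-aws}"

# Print the read-write policy from the post for one bucket ($1).
# Rejects names with characters outside a-z, 0-9, "." and "-" so the
# generated JSON cannot be broken by the argument.
render_policy() {
  case "$1" in
    ""|*[!a-z0-9.-]*) echo "invalid bucket name: $1" >&2; return 1 ;;
  esac
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowS3ReadWrite",
    "Effect": "Allow",
    "Action": ["s3:Get*", "s3:PutObject", "s3:Describe*", "s3:List*",
               "s3:DeleteObject", "s3:AbortMultipartUpload"],
    "Resource": ["arn:aws:s3:::$1", "arn:aws:s3:::$1/*"]
  }]
}
EOF
}

# Create the [data-connector-name]-writers group and attach the policy.
# $1 = data connector name, $2 = bucket name
create_writers_group() {
  policy=$(render_policy "$2") || return 1
  $AWS iam create-group --group-name "$1-writers" &&
  $AWS iam put-group-policy --group-name "$1-writers" \
       --policy-name AllowS3ReadWrite --policy-document "$policy"
}

# Create one IAM user per collaborator, put it in the group, issue a key.
# create-access-key shows the secret only once; pass it on out of band.
# $1 = data connector name, $2 = IAM user name
add_collaborator() {
  $AWS iam create-user --user-name "$2" &&
  $AWS iam add-user-to-group --group-name "$1-writers" --user-name "$2" &&
  $AWS iam create-access-key --user-name "$2"
}

# Deactivate a collaborator's key without touching anyone else's.
# $1 = IAM user name, $2 = access key id
revoke_key() {
  $AWS iam update-access-key --user-name "$1" --access-key-id "$2" --status Inactive
}
```

For example, `create_writers_group my-awesome-data my-bucket` followed by `add_collaborator my-awesome-data alice` sets up one collaborator; the key pair printed by the last command is what that person enters when Renku prompts for credentials.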