Configuring required permissions for data extract storage

This guide explains which permissions are required for different data extract storage options.

For more information, see Setting up storage for data extracts.

Required permissions for data extract storage

You need to configure a set of permissions to use each of the storage options.

Amazon S3 storage permissions

The following permissions are required:

  • s3:DeleteObject - to remove data extracts

  • s3:GetObject - to retrieve data extracts

  • s3:PutObject - to create and update data extracts

  • s3:ListBucket - to list available data extracts

For an example of a full AWS policy, see Advanced AWS policy configuration.
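The four actions above do not all apply to the same resource: s3:ListBucket is evaluated against the bucket ARN, while the three object actions are evaluated against object ARNs (bucket/*). The following checker is an added example, not part of the original guide or any vendor tooling; it audits a policy document for missing and over-broad grants. The bucket name example-extracts, the sample policies and all function names are constructed for illustration, and the checker reads only the Action and Resource of Allow statements (Deny, NotAction, NotResource and Condition are not evaluated).

```python
import fnmatch

# Actions from the list above, mapped to the resource type IAM evaluates them against.
REQUIRED = {
    "s3:ListBucket": "bucket",    # bucket ARN: arn:aws:s3:::<bucket>
    "s3:GetObject": "object",     # object ARN: arn:aws:s3:::<bucket>/<key>
    "s3:PutObject": "object",
    "s3:DeleteObject": "object",
}

def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit_policy(policy, bucket):
    """Report required actions not granted on the right ARN, and grants wider than needed."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    targets = {"bucket": bucket_arn, "object": bucket_arn + "/sample-key"}  # constructed key
    granted, excess, broad = set(), set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        broad.update(r for r in resources if r != bucket_arn and not r.startswith(bucket_arn + "/"))
        for pattern in _as_list(stmt.get("Action", [])):
            if pattern.lower() not in {a.lower() for a in REQUIRED}:
                excess.add(pattern)  # wildcard or an action outside the required list
            for action, kind in REQUIRED.items():
                if (fnmatch.fnmatchcase(action.lower(), pattern.lower())
                        and any(fnmatch.fnmatchcase(targets[kind], r) for r in resources)):
                    granted.add(action)
    return {"missing": sorted(set(REQUIRED) - granted),
            "excess_actions": sorted(excess), "broad_resources": sorted(broad)}

# Constructed sample policies for a hypothetical bucket named "example-extracts".
OBJECT_ARN_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": list(REQUIRED),
    "Resource": "arn:aws:s3:::example-extracts/*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-extracts"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-extracts/*"}]}
WILDCARD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    for doc in (OBJECT_ARN_ONLY, SCOPED, WILDCARD):
        print(audit_policy(doc, "example-extracts"))
```

The first sample shows the common failure where every action is attached to the object ARN only, so listing extracts is denied even though all four actions appear in the policy.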

Azure Blob Storage permissions

The following permissions are required:

  • Read, write, and delete blobs

  • List containers and blobs

  • Get container properties

These permissions are included in the Storage Blob Data Contributor role, but you can also create a custom role with only these specific permissions.

Google Cloud Storage permissions

The following specific permissions are required:

  • storage.buckets.get - to access bucket information

  • Read, write, delete, and list permissions for objects within the bucket

When using Google Cloud Storage, ensure the service account has both storage.buckets.get access and full access to the particular bucket containing your data extracts.

Troubleshooting storage permission issues

If you encounter permission errors when accessing your data extracts:

  1. Verify that the authorization credentials have all required permissions listed above.

  2. Check that the storage container/bucket exists and is accessible.

  3. Ensure the credentials of the service account or user have not been revoked and have not expired.

  4. For Google Cloud Storage errors like storage.buckets.get access denied, ensure the service account has both bucket-level access and object-level permissions.

You can often resolve permission issues by either:

  • Using predefined roles (like Storage Admin for GCP or Storage Blob Data Contributor for Azure)

  • Creating custom roles with the specific permissions listed above (following the principle of least privilege)