Permissions for querying metadata tables

Before you can query your S3 Metadata journal and live inventory tables, you must have certain S3 Tables permissions. If your metadata tables have been encrypted with server-side encryption using Amazon Key Management Service (Amazon KMS) keys (SSE-KMS), you must also have the kms:Decrypt permission to decrypt the table data.

When you create your metadata table configuration, your metadata tables are stored in an Amazon managed table bucket. All metadata table configurations in your account and in the same Region are stored in a single Amazon managed table bucket named aws-s3.

To query metadata tables, you can use the following example policy. To use this policy, replace the user input placeholders with your own information.


{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"PermissionsToQueryMetadataTables",
         "Effect":"Allow",
         "Action":[
             "s3tables:GetTable",
             "s3tables:GetTableData",
             "s3tables:GetTableMetadataLocation",
             "kms:Decrypt"
         ],
         "Resource":[
            "arn:aws-cn:s3tables:region:account_id:bucket/aws-s3",
            "arn:aws-cn:s3tables:region:account_id:bucket/aws-s3/table/*"
         ]
       }
    ]
}

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Querying metadata tables

Querying metadata tables with Amazon analytics services