Access Control

Some applications may require setting different levels of access, both for uploading and downloading files. Harvest Files supports defining file access permissions based on Soracom Access Management (SAM) Role permissions.

When configuring Harvest Files, you can select the Role ID of the SAM role you would like to attach to the group by using the Assumed Role option. All subscribers within the group will inherit the permissions specified in the SAM role.

SAM role permissions for Harvest Files include the following API actions:

When defining the role permissions, a condition should also be specified, which defines the path where the permitted action applies. The path specified in the condition parameter can include the following placeholders:

Each permission statement should use the following format:

{
  "effect": "allow",
  "api": "FileEntry:*",
  "condition": "pathVariable('path') matches 'uploads/:imsi/.*'"
}

Example

Given that we have created a SAM role called my-test-role, and in its permissions we have defined the following Harvest Files permissions:

{
  "statements": [
    {
      "effect":"allow",
      "api": "FileEntry:listFiles",
      "condition": "pathVariable('path') matches 'firmware/versions/'"
    },
    {
      "effect":"allow",
      "api": "FileEntry:getFile",
      "condition": "pathVariable('path') matches 'firmware/versions/.*'"
    },
    {
      "effect":"allow",
      "api": "FileEntry:putFile",
      "condition": "pathVariable('path') matches 'logs/:imsi/.*'"
    }
  ]
}
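
The following is an added example, not Soracom's code: a local Python check of which requests the my-test-role statements above would permit, useful for testing a role before attaching it to a group. It assumes that :imsi is replaced by the requesting subscriber's IMSI, that the pattern must match the whole path, and that anything not explicitly allowed is denied; is_allowed, api_matches and the sample IMSIs are made up for illustration.

```python
import json
import re

# The my-test-role statements from the example above.
ROLE = json.loads("""
{"statements": [
  {"effect": "allow", "api": "FileEntry:listFiles",
   "condition": "pathVariable('path') matches 'firmware/versions/'"},
  {"effect": "allow", "api": "FileEntry:getFile",
   "condition": "pathVariable('path') matches 'firmware/versions/.*'"},
  {"effect": "allow", "api": "FileEntry:putFile",
   "condition": "pathVariable('path') matches 'logs/:imsi/.*'"}
]}
""")

# Only the condition shape shown on this page is parsed.
CONDITION = re.compile(r"pathVariable\('path'\) matches '(.*)'")


def api_matches(pattern, action):
    """'FileEntry:*' covers every FileEntry action; otherwise exact match."""
    if pattern.endswith(":*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def is_allowed(role, action, path, imsi):
    """Return True if any allow statement covers (action, path) for this SIM.

    Assumptions (not confirmed by the page): ':imsi' is replaced by the
    requesting subscriber's IMSI, the pattern must match the whole path,
    and anything not explicitly allowed is denied.
    """
    for stmt in role["statements"]:
        if stmt["effect"] != "allow" or not api_matches(stmt["api"], action):
            continue
        m = CONDITION.fullmatch(stmt["condition"])
        if m is None:
            continue  # unknown condition syntax: fail closed
        regex = m.group(1).replace(":imsi", re.escape(imsi))
        if re.fullmatch(regex, path):
            return True
    return False


# Constructed sample IMSIs for two SIMs in the same group.
SIM_A, SIM_B = "001010000000001", "001010000000002"
```

Under these assumptions, is_allowed(ROLE, "FileEntry:putFile", "logs/" + SIM_B + "/boot.log", SIM_A) is False: the :imsi placeholder keeps one SIM from writing into another SIM's log directory.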

When we set the Harvest Files Assumed Role option to my-test-role, the subscribers within the group will then have the following permissions: