Define access and permissions using bucket policies
With bucket policies, you can set up fine-grained control over your objects stored within them.
Bucket policies are a mechanism for managing permissions and access to buckets and their content. Unlike ACLs, bucket policies are attached to an entire bucket, not directly to individual objects. However, within a bucket policy, you can still specify permissions for specific objects or prefixes inside that bucket, offering finer control over the types of permissions you grant.
Components of a policy
Bucket policies are formatted using JSON with the following structure:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": ...,
    "Principal": ...,
    "Action": ...,
    "Resource": ...
  }]
}
This file consists of a Version string (set to 2012-10-17, the current version) and a Statement array holding one or more statements that define the policies you wish to use. Each statement contains the Effect, Principal, Action, Resource, and optional Condition elements. Each of these is discussed below.
Effect
The Effect section specifies whether access is allowed (Allow) or denied (Deny) to the specified resource. See IAM JSON policy elements: Effect.
"Effect": "Allow"
Principal
The Principal section defines the user or entity to which the policy applies. See Amazon S3 principals.
Specific user: Specify a canonical ID to apply the policy to that user. The canonical ID is the same as the name of an Object Storage instance, for example, os-bab6e. In other words, each Object Storage instance is also a user. Hence, an Object Storage instance can access buckets in other Object Storage instances, provided they have been granted access.

If the canonical ID is os-bab6e, then the Principal part will look like this:
Public/anonymous access: Use a wildcard to grant access to everyone. This is commonly used to host publicly accessible assets, such as images and videos, for a website. Be aware that this makes the resource available to anyone on the internet.
Action
Actions are the permissions granted (or removed) by the policy. These actions include the ability to list buckets, view objects, upload objects, and more:
s3:PutObject: Upload objects
s3:GetObject: Retrieve objects
s3:ListBucket: List the contents of a bucket
s3:DeleteObject: Delete objects
For a complete list of actions, refer to Ceph > Bucket Policies. You may also consult the Amazon S3 actions guide.
Resource
A policy applies to Object Storage resources, such as buckets and objects. Bucket resources are formatted as "arn:aws:s3:::[bucket]". To apply a policy to some or all objects within a bucket, use "arn:aws:s3:::[bucket]/[object]". In both cases, substitute [bucket] with the name of the bucket and [object] with either the wildcard value (*) that designates all objects or the path and name of the object. See Amazon S3 resources.
All objects: Apply the policy to all objects within the bucket labeled example-bucket.
All objects in a specific directory: Apply the policy to all objects in the assets folder within the bucket named example-bucket.
Specific object: Apply the policy to the object example-file.ext within the bucket named example-bucket.
While a resource can target the bucket itself (by removing the /* in the first example), this may cause the bucket to become inaccessible.
Bucket policy examples
Allow public list and read access
If you want to allow anyone to list objects and download objects in a bucket, use the following policy:
Grant a user limited access to a directory
This policy file allows a user to list the contents of the bucket named example-bucket and view or download objects within the test directory. They cannot perform any other actions.
Allow or deny access from a specific IP address
By using the Condition section in conjunction with the IpAddress and NotIpAddress conditions, you can choose to allow or deny traffic from the specified IP address or range.
If the Effect is set to Allow, use the IpAddress condition to specify that only traffic from that IP address is allowed, and use NotIpAddress to allow all traffic except from that IP address.
If the Effect is set to Deny, use the IpAddress condition to deny traffic from that IP address, and use NotIpAddress to deny all traffic except from that IP address.
The example below allows all traffic from only the specified IP address:
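As an added illustration (not part of the original page or the provider's own tooling), the following Python builds the four Effect/IpAddress/NotIpAddress combinations described above and evaluates a request against the resulting policy the way bucket policy evaluation works: an explicit Deny wins, otherwise a matching Allow grants access, otherwise access is implicitly denied. The bucket name, the 203.0.113.0/24 range and the request IPs are constructed values; the evaluator assumes anonymous requests (Principal "*") and checks only the aws:SourceIp condition key.

```python
import fnmatch
import ipaddress
import json

# Constructed values for this example (not taken from the page).
BUCKET = "example-bucket"
OFFICE = "203.0.113.0/24"  # documentation range used as the trusted network

def ip_policy(bucket, cidr, effect, negate=False):
    """Allow/Deny s3:GetObject + s3:ListBucket for everyone, conditioned on
    the caller's IP: negate=False -> IpAddress, negate=True -> NotIpAddress."""
    key = "NotIpAddress" if negate else "IpAddress"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": effect, "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {key: {"aws:SourceIp": cidr}}}]}

def merge(*policies):  # combine the Statement arrays of several policies
    return {"Version": "2012-10-17",
            "Statement": [s for p in policies for s in p["Statement"]]}

def _condition_ok(condition, source_ip):
    ip = ipaddress.ip_address(source_ip)
    for key, values in condition.items():
        cidrs = values.get("aws:SourceIp", [])
        cidrs = [cidrs] if isinstance(cidrs, str) else cidrs
        hit = any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)
        if (key == "IpAddress" and not hit) or (key == "NotIpAddress" and hit):
            return False
    return True

def evaluate(policy, action, resource, source_ip):
    """Decide 'Allow' or 'Deny' for an anonymous request (Principal '*'):
    an explicit Deny wins, else any matching Allow, else implicit Deny."""
    decision = "Deny"
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if action not in actions or not any(fnmatch.fnmatchcase(resource, r) for r in res):
            continue
        if not _condition_ok(st.get("Condition", {}), source_ip):
            continue  # condition not met: statement does not apply
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

if __name__ == "__main__":
    print(json.dumps(ip_policy(BUCKET, OFFICE, "Allow"), indent=2))
```

A Deny-only policy never grants anything, so the Deny + IpAddress and Deny + NotIpAddress forms must be combined with an Allow statement (see merge) to be useful.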
Apply bucket policies
After creating your bucket policy file and defining your policies, you need to use a third-party tool to apply those policies to a bucket.
Use s3cmd
Command: s3cmd setpolicy [policy-file] s3://[bucket-name], replacing [bucket-name] with the name of your bucket and [policy-file] with the filename and path of your bucket policy file.
Example: Apply the bucket policies defined within the file bucket_policy.json to the bucket called example-bucket:
See Use s3cmd with Object Storage → Permissions and access controls for more details.