> For the complete documentation index, see [llms.txt](https://docs.glesys.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.glesys.com/products/storage/object-storage/how-tos/define-access-and-permissions-using-bucket-policies.md).

# Define access and permissions using bucket policies

***

Bucket policies are a mechanism for managing permissions and access to buckets and their content. Unlike ACLs, bucket policies are attached to an entire bucket, not directly to individual objects. However, within a bucket policy, you can still specify permissions for specific objects or prefixes inside that bucket, offering finer control over the types of permissions you grant.

### Components of a policy

Bucket policies are formatted using JSON with the following structure:

{% code title="bucket-policy.json" %}

```json
{
 "Version": "2012-10-17",
 "Statement": [{
   "Effect": ...,
   "Principal": ...,
   "Action": ...,
   "Resource": ...
 }]
}
```

{% endcode %}

This document consists of a **Version** string (set to `2012-10-17`, the current policy language version) and a **Statement** array containing one or more statement objects. Each statement holds the **Effect**, **Principal**, **Action**, and **Resource** elements, plus an optional **Condition** element. Each of these is discussed below.

#### Effect

The Effect element states whether the statement allows (`Allow`) or denies (`Deny`) the listed actions on the specified resource. Access is denied by default, so a request succeeds only if some statement allows it, and an explicit `Deny` takes precedence over any `Allow` that also matches the request. See [IAM JSON policy elements: Effect](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_effect.html).

```
"Effect":"Allow"
```

#### Principal

The Principal section defines the user or entity to which the policy applies. See [Amazon S3 principals](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-bucket-user-policy-specifying-principal-intro.html).

* **Specific user:** Specify a canonical ID to apply the policy to that user. The canonical ID is the same as the name of an Object Storage instance, for example, `os-bab6e`. In other words, each Object Storage instance is also a user. Hence, an Object Storage instance can access buckets owned by other Object Storage instances, provided the owning instance's bucket policy grants it access.

<figure><img src="/files/eRGZJRO29iCcPLlhqVbS" alt=""><figcaption></figcaption></figure>

If the canonical ID is `os-bab6e`, then the **Principal** part will look like this:

```
"Principal": {
  "AWS": [
    "arn:aws:iam:::user/os-bab6e"
  ]
}
```

* **Public/anonymous access**: Use a wildcard to grant access to everyone, including unauthenticated requests. This is commonly used to host publicly accessible assets, such as images and videos, for a website. Be aware that this makes the resource available to anyone on the internet, so pair it only with read actions such as `s3:GetObject`; a wildcard principal combined with `s3:PutObject`, `s3:DeleteObject`, or `s3:*` lets anyone modify or remove your data.

```
"Principal":"*"
```

#### Action

**Actions** are the operations a statement allows or denies. They include listing a bucket, reading objects, uploading objects, and more:

* `s3:PutObject`: Upload objects
* `s3:GetObject`: Retrieve objects
* `s3:ListBucket`: List the contents of a bucket
* `s3:DeleteObject`: Delete objects

For a complete list of actions, refer to [Ceph > Bucket Policies](https://docs.ceph.com/en/latest/radosgw/bucketpolicy/#). You may also consult the [Amazon S3 actions](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html) guide.

#### Resource

A policy applies to Object Storage **resources**, such as buckets and objects. Bucket resources are formatted as `"arn:aws:s3:::[bucket]"`. To apply a policy to some or all objects within a bucket, use `"arn:aws:s3:::[bucket]/[object]"`. In both cases, substitute \[bucket] with the name of the bucket and \[object] with either the wildcard value (\*) that designates all objects or the path and name of the object. See [Amazon S3 resources](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-arn-format.html).

* **All objects:** Apply the policy to all objects within the bucket named *example-bucket*.

```
"Resource": [
  "arn:aws:s3:::example-bucket/*"
]
```

* **All objects under a prefix:** Apply the policy to every object whose key starts with `assets/` in the bucket named *example-bucket*. Object Storage has no real directories; a "folder" is just a key prefix, so the trailing `/*` is what scopes the match.

```
"Resource": [
  "arn:aws:s3:::example-bucket/assets/*"
]
```

* **Specific object:** Apply the policy to the object `example-file.ext` within the bucket named *example-bucket*.

```
"Resource": [
  "arn:aws:s3:::example-bucket/example-file.ext"
]
```

{% hint style="danger" %}
A resource can also target the bucket itself (by removing the `/*` in the first example). This is required for bucket-level actions such as `s3:ListBucket`, but object actions such as `s3:GetObject` do not match the bare bucket ARN, so a statement that names only the bucket grants no access to the objects inside it. Be especially careful with `Deny` statements or broad actions against the bucket ARN: a mistake there can make the bucket inaccessible to you as well.
{% endhint %}

### Bucket policy examples

#### Allow public list and read access

If you want to allow anyone to list objects and download objects in a bucket, use the following policy:

{% code title="bucket\_policy.json" %}

```json
{
 "Version": "2012-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Principal": "*",
   "Action": [
     "s3:GetObject",
     "s3:ListBucket"
   ],
   "Resource": [
     "arn:aws:s3:::example-bucket",
     "arn:aws:s3:::example-bucket/*"
   ]
 }]
}
```

{% endcode %}

#### Grant a user limited access to a directory

This policy file allows the user `os-bab6e` to list the contents of the bucket named `example-bucket` and to read or download objects under the `test/` prefix. The user cannot perform any other actions: note that `s3:ListBucket` is granted on the bucket ARN while `s3:GetObject` is granted on the object ARN pattern, because each action only matches its own resource type.

{% code title="bucket\_policy.json" %}

```json
{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Effect": "Allow",
     "Principal": {
       "AWS": "arn:aws:iam:::user/os-bab6e"
     },
     "Action": [
       "s3:ListBucket"
     ],
     "Resource": [
       "arn:aws:s3:::example-bucket"
     ]
   },
   {
     "Effect": "Allow",
     "Principal": {
       "AWS": "arn:aws:iam:::user/os-bab6e"
     },
     "Action": [
       "s3:GetObject"
     ],
     "Resource": [
       "arn:aws:s3:::example-bucket/test/*"
     ]
   }
 ]
}
```

{% endcode %}

#### Allow or deny access from a specific IP address

By adding a **Condition** element with the **IpAddress** or **NotIpAddress** operator on the `aws:SourceIp` key, you can restrict a statement to requests arriving from a given IP address or CIDR range. The address compared is the client address as seen by the Object Storage service, so requests relayed through a proxy or NAT gateway match on the relay's address rather than the original client's.

With **Effect** set to `Allow`, **IpAddress** makes the statement grant access *only* to requests from that address (requests from elsewhere fall back to the default deny unless another statement allows them), and **NotIpAddress** grants access to all requests *except* those from that address.

With **Effect** set to `Deny`, **IpAddress** denies requests from that address, and **NotIpAddress** denies all requests *except* those from that address. Because an explicit `Deny` overrides any `Allow`, a `Deny` with **NotIpAddress** is the stricter way to pin a bucket to one network: it blocks every other source even if another statement would allow it.

The example below grants every S3 object action (`s3:*`, which includes uploading and deleting) to any principal, but only for requests from the single address `192.0.2.1`. Because the resource names only the objects and not the bucket itself, `s3:ListBucket` is not covered:

{% code title="bucket\_policy.json" %}

```json
{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Effect": "Allow",
     "Principal": "*",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {
       "IpAddress": {
         "aws:SourceIp": "192.0.2.1/32"
       }
     }
   }
 ]
}
```

{% endcode %}
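To make the interaction of Effect, Principal, Action, Resource, and Condition concrete, here is a toy evaluator that replays the policies on this page against sample requests. It is an added illustration, not code from GleSYS Object Storage or Ceph RGW; it models only the elements covered above (the explicit-deny over allow over default-deny order, `*` wildcards in actions and resource ARNs, and the `IpAddress`/`NotIpAddress` operators on `aws:SourceIp`). The second instance name `os-0000f`, the `READ_NO_DELETE` policy, and the object keys are constructed for the example.

```python
"""Toy evaluator for the S3-style bucket policies shown on this page.

Added illustration, not code from GleSYS Object Storage or Ceph RGW. It
models the decision order such policies use: an explicit Deny beats any
Allow, and a request matching no Allow statement is denied by default.
"""
import ipaddress
import re
from typing import Optional


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern: str, value: str) -> bool:
    """IAM-style match: '*' in the pattern stands for any run of characters."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def _principal_matches(principal, user_arn: str) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", user_arn) for p in _as_list(principal.get("AWS", [])))
    return False


def _ip_in(ranges, source_ip: str) -> bool:
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in _as_list(ranges))


def _condition_matches(condition: dict, source_ip: Optional[str]) -> bool:
    """All condition blocks must hold; anything not modelled here fails closed."""
    for operator, keys in condition.items():
        ranges = keys.get("aws:SourceIp")
        if operator not in ("IpAddress", "NotIpAddress") or ranges is None or source_ip is None:
            return False
        if _ip_in(ranges, source_ip) != (operator == "IpAddress"):
            return False
    return True


def evaluate(policy: dict, user_arn: str, action: str, resource_arn: str,
             source_ip: Optional[str] = None) -> str:
    """Decide one request: explicit Deny > Allow > default Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], user_arn):
            continue
        if not any(_glob_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob_match(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit Deny ends the evaluation
        decision = "Allow"
    return decision


USER = "arn:aws:iam:::user/os-bab6e"      # canonical ID used on this page
OTHER = "arn:aws:iam:::user/os-0000f"     # constructed second instance
BUCKET = "arn:aws:s3:::example-bucket"

# "Grant a user limited access to a directory" example from this page.
LIMITED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": USER},
     "Action": ["s3:ListBucket"], "Resource": [BUCKET]},
    {"Effect": "Allow", "Principal": {"AWS": USER},
     "Action": ["s3:GetObject"], "Resource": [BUCKET + "/test/*"]},
]}
# "Allow ... from a specific IP address" example from this page.
IP_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": BUCKET + "/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.1/32"}}},
]}
# Constructed: public access plus an explicit Deny on deletes, to show Deny winning.
READ_NO_DELETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": BUCKET + "/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject", "Resource": BUCKET + "/*"},
]}


def demo() -> dict:
    """Decisions for a handful of constructed requests against the policies above."""
    obj, test_obj = BUCKET + "/a.txt", BUCKET + "/test/a.txt"
    return {
        "user lists bucket": evaluate(LIMITED, USER, "s3:ListBucket", BUCKET),
        "user reads test/ object": evaluate(LIMITED, USER, "s3:GetObject", test_obj),
        "user reads other object": evaluate(LIMITED, USER, "s3:GetObject", obj),
        "user uploads to test/": evaluate(LIMITED, USER, "s3:PutObject", test_obj),
        "other instance lists": evaluate(LIMITED, OTHER, "s3:ListBucket", BUCKET),
        "anyone deletes from 192.0.2.1": evaluate(IP_ONLY, OTHER, "s3:DeleteObject", obj, "192.0.2.1"),
        "anyone reads from elsewhere": evaluate(IP_ONLY, OTHER, "s3:GetObject", obj, "198.51.100.7"),
        "anyone lists from 192.0.2.1": evaluate(IP_ONLY, OTHER, "s3:ListBucket", BUCKET, "192.0.2.1"),
        "deny beats allow on delete": evaluate(READ_NO_DELETE, OTHER, "s3:DeleteObject", obj),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{decision:5}  {request}")
```

Two results are worth noticing: the IP-restricted example allows `s3:DeleteObject` for anyone connecting from `192.0.2.1` (because `s3:*` was granted), yet denies `s3:ListBucket` from that same address (because the resource covers only `example-bucket/*`, not the bucket ARN), and the constructed `READ_NO_DELETE` policy shows the explicit `Deny` overriding the broad `Allow` in the same document.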

### Apply bucket policies

After creating your bucket policy file and defining your policies, apply it to the bucket with a third-party S3 client such as s3cmd.

#### Use s3cmd

**Command:** `s3cmd setpolicy [policy-file] s3://[bucket-name]`, replacing *\[bucket-name]* with the name of your bucket and *\[policy-file]* with the filename and path of your bucket policy file.

**Example:** Apply the bucket policies defined within the file *bucket\_policy.json* to the bucket called *example-bucket*:

{% code title="Command" %}

```
s3cmd setpolicy bucket_policy.json s3://example-bucket
```

{% endcode %}

See [Use s3cmd with Object Storage → Permissions and access controls](/products/storage/object-storage/how-tos/clients-and-tooling/use-s3cmd-with-object-storage.md#permissions-and-access-controls) for more details.
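Because a mistyped policy takes effect the moment `s3cmd setpolicy` succeeds, it pays to check the file before uploading it. The following pre-flight script is an added example, not GleSYS or s3cmd code: it validates the document structure and flags the pitfalls described on this page (bucket-level actions without the bare bucket ARN, object actions without `bucket/*`, and an anonymous principal combined with write or wildcard actions and no Condition), then runs the same `s3cmd setpolicy` command shown above only if no `error` finding was raised. The `PUBLIC_READ` and `PUBLIC_WRITE` sample policies are embedded for illustration; `PUBLIC_WRITE` is a constructed risky variant.

```python
"""Pre-flight checks for a bucket-policy file before running s3cmd setpolicy.

Added example, not code from GleSYS or s3cmd. "error" findings block the
upload; "warn" findings are reported but do not. Wildcard actions other than
"s3:*" are not expanded, so this is a safety net, not a full policy validator.
"""
import json
import subprocess
import sys

BUCKET_ACTIONS = {"s3:ListBucket"}                                      # act on the bucket ARN
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}   # act on bucket/*
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:*"}
REQUIRED = ("Effect", "Principal", "Action", "Resource")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _is_bucket_arn(arn: str) -> bool:
    """arn:aws:s3:::bucket is bucket-level; anything with a key part is object-level."""
    return arn == "*" or "/" not in arn.split(":::", 1)[-1]


def lint_policy(policy: dict) -> list:
    """Return a list of 'error: ...' and 'warn: ...' findings; empty means clean."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("error: Version must be 2012-10-17")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["error: Statement must be a non-empty array"]
    for i, stmt in enumerate(statements):
        where = f"statement {i}"
        missing = [k for k in REQUIRED if k not in stmt]
        if missing:
            findings.append(f"error: {where} is missing {', '.join(missing)}")
            continue
        if stmt["Effect"] not in ("Allow", "Deny"):
            findings.append(f"error: {where} has invalid Effect {stmt['Effect']!r}")
        actions = set(_as_list(stmt["Action"]))
        resources = _as_list(stmt["Resource"])
        has_bucket = any(_is_bucket_arn(r) for r in resources)
        has_object = any(r == "*" or not _is_bucket_arn(r) for r in resources)
        if actions & BUCKET_ACTIONS and not has_bucket:
            findings.append(f"warn: {where} grants a bucket-level action but names no bare bucket ARN")
        if actions & OBJECT_ACTIONS and not has_object:
            findings.append(f"warn: {where} grants object actions but names no bucket/* resource")
        if (stmt["Effect"] == "Allow" and _is_anonymous(stmt["Principal"])
                and actions & WRITE_ACTIONS and "Condition" not in stmt):
            findings.append(f"error: {where} lets anyone write or delete: {sorted(actions & WRITE_ACTIONS)}")
    return findings


def apply_policy(path: str, bucket: str, run=subprocess.run) -> int:
    """Lint the file, then hand it to s3cmd exactly as the command above does."""
    with open(path) as fh:
        policy = json.load(fh)
    findings = lint_policy(policy)
    for finding in findings:
        print(finding, file=sys.stderr)
    if any(f.startswith("error") for f in findings):
        return 1
    return run(["s3cmd", "setpolicy", path, f"s3://{bucket}"]).returncode


# Samples: the public-read policy from this page and a constructed risky variant.
PUBLIC_READ = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}
PUBLIC_WRITE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::example-bucket/*"}]}


if __name__ == "__main__":
    # usage: python check_policy.py bucket_policy.json example-bucket
    sys.exit(apply_policy(sys.argv[1], sys.argv[2]))
```

Run it in place of the bare `s3cmd setpolicy` call; a clean file is uploaded unchanged, while a document like `PUBLIC_WRITE` stops with an `error` line. If a policy still locks you out after applying, `s3cmd delpolicy s3://example-bucket` removes it again.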


