Sharing Object Storage buckets in read-only mode

Reviewed on February 11, 2025

Important

Bucket policy version 2012-10-17 is deprecated and its usage is not recommended. Refer to the dedicated documentation for more information on bucket policy versions.

Before you start

To complete the actions presented below, you must have:

Owner status or IAM permissions allowing you to perform actions in the intended Organization
Installed the AWS CLI
An Object Storage bucket

You can implement a bucket policy to grant a Scaleway Organization or Project Read rights to a bucket in a different Project.

Principle

For example, you are logged in to Organization A and you have a bucket (A1) inside Project A. You wish to share the bucket in read-only mode with users in Organization B, Project B.

To do so, you have to apply a policy to bucket A1 that grants access to Organization B or Project B and include which API calls they are allowed to make.

To guarantee that they can only view contents, include "s3:ListBucket" and "s3:GetObject" under Action in the bucket-policy.json file you create.

Specify which resources they can access under Resource:

"<BUCKET_NAME>": Grants access to the bucket, but not to the objects inside. If the s3:ListBucket action is applied, this resource specification is required.
"<BUCKET_NAME>/*": Grants access to all objects inside a bucket, but not to the bucket itself. If the s3:GetObject action is applied, this resource specification is required.
"<BUCKET_NAME>/<PREFIX>/*": Grants access only to objects with the specified prefix inside a bucket, but not to the bucket itself. For example, if you apply a bucket policy that specifies "my_files/movie/*" under Resource, you would grant access to all objects with the movie/ prefix, but not to other objects in my_files/ bucket. If the s3:GetObject action is applied, this resource specification is required.

Creating the bucket policy

Create a file named bucket-policy.json and add the following code to it:

{
    "Version": "2012-10-17",
    "Id": "Mybucketpolicy",
    "Statement": [
        {
            "Sid": "DelegateAccess",
            "Effect": "Allow",
            "Principal": {
                "SCW": "project_id:<PROJECT_ID>"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}

Apply the policy using the PutBucketPolicy API call or run the following aws-cli command:
```
aws s3api put-bucket-policy --bucket <SOURCE_BUCKET> --profile default_project --policy file://bucket-policy.json
```
Note
Refer to the dedicated documentation for more information on how to create bucket policies.

You can now provide the user in Organization B with the name of your bucket. If the policy is correctly applied, they will be able to see bucket A1 included in their bucket list when running List_Buckets. If they know the name of an object, they can view its details by running Get_Object.

Still need help?

Create a support ticket