S3 Object Storage - Bucket Policy

Bucket Policy Overview

Bucket Policy is a resource-based policy option. It allows you to grant other Scaleway projects and organizations access to a bucket you own.

By default, all S3 resources in a project are private and can be accessed only by users of the project. To grant access to outside users, a policy file can be added to a bucket via an API call or the AWS-CLI.

Note: Bucket policies use a JSON-based access policy language.

The key elements of a Bucket Policy are Version, ID, Statement, Sid, Principal, Action, Effect, Resource and Condition. You can find out more about each element in the full documentation.

In this documentation, you will learn how to:

  • apply, retrieve and delete a Bucket Policy (PUT, GET and DELETE Bucket Policy)
  • share a bucket in read-only mode with another project or organization
  • import a copy of objects from a bucket in a different project

Requirements

You have:

PUT Bucket Policy

This operation applies an S3 bucket policy to an S3 bucket.

Sample API Request:

PUT /myBucket?policy HTTP/1.1
{
    "Version": "2012-10-17",
    "Id": "MyBucketPolicy",
    "Statement": [
        {
            "Sid": "DelegateAccess",
            "Effect": "Allow",
            "Principal":{
                "SCW": "project_id:<PROJECT_ID>"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}

AWS-CLI Command:

Create the file bucket-policy.json with the following content:

{
    "Version": "2012-10-17",
    "Id": "Mybucketpolicy",
    "Statement": [
        {
            "Sid": "DelegateAccess",
            "Effect": "Allow",
            "Principal": {
                "SCW": "project_id:<PROJECT_ID>"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}

Then run the following command:

$ aws s3api put-bucket-policy --bucket <BUCKET_NAME> --policy file://bucket-policy.json

GET Bucket Policy

This operation returns the policy of a specified bucket.

Sample API Request:

GET /myBucket?policy HTTP/1.1

Sample API Output:

{
    "Policy": "{\"Version\": \"2012-10-17\", \"Statement\": [{\"Action\": [\"s3:GetObject\"], \"Principal\": {\"SCW\": [\"<PROJECT_ID>\"]}, \"Resource\": [\"myBucket/*\"], \"Effect\": \"Allow\", \"Sid\": \"DelegateGetObject\"}]}"
}

AWS-CLI Command:

$ aws s3api get-bucket-policy --bucket myBucket
{
    "Policy": "{\"Version\": \"2012-10-17\", \"Statement\": [{\"Action\": [\"s3:GetObject\"], \"Principal\": {\"SCW\": [\"<PROJECT_ID>\"]}, \"Resource\": [\"myBucket/*\"], \"Effect\": \"Allow\", \"Sid\": \"DelegateGetObject\"}]}"
}

DELETE Bucket Policy

This operation deletes the Bucket Policy of a specified bucket.

If the operation is successful, no output will be returned.

Sample API Request:

DELETE /MyBucket?policy HTTP/1.1

AWS-CLI Command:

$ aws s3api delete-bucket-policy --bucket myBucket

How to share buckets in read-only mode

You can implement a Bucket Policy to grant a Scaleway organization or project viewing rights to a bucket in a different project.

For example, you are logged in to Organization A and you have a bucket (A1) inside Project A. You wish to share the bucket in read-only mode with users in Organization B, Project B.

To do so, you have to apply a policy to bucket A1 that grants access to Organization B or Project B and include which API calls they are allowed to make.

To guarantee that they can only view contents, include only "s3:ListBucket" and "s3:GetObject" under Action in the bucket-policy.json file you create; any write action (for example s3:PutObject or s3:DeleteObject) would let them modify the bucket.

Specify which resources they can access under Resource:

  • "<BUCKET_NAME>" - Grants access to the bucket itself, but not to the objects inside. This resource specification is required whenever the s3:ListBucket action is granted, because listing is a bucket-level operation.
  • "<BUCKET_NAME>/*" - Grants access to all objects inside the bucket, but not to the bucket itself. This (or a prefixed variant, below) is required whenever the s3:GetObject action is granted, because reading is an object-level operation.
  • "<BUCKET_NAME>/<PREFIX>/*" - Grants access only to objects with the specified prefix inside the bucket, but not to the bucket itself. For example, a bucket policy that specifies "my_files/movie/*" under Resource grants access to all objects under the movie/ prefix, but not to other objects in the my_files bucket. Use this instead of "<BUCKET_NAME>/*" when s3:GetObject should be limited to part of the bucket.

The resulting bucket-policy.json for sharing the whole bucket in read-only mode:

{
    "Version": "2012-10-17",
    "Id": "Mybucketpolicy",
    "Statement": [
        {
            "Sid": "DelegateAccess",
            "Effect": "Allow",
            "Principal": {
                "SCW": "project_id:<PROJECT_ID>"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}

Apply the policy using the PUT Bucket Policy API call or run the aws-cli command below. The --profile must hold credentials for the project that owns the bucket (Project A in this example); the policy is applied by the owner, not by the project receiving access.

$ aws s3api put-bucket-policy --bucket <SOURCE_BUCKET> --profile default_project --policy file://bucket-policy.json

After applying it, retrieve the policy with GET Bucket Policy and check that the Principal, Action and Resource are exactly what you intended before handing the bucket name over.

You can then provide the user in Organization B with the name of your bucket. If the policy is correctly applied, they will see bucket A1 in their bucket list when running ListBuckets. If they know the name of an object, they can retrieve it by running GetObject.
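As an added example (not Scaleway's own tooling and not code from the original page), the following Python script builds the read-only policy described above for a bucket and an optional prefix, lints it before you apply it with put-bucket-policy, and decodes the string-wrapped document that GET Bucket Policy returns. The function names, the lint rules and the sample GET output embedded in the script are assumptions of this example; the principal format "project_id:<PROJECT_ID>" and the Resource forms are the ones this page uses.

```python
import json

# Actions a read-only share may grant; anything else (including s3:* or
# s3:Get*) is reported by the linter.
READ_ONLY_ACTIONS = {"s3:ListBucket", "s3:GetObject"}

# Constructed sample, mirroring the shape of the page's GET ?policy output:
# the policy document arrives as a JSON string inside the "Policy" field.
SAMPLE_GET_OUTPUT = (
    '{"Policy": "{\\"Version\\": \\"2012-10-17\\", \\"Statement\\": [{\\"Action\\": '
    '[\\"s3:GetObject\\"], \\"Principal\\": {\\"SCW\\": [\\"<PROJECT_ID>\\"]}, '
    '\\"Resource\\": [\\"myBucket/*\\"], \\"Effect\\": \\"Allow\\", '
    '\\"Sid\\": \\"DelegateGetObject\\"}]}"}'
)


def build_read_only_policy(bucket, project_id, prefix=None, sid="DelegateAccess"):
    """Return a policy dict granting project_id read-only access to bucket.

    ListBucket is bucket-level, so the bare bucket is always listed as a
    resource; GetObject is object-level, so the object resource is either
    bucket/* or bucket/prefix/* when a prefix is given.
    """
    object_resource = f"{bucket}/{prefix.strip('/')}/*" if prefix else f"{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Id": "Mybucketpolicy",
        "Statement": [
            {
                "Sid": sid,
                "Effect": "Allow",
                "Principal": {"SCW": f"project_id:{project_id}"},
                "Action": sorted(READ_ONLY_ACTIONS),
                "Resource": [bucket, object_resource],
            }
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _principal_values(principal):
    """Flatten "Principal" ("*" or {"SCW": ...}) into a list of strings."""
    if isinstance(principal, str):
        return [principal]
    values = []
    for v in (principal or {}).values():
        values.extend(_as_list(v))
    return values


def lint_read_only(policy, bucket):
    """Return a list of problems; an empty list means a safe read-only share."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    for st in policy.get("Statement", []):
        sid = st.get("Sid", "<no Sid>")
        if st.get("Effect") != "Allow":
            problems.append(f"{sid}: only Allow statements are expected in a share")
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if "*" in _principal_values(st.get("Principal")):
            problems.append(f"{sid}: wildcard principal grants anonymous access")
        extra = sorted(set(actions) - READ_ONLY_ACTIONS)
        if extra:
            problems.append(f"{sid}: non-read-only or wildcard actions {extra}")
        for r in resources:
            if r != bucket and not r.startswith(bucket + "/"):
                problems.append(f"{sid}: resource {r!r} is outside bucket {bucket!r}")
        if "s3:ListBucket" in actions and bucket not in resources:
            problems.append(f"{sid}: s3:ListBucket needs the bare bucket resource {bucket!r}")
        if "s3:GetObject" in actions and not any(r.startswith(bucket + "/") for r in resources):
            problems.append(f"{sid}: s3:GetObject needs an object resource such as {bucket}/*")
    return problems


def parse_get_bucket_policy(api_output):
    """Decode GET ?policy output: outer JSON, then the inner policy string."""
    return json.loads(json.loads(api_output)["Policy"])


if __name__ == "__main__":
    # Writes bucket-policy.json for: aws s3api put-bucket-policy --policy file://bucket-policy.json
    policy = build_read_only_policy("my_files", "<PROJECT_ID>", prefix="movie")
    assert lint_read_only(policy, "my_files") == []
    with open("bucket-policy.json", "w") as fh:
        json.dump(policy, fh, indent=4)
    print(json.dumps(parse_get_bucket_policy(SAMPLE_GET_OUTPUT), indent=4))
```

Run the linter on the decoded output of get-bucket-policy as well as on the file you are about to upload: the former tells you what is actually enforced on the bucket, which is what matters once the bucket name has been shared.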

How to import a copy of objects from a bucket in a different project

To import a copy of the objects in a bucket into another bucket in a different project, you also need to implement a Bucket Policy on the source bucket. A detailed step-by-step guide is provided in the dedicated documentation page.
