Bucket Policy is a resource-based policy option. It allows users to grant access to buckets to other Scaleway projects and organizations.
By default, all S3 resources in a project are private and can be accessed only by users of the project. To grant access to outside users, a policy file can be added to a bucket via an API call or the AWS-CLI.
Note: Bucket policies use a JSON-based access policy language. You can find more details about the JSON policy grammar on this page.
In this documentation, you will learn how to:
Requirements
You have:
- an account and are logged into console.scaleway.com
- configured your API Keys
- created an Object Storage bucket
This operation applies an S3 bucket policy to an S3 bucket.
Sample API Request:
PUT /myBucket?policy HTTP/1.1
{
    "Version": "2012-10-17",
    "Id": "MyBucketPolicy",
    "Statement": [
        {
            "Sid": "DelegateAccess",
            "Effect": "Allow",
            "Principal": {
                "SCW": "project_id:<PROJECT_ID>"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}
AWS-CLI Command:
Create the file bucket-policy.json with the following content:
{
    "Version": "2012-10-17",
    "Id": "Mybucketpolicy",
    "Statement": [
        {
            "Sid": "DelegateAccess",
            "Effect": "Allow",
            "Principal": {
                "SCW": "project_id:<PROJECT_ID>"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}
Then run the following command:
$ aws s3api put-bucket-policy --bucket <BUCKET_NAME> --policy file://bucket-policy.json
This operation returns the policy of a specified bucket.
Sample API Request:
GET /myBucket?policy HTTP/1.1
Sample API Output:
{
"Policy": "{\"Version\": \"2012-10-17\", \"Statement\": [{\"Action\": [\"s3:GetObject\"], \"Principal\": {\"SCW\": [\"<PROJECT_ID>\"]}, \"Resource\": [\"myBucket/*\"], \"Effect\": \"Allow\", \"Sid\": \"DelegateGetObject\"}]}"
}
AWS-CLI Command:
$ aws s3api get-bucket-policy --bucket myBucket
{
"Policy": "{\"Version\": \"2012-10-17\", \"Statement\": [{\"Action\": [\"s3:GetObject\"], \"Principal\": {\"SCW\": [\"<PROJECT_ID>\"]}, \"Resource\": [\"myBucket/*\"], \"Effect\": \"Allow\", \"Sid\": \"DelegateGetObject\"}]}"
}
This operation deletes the Bucket Policy of a specified bucket.
If the operation is successful, no output will be returned.
Sample API Request:
DELETE /MyBucket?policy HTTP/1.1
AWS-CLI Command:
$ aws s3api delete-bucket-policy --bucket myBucket
You can implement a Bucket Policy to grant a Scaleway organization or project viewing rights to a bucket in a different project.
For example, you are logged in to Organization A and you have a bucket (A1) inside Project A. You wish to share the bucket in read-only mode with users in Organization B, Project B.
To do so, you have to apply a policy to bucket A1 that grants access to Organization B or Project B and include which API calls they are allowed to make.
To guarantee that they can only view contents, include "s3:ListBucket" and "s3:GetObject" under Action in the bucket-policy.json file you create.
Specify which resources they can access under Resource:
- "<BUCKET_NAME>": Grants access to the bucket, but not to the objects inside. If the s3:ListBucket action is applied, this resource specification is required.
- "<BUCKET_NAME>/*": Grants access to all objects inside a bucket, but not to the bucket itself. If the s3:GetObject action is applied, this resource specification is required.
- "<BUCKET_NAME>/<PREFIX>/*": Grants access only to objects with the specified prefix inside a bucket, but not to the bucket itself. For example, if you apply a bucket policy that specifies "my_files/movie/*" under Resource, you grant access to all objects with the movie/ prefix, but not to other objects in the my_files/ bucket. If the s3:GetObject action is applied, this resource specification is required.
{
    "Version": "2012-10-17",
    "Id": "Mybucketpolicy",
    "Statement": [
        {
            "Sid": "DelegateAccess",
            "Effect": "Allow",
            "Principal": {
                "SCW": "project_id:<PROJECT_ID>"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}
Apply the policy using the Put Bucket Policy API call or run the aws-cli command.
$ aws s3api put-bucket-policy --bucket <SOURCE_BUCKET> --profile default_project --policy file://bucket-policy.json
You can provide the user in Organization B the name of your bucket. If the policy is correctly applied, they will be able to see bucket A1 included in their bucket list when running List_Buckets. If they know the name of an object, they can view its details by running Get_Object.
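The following added example (not from the Scaleway documentation) builds the read-only sharing policy described above and audits the output of get-bucket-policy before or after it is applied: it unwraps the string-encoded "Policy" field shown in the Get Bucket Policy output, then checks the resource rules from the list above (s3:ListBucket needs the bare bucket, s3:GetObject needs an object resource) and flags wildcard principals or actions beyond the two read-only ones. The bucket name, project id and the over-broad second statement are constructed placeholders.

```python
import json
READ_ONLY_ACTIONS = {"s3:ListBucket", "s3:GetObject"}

def build_read_only_policy(project_id, bucket, prefix=""):
    """Read-only sharing policy in the page's format: s3:ListBucket needs the bare
    bucket as a resource, s3:GetObject needs an object resource (optionally prefixed)."""
    objects = f"{bucket}/{prefix.strip('/')}/*" if prefix else f"{bucket}/*"
    return {"Version": "2012-10-17", "Id": "ReadOnlyShare", "Statement": [{
        "Sid": "DelegateAccess", "Effect": "Allow",
        "Principal": {"SCW": f"project_id:{project_id}"},
        "Action": sorted(READ_ONLY_ACTIONS),
        "Resource": [bucket, objects]}]}

def audit_policy(policy, bucket):
    """Flag Allow statements that grant more than read-only access to `bucket`.
    Accepts a policy dict or the raw `get-bucket-policy` output string."""
    if isinstance(policy, str):  # the API wraps the policy document in a JSON string
        policy = json.loads(json.loads(policy)["Policy"])
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        acts = st.get("Action", [])
        acts = set(acts) if isinstance(acts, list) else {acts}
        res = st.get("Resource", [])
        res = res if isinstance(res, list) else [res]
        scw = st.get("Principal", "*")
        scw = scw.get("SCW", "*") if isinstance(scw, dict) else scw
        if "*" in (scw if isinstance(scw, list) else [scw]):
            findings.append(f"{sid}: principal is a wildcard, not a specific project")
        if not acts <= READ_ONLY_ACTIONS:
            findings.append(f"{sid}: actions beyond read-only: {sorted(acts - READ_ONLY_ACTIONS)}")
        if "s3:ListBucket" in acts and bucket not in res:
            findings.append(f"{sid}: s3:ListBucket without the bucket resource {bucket!r}")
        if "s3:GetObject" in acts and not any(r.startswith(bucket + "/") for r in res):
            findings.append(f"{sid}: s3:GetObject without an object resource under {bucket!r}")
        findings += [f"{sid}: resource {r!r} lies outside bucket {bucket!r}"
                     for r in res if r != bucket and not r.startswith(bucket + "/")]
    return findings

# Constructed sample of get-bucket-policy output (project id is a placeholder): the
# page's delegation statement plus an over-broad one that the audit should flag.
SAMPLE_OUTPUT = json.dumps({"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    build_read_only_policy("00000000-0000-0000-0000-000000000000", "bucket-a1")["Statement"][0],
    {"Sid": "TooBroad", "Effect": "Allow", "Principal": "*",
     "Action": "s3:*", "Resource": "bucket-a1/*"}]})})
if __name__ == "__main__":
    print("\n".join(audit_policy(SAMPLE_OUTPUT, "bucket-a1")) or "no findings")
```

Pipe the real output of `aws s3api get-bucket-policy --bucket <BUCKET_NAME>` into audit_policy to confirm a shared bucket exposes nothing beyond the two read-only actions.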
To import a copy of objects in a bucket to another bucket in a different project, you need to implement a Bucket Policy. Find the detailed step-by-step in this documentation page.