Bucket Policy is a resource-based policy option. It allows users to grant access to buckets to other Scaleway projects and organizations.
By default, all S3 resources in a project are private and can be accessed only by users of the project. To grant access to outside users, a policy file can be added to a bucket via an API call or the AWS-CLI.
Note: Bucket policies use a JSON-based access policy language.
The key elements of Bucket policy are Version, ID, Statement, Sid, Principal, Action, Effect, Resource and Condition. You can find out more about each element by clicking the links, or consulting the full documentation.
In this documentation, you will learn how to:
Requirements
- You have an account and are logged into console.scaleway.com
- You have configured your API Keys
- You have created an Object Storage bucket
This operation applies an S3 bucket policy to an S3 bucket.
Sample API Request:
PUT /myBucket?policy HTTP/1.1
{
"Version": "2012-10-17",
"Id": "MyBucketPolicy",
"Statement": [
{
"Sid": "DelegateAccess",
"Effect": "Allow",
"Principal":{
"SCW": "project_id:<PROJECT_ID>"
},
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
AWS-CLI Command:
Create the file bucket-policy.json with the following content:
{
"Version": "2012-10-17",
"Id": "Mybucketpolicy",
"Statement": [
{
"Sid": "DelegateAccess",
"Effect": "Allow",
"Principal": {
"SCW": "project_id:<PROJECT_ID>"
},
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
Then run the following command:
$ aws s3api put-bucket-policy --bucket <BUCKET_NAME> --policy file://bucket-policy.json
This operation returns the policy of a specified bucket.
Sample API Request:
GET /myBucket?policy HTTP/1.1
Sample API Output:
{
"Policy": "{\"Version\": \"2012-10-17\", \"Statement\": [{\"Action\": [\"s3:GetObject\"], \"Principal\": {\"SCW\": [\"<PROJECT_ID>\"]}, \"Resource\": [\"myBucket/*\"], \"Effect\": \"Allow\", \"Sid\": \"DelegateGetObject\"}]}"
}
AWS-CLI Command:
$ aws s3api get-bucket-policy --bucket myBucket
{
"Policy": "{\"Version\": \"2012-10-17\", \"Statement\": [{\"Action\": [\"s3:GetObject\"], \"Principal\": {\"SCW\": [\"<PROJECT_ID>\"]}, \"Resource\": [\"myBucket/*\"], \"Effect\": \"Allow\", \"Sid\": \"DelegateGetObject\"}]}"
}
This operation deletes the Bucket Policy of a specified bucket.
If the operation is successful, no output will be returned.
Sample API Request:
DELETE /MyBucket?policy HTTP/1.1
AWS-CLI Command:
$ aws s3api delete-bucket-policy --bucket myBucket -> code block
You can combine the strings in your Bucket Policy in several ways to configure your bucket permissions for different purposes.
Find out more about each one in these tutorials: