S3 Object Storage - Bucket Policy

Bucket Policy Overview

Bucket Policy is a resource-based policy option. It allows users to grant other Scaleway projects and organizations access to their buckets.

By default, all S3 resources in a project are private and can be accessed only by users of the project. To grant access to outside users, a policy file can be added to a bucket via an API call or the AWS-CLI.

Note: Bucket policies use a JSON-based access policy language.

The key elements of a Bucket Policy are Version, Id, Statement, Sid, Principal, Action, Effect, Resource and Condition. You can find out more about each element in the full documentation.

In this documentation, you will learn how to:

Requirements

PUT Bucket Policy

This operation applies an S3 bucket policy to an S3 bucket.

Sample API Request:

PUT /myBucket?policy HTTP/1.1
{
    "Version": "2012-10-17",
    "Id": "MyBucketPolicy",
    "Statement": [
        {
            "Sid": "DelegateAccess",
            "Effect": "Allow",
            "Principal":{
                "SCW": "project_id:<PROJECT_ID>"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}

AWS-CLI Command:

Create the file bucket-policy.json with the following content:

{
    "Version": "2012-10-17",
    "Id": "Mybucketpolicy",
    "Statement": [
        {
            "Sid": "DelegateAccess",
            "Effect": "Allow",
            "Principal": {
                "SCW": "project_id:<PROJECT_ID>"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}

Then run the following command:

$ aws s3api put-bucket-policy --bucket <BUCKET_NAME> --policy file://bucket-policy.json

GET Bucket Policy

This operation returns the policy of a specified bucket.

Sample API Request:

GET /myBucket?policy HTTP/1.1

Sample API Output:

{
    "Policy": "{\"Version\": \"2012-10-17\", \"Statement\": [{\"Action\": [\"s3:GetObject\"], \"Principal\": {\"SCW\": [\"<PROJECT_ID>\"]}, \"Resource\": [\"myBucket/*\"], \"Effect\": \"Allow\", \"Sid\": \"DelegateGetObject\"}]}"
}

AWS-CLI Command:

$ aws s3api get-bucket-policy --bucket myBucket
{
    "Policy": "{\"Version\": \"2012-10-17\", \"Statement\": [{\"Action\": [\"s3:GetObject\"], \"Principal\": {\"SCW\": [\"<PROJECT_ID>\"]}, \"Resource\": [\"myBucket/*\"], \"Effect\": \"Allow\", \"Sid\": \"DelegateGetObject\"}]}"
}
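As an added example (not Scaleway's own code), the following Python builds the delegate-access policy body used in the PUT request above and audits a GET Bucket Policy response. Two page-specific points it handles: the Principal value appears either as a "project_id:<id>" string or as a list of bare ids, and the "Policy" field of the GET output is itself a JSON-encoded string that must be decoded a second time. The project id in the sample response is a constructed placeholder.

```python
import json

def build_delegate_policy(bucket, project_id, actions=("s3:ListBucket", "s3:GetObject"),
                          sid="DelegateAccess", policy_id="MyBucketPolicy"):
    """Build the PUT body shown above: allow one Scaleway project to list the
    bucket and read its objects. Returns a dict ready for json.dumps()."""
    return {
        "Version": "2012-10-17",
        "Id": policy_id,
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Principal": {"SCW": f"project_id:{project_id}"},
            "Action": list(actions),
            "Resource": [bucket, f"{bucket}/*"],
        }],
    }

def _project_ids(principal):
    """Normalise the SCW principal forms seen on this page: a single
    'project_id:<id>' string or a list of bare ids."""
    scw = principal.get("SCW", [])
    values = scw if isinstance(scw, list) else [scw]
    return {v.split(":", 1)[1] if v.startswith("project_id:") else v for v in values}

def audit_policy_response(response, allowed_projects):
    """Parse a GET Bucket Policy response. The 'Policy' field is a JSON string
    inside the JSON document, so it is decoded again. Returns the list of
    (Sid, project_id, action) Allow grants to projects outside the allowlist."""
    policy = json.loads(response["Policy"])
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for pid in _project_ids(stmt.get("Principal", {})):
            if pid not in allowed_projects:
                findings.extend((stmt.get("Sid"), pid, a) for a in actions)
    return findings

# Constructed sample: GET output in the shape shown above, with a placeholder project id.
SAMPLE_GET_RESPONSE = {
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Action": ["s3:GetObject"], "Principal": {"SCW": ["11111111-2222-3333-4444-555555555555"]},
        "Resource": ["myBucket/*"], "Effect": "Allow", "Sid": "DelegateGetObject"}]})
}

if __name__ == "__main__":
    print(json.dumps(build_delegate_policy("myBucket", "<PROJECT_ID>"), indent=4))
    print(audit_policy_response(SAMPLE_GET_RESPONSE, allowed_projects=set()))
```

Run the audit against the output of `aws s3api get-bucket-policy` with the set of project ids you expect to hold access; any finding is a grant to a project you did not intend.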

DELETE Bucket Policy

This operation deletes the Bucket Policy of a specified bucket.

If the operation is successful, no output will be returned.

Sample API Request:

DELETE /MyBucket?policy HTTP/1.1

AWS-CLI Command:

$ aws s3api delete-bucket-policy --bucket myBucket

Bucket Policy Use Cases

You can combine the elements of your Bucket Policy in several ways to configure your bucket permissions for different purposes.

Find out more about each one in these tutorials:
