S3 Object Storage - JSON Policy Grammar

Bucket Policy Overview

Bucket Policy is a resource-based policy option. It allows users to grant access to buckets to other Scaleway projects and organizations.

By default, all S3 resources in a project are private and can be accessed only by users of that project. To grant access to outside users, a policy file can be attached to a bucket via an API call or the AWS CLI.

Bucket policies use a JSON-based access policy language.

In this documentation, you will learn about the specifications of the JSON strings that compose a policy. These include:

  • Version - The IAM syntax version.
  • Id - A comment that identifies the policy and provides information about it.
  • Statement - An array that defines the rules our policy engine enforces.
    • Sid - Provides a way to include information about an individual statement.
    • Principal - Provides a way to specify a principal using the Project ID of a Scaleway Project.
    • Action - The S3 actions that the policy allows or denies.
    • Effect - Indicates whether a statement allows or denies access.
    • Resource - Consists of the S3 resource path.
    • Condition - Allows you to specify conditions for when a statement is in effect.

Policy Strings

Version

  • Version:

    Description: IAM syntax version

    Required: Yes

    Type: const

    Value: “2012-10-17”

    Sample:

{
    "Version": "2012-10-17",
    "Id": "MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Delegate access",
            "Effect":"Allow",
            "Principal": {
                "SCW": "project_id:<PROJECT_ID>"
            },
            "Action": "s3:ListBucket",
            "Resource": "<BUCKET_NAME>"
        }
    ]
}

Id

  • Id:

    Description: Information about the policy as a whole. The length is limited to 280 characters.

    Required: No

    Type: string

    Sample:

{
    "Version": "2012-10-17",
    "Id": "MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Delegate access",
            "Effect":"Allow",
            "Principal":{
                "SCW":"project_id:<PROJECT_ID>"
            },
            "Action":[
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource":[
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}

Statement

  • Statement:

    Description: Statement is an array that defines the rules that should be respected by our policy engine.

    Children: Sid, Principal, Action, Effect, Resource and Condition

    Required: No

    Type: array

    Samples:

{
    "Version": "2012-10-17",
    "Id":"MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Delegate access",
            "Effect":"Allow",
            "Principal":{
                "SCW":"project_id:<PROJECT_ID>"
            },
            "Action":[
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource":[
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}
{
    "Version": "2012-10-17",
    "Id":"MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Delegate access to project",
            "Effect":"Allow",
            "Principal":{
                "SCW":"project_id:<PROJECT_ID>"
            },
            "Action":[
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource":[
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        },
        {
            "Sid": "Delegate PUT to project bis",
            "Effect":"Allow",
            "Principal":{
                "SCW":"project_id:<PROJECT_ID_BIS>"
            },
            "Action":"s3:PutObject",
            "Resource":"<BUCKET_NAME>/*"
        }
    ]
}

Sid

  • Sid:

    Description: Provides a way to include information about an individual statement.

    Required: No

    Parent: Statement

    Type: string

    Sample:

{
    "Version": "2012-10-17",
    "Id":"MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Grant list to <PROJECT_ID>",
            "Effect":"Allow",
            "Principal":{
                "SCW":"project_id:<PROJECT_ID>"
            },
            "Action":"s3:ListBucket",
            "Resource":"<BUCKET_NAME>"
        }
    ]
}

Principal

  • Principal:

    Description: Provides a way to specify a principal using the ProjectID of a Scaleway Project. Note that you can use * to grant access to “everyone”.

    Required: Yes

    Parent: Statement

    Sample:

{
    "Version": "2012-10-17",
    "Id":"MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Grant List and GET to everyone",
            "Effect":"Allow",
            "Principal":"*",
            "Action":[
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource":[
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}
{
    "Version": "2012-10-17",
    "Id":"MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Grant List and GET to <PROJECT_ID>",
            "Effect":"Allow",
            "Principal":{
                "SCW":"project_id:<PROJECT_ID>"
            },
            "Action":[
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource":[
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}
{
    "Version": "2012-10-17",
    "Id":"MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Grant List and GET to <PROJECT_ID> and <PROJECT_ID_BIS>",
            "Effect":"Allow",
            "Principal":{
                "SCW":[
                    "project_id:<PROJECT_ID>",
                    "project_id:<PROJECT_ID_BIS>"
                ]
            },
            "Action":[
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource":[
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}

Action

  • Action:

    Description: Consists of the s3 namespace, a colon, and the name of an action. Action names can include wildcards represented by *.

    Required: Yes

    Parent: Statement

Supported Actions
*
s3:*
s3:AbortMultipartUpload
s3:DeleteBucketWebsite
s3:DeleteObject
s3:DeleteObjectTagging
s3:DeleteObjectVersion
s3:DeleteObjectVersionTagging
s3:GetBucketTagging
s3:GetBucketVersioning
s3:GetBucketWebsite
s3:GetLifecycleConfiguration
s3:GetObject
s3:GetObjectTagging
s3:GetObjectVersion
s3:GetObjectVersionTagging
s3:ListBucket
s3:ListBucketMultipartUploads
s3:ListMultipartUploadParts
s3:PutBucketTagging
s3:PutBucketVersioning
s3:PutBucketWebsite
s3:PutLifecycleConfiguration
s3:PutObject
s3:PutObjectTagging
s3:PutObjectVersionTagging

Sample:

{
    "Version": "2012-10-17",
    "Id":"MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Grant List and GET to <PROJECT_ID> and <PROJECT_ID_BIS>",
            "Effect":"Allow",
            "Principal":{
                "SCW":[
                    "project_id:<PROJECT_ID>",
                    "project_id:<PROJECT_ID_BIS>"
                ]
            },
            "Action":"*",
            "Resource":[
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}
{
    "Version": "2012-10-17",
    "Id":"MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Grant List and GET to <PROJECT_ID> and <PROJECT_ID_BIS>",
            "Effect":"Allow",
            "Principal":{
                "SCW":[
                    "project_id:<PROJECT_ID>",
                    "project_id:<PROJECT_ID_BIS>"
                ]
            },
            "Action":"s3:*",
            "Resource":[
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}
{
    "Version": "2012-10-17",
    "Id":"MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Grant List and GET to <PROJECT_ID> and <PROJECT_ID_BIS>",
            "Effect":"Allow",
            "Principal":{
                "SCW":[
                    "project_id:<PROJECT_ID>",
                    "project_id:<PROJECT_ID_BIS>"
                ]
            },
            "Action":"s3:ListBucket",
            "Resource":"<BUCKET_NAME>"
        }
    ]
}
{
    "Version": "2012-10-17",
    "Id":"MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Grant List and GET to <PROJECT_ID> and <PROJECT_ID_BIS>",
            "Effect":"Allow",
            "Principal":{
                "SCW":[
                    "project_id:<PROJECT_ID>",
                    "project_id:<PROJECT_ID_BIS>"
                ]
            },
            "Action":[
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource":[
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}

Effect

  • Effect:

    Description: Uses Allow or Deny to indicate whether the policy allows or denies access.

    Required: Yes

    Parent: Statement

    Sample:

Allow

{
    "Version": "2012-10-17",
    "Id":"MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Grant List and GET to <PROJECT_ID> and <PROJECT_ID_BIS>",
            "Effect":"Allow",
            "Principal":{
                "SCW":[
                    "project_id:<PROJECT_ID>",
                    "project_id:<PROJECT_ID_BIS>"
                ]
            },
            "Action":[
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource":[
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}

Deny

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Deny DELETE to everyone",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:DeleteObject",
      "Resource": "*"
    }
  ]
}

Resource

  • Resource:

    Description: Consists of the S3 resource path.

    Required: Yes

    Parent: Statement

    Sample:

  • "<BUCKET_NAME>" - Grants access to the bucket itself, but not to the objects inside it. This resource specification is required whenever the s3:ListBucket action is applied.
  • "<BUCKET_NAME>/*" - Grants access to all objects inside a bucket, but not to the bucket itself. This resource specification is required whenever the s3:PutObject, s3:GetObject or s3:DeleteObject actions are applied.
  • "<BUCKET_NAME>/<PREFIX>/*" - Grants access only to objects with the specified prefix inside a bucket, but not to the bucket itself. For example, a bucket policy that specifies "my_files/movie/*" under Resource grants access to all objects with the movie/ prefix, but not to other objects in the my_files/ bucket. This resource specification is required whenever the s3:PutObject, s3:GetObject or s3:DeleteObject actions are applied to a prefix.

{
    "Version": "2012-10-17",
    "Id":"MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Grant List and GET to <PROJECT_ID> and <PROJECT_ID_BIS>",
            "Effect":"Allow",
            "Principal":{
                "SCW":[
                    "project_id:<PROJECT_ID>",
                    "project_id:<PROJECT_ID_BIS>"
                ]
            },
            "Action":[
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource":[
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}
{
    "Version": "2012-10-17",
    "Id":"MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Grant List and GET to <PROJECT_ID> and <PROJECT_ID_BIS>",
            "Effect":"Allow",
            "Principal":{
                "SCW":[
                    "project_id:<PROJECT_ID>",
                    "project_id:<PROJECT_ID_BIS>"
                ]
            },
            "Action":[
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource":[
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/photos/*"
            ]
        }
    ]
}
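
The elements above (Version, Id, Statement, Sid, Principal, Action, Effect, Resource) together with the rules in the Resource section are enough to check a policy before it is attached to a bucket. The following linter is an added example written for this page; it is not Scaleway's own tooling and does not call the Scaleway API. It validates a policy document against the grammar as documented here (constant Version, 280-character Id limit, required statement elements, the Supported Actions list with * wildcards, the supported condition operators and keys, and the rule that s3:ListBucket needs the "<BUCKET_NAME>" resource while object actions need "<BUCKET_NAME>/*"), and it flags a public Allow over write or delete actions for review. The bucket name "my-bucket", the principal "project_id:example-project" and the two sample policies are constructed inputs.

```python
"""Static checks for a bucket policy document against the grammar on this page (hypothetical helper)."""
import json
from fnmatch import fnmatchcase

POLICY_VERSION = "2012-10-17"  # the only accepted Version value
ID_MAX_LEN = 280               # documented length limit for Id
EFFECTS = {"Allow", "Deny"}
STATEMENT_KEYS = {"Sid", "Effect", "Principal", "Action", "Resource", "Condition"}
REQUIRED_KEYS = {"Effect", "Principal", "Action", "Resource"}
SUPPORTED_ACTIONS = {  # the "Supported Actions" list; "*" and "s3:*" are handled as wildcards
    "s3:AbortMultipartUpload", "s3:DeleteBucketWebsite", "s3:DeleteObject",
    "s3:DeleteObjectTagging", "s3:DeleteObjectVersion", "s3:DeleteObjectVersionTagging",
    "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetBucketWebsite",
    "s3:GetLifecycleConfiguration", "s3:GetObject", "s3:GetObjectTagging",
    "s3:GetObjectVersion", "s3:GetObjectVersionTagging", "s3:ListBucket",
    "s3:ListBucketMultipartUploads", "s3:ListMultipartUploadParts", "s3:PutBucketTagging",
    "s3:PutBucketVersioning", "s3:PutBucketWebsite", "s3:PutLifecycleConfiguration",
    "s3:PutObject", "s3:PutObjectTagging", "s3:PutObjectVersionTagging",
}
SUPPORTED_CONDITIONS = {
    "IpAddress", "NotIpAddress", "StringEquals", "StringNotEquals", "StringEqualsIgnoreCase",
    "StringNotEqualsIgnoreCase", "StringLike", "StringNotLike", "DateGreaterThan",
    "DateGreaterThanEquals", "DateLessThan", "DateLessThanEquals",
}
CONDITION_KEYS = {"aws:SourceIp", "aws:Referer", "aws:CurrentTime", "aws:EpochTime"}
BUCKET_ACTIONS = {"s3:ListBucket"}                                    # need "<BUCKET_NAME>"
OBJECT_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject"}  # need "<BUCKET_NAME>/*"


def as_list(value):
    return value if isinstance(value, list) else [value]


def lint_statement(st, label):
    out = []
    if missing := REQUIRED_KEYS - set(st):
        out.append(f"{label}: missing required element(s) {sorted(missing)}")
    if unknown := set(st) - STATEMENT_KEYS:
        out.append(f"{label}: unknown element(s) {sorted(unknown)}")
    if st.get("Effect") not in EFFECTS:
        out.append(f"{label}: Effect must be Allow or Deny")
    principal = st.get("Principal")
    if "Principal" in st and principal != "*":
        projects = as_list(principal.get("SCW", [])) if isinstance(principal, dict) else []
        if not projects or not all(str(p).startswith("project_id:") for p in projects):
            out.append(f'{label}: Principal must be "*" or {{"SCW": "project_id:<PROJECT_ID>"}}')
    # Expand each Action pattern (wildcards allowed) to the concrete actions it covers
    effective = set()
    for pattern in as_list(st.get("Action", [])):
        hits = {a for a in SUPPORTED_ACTIONS if fnmatchcase(a, str(pattern))}
        if not hits:
            out.append(f"{label}: unsupported action {pattern!r}")
        effective |= hits
    resources = [str(r) for r in as_list(st.get("Resource", []))]
    bucket_level = any(r == "*" or "/" not in r for r in resources)
    object_level = any(r == "*" or r.endswith("/*") for r in resources)
    if effective & BUCKET_ACTIONS and not bucket_level:
        out.append(f'{label}: s3:ListBucket needs the bucket resource "<BUCKET_NAME>"')
    if effective & OBJECT_ACTIONS and not object_level:
        out.append(f'{label}: object actions need an object resource such as "<BUCKET_NAME>/*"')
    for operator, keys in (st.get("Condition") or {}).items():
        if operator not in SUPPORTED_CONDITIONS:
            out.append(f"{label}: unsupported condition operator {operator!r}")
        for key in keys:
            if key not in CONDITION_KEYS:
                out.append(f"{label}: unsupported condition key {key!r}")
    # Review prompt: a public Allow that covers write or delete actions deserves a second look
    if st.get("Effect") == "Allow" and principal == "*" and any(
            a.startswith(("s3:Put", "s3:Delete")) for a in effective):
        out.append(f"{label}: Allow to everyone (*) covers write or delete actions")
    return out


def lint_policy(doc):
    """Return a list of findings; an empty list means the policy passes every check."""
    try:
        policy = json.loads(doc)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    out = []
    if policy.get("Version") != POLICY_VERSION:
        out.append(f"Version must be the constant {POLICY_VERSION!r}")
    if "Id" in policy and not (isinstance(policy["Id"], str) and len(policy["Id"]) <= ID_MAX_LEN):
        out.append(f"Id must be a string of at most {ID_MAX_LEN} characters")
    statements = policy.get("Statement", [])
    if not isinstance(statements, list):
        return out + ["Statement must be an array"]
    for i, st in enumerate(statements):
        out += lint_statement(st, st.get("Sid") or f"statement[{i}]")
    return out


# Constructed inputs: "my-bucket" and "project_id:example-project" are placeholders
GOOD_POLICY = """{
  "Version": "2012-10-17", "Id": "MyBucketPolicy",
  "Statement": [{"Sid": "Delegate access", "Effect": "Allow",
    "Principal": {"SCW": "project_id:example-project"},
    "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": ["my-bucket", "my-bucket/*"]}]
}"""
BAD_POLICY = """{
  "Version": "2008-10-17", "Id": "Broken",
  "Statement": [
    {"Sid": "List without bucket resource", "Effect": "allow",
     "Principal": {"SCW": "project_id:example-project"},
     "Action": ["s3:ListBucket", "s3:GetBucketAcl"], "Resource": "my-bucket/*"},
    {"Sid": "Public write", "Effect": "Allow", "Principal": "*", "Action": "s3:*",
     "Resource": "*", "Condition": {"Bool": {"aws:SecureTransport": "true"}}}
  ]
}"""

if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, lint_policy(doc) or "OK")
```

Running the script reports no findings for GOOD_POLICY and seven for BAD_POLICY: the wrong Version, a lowercase Effect, an action that is not in the supported list, s3:ListBucket without the bucket resource, an unsupported condition operator and key, and a public Allow that covers every write and delete action. Running such a check in CI before the policy is attached catches these before the policy engine does.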

Condition

  • Condition:

    Description: The Condition element allows you to specify conditions under which a statement is in effect.

    Required: No

    Parent: Statement

Supported Conditions
IpAddress
NotIpAddress
StringEquals
StringNotEquals
StringEqualsIgnoreCase
StringNotEqualsIgnoreCase
StringLike
StringNotLike
DateGreaterThan
DateGreaterThanEquals
DateLessThan
DateLessThanEquals

Condition Keys:

  • aws:SourceIp
  • aws:Referer
  • aws:CurrentTime
  • aws:EpochTime

Examples:

  • You can use the IpAddress condition to allow actions only for specific IP ranges or addresses.

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET from my instances",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}
  • You can allow access only within a set timeframe by combining the DateGreaterThan and DateLessThan conditions.

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET to <PROJECT_ID> for 10 years",
      "Effect": "Allow",
      "Principal": {
        "SCW": "project_id:<PROJECT_ID>"
      },
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/photos/*"],
      "Condition": {
        "DateGreaterThan": {
          "aws:CurrentTime": "2020-01-01T00:00:00Z"
        },
        "DateLessThan": {
          "aws:CurrentTime": "2030-01-01T00:00:00Z"
        }
      }
    }
  ]
}
  • You can also allow access according to the HTTP Referer header. Note that this header is supplied by the client, so a Referer condition limits casual hotlinking but is not an authentication control.

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Allow access to assets from my website",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": ["<BUCKET_NAME>/assets/*"],
      "Condition": {
        "StringLike": {
          "aws:Referer": "https://console.scaleway.com"
        }
      }
    }
  ]
}
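
To see how Principal, Action, Resource and the condition operators above combine into a decision, the following evaluator is an added example written for this page; it is not Scaleway's policy engine and the evaluation order it uses is an assumption (a request that matches no statement is denied, and a matching Deny statement beats every Allow), since the page does not state one. It implements the IpAddress/NotIpAddress, String* and Date* operators over the four condition keys listed above, treats * in Action and Resource as a wildcard, and runs a request through a constructed policy that merges the three examples above with the Deny sample from the Effect section. The bucket name "my-bucket", the principal "project_id:example-project", the referer "https://www.example.com/*" and all request values are constructed.

```python
"""Offline decision engine for a bucket policy: given a request, answer Allow or Deny (hypothetical)."""
import ipaddress
import json
from datetime import datetime, timezone
from fnmatch import fnmatchcase


def as_list(value):
    return value if isinstance(value, list) else [value]


def parse_time(text):
    """ISO 8601 with a trailing Z, as used for aws:CurrentTime on this page."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def make_request(principal, action, resource, source_ip, when="2024-06-01T00:00:00Z", referer=""):
    """Attributes of one S3 call, keyed by the condition keys that can inspect them."""
    return {"principal": principal, "action": action, "resource": resource,
            "aws:SourceIp": source_ip, "aws:Referer": referer, "aws:CurrentTime": parse_time(when)}


DATE_OPS = {"DateGreaterThan": lambda a, b: a > b, "DateGreaterThanEquals": lambda a, b: a >= b,
            "DateLessThan": lambda a, b: a < b, "DateLessThanEquals": lambda a, b: a <= b}


def condition_holds(operator, key, wanted, req):
    wanted = [str(w) for w in as_list(wanted)]
    if operator in ("IpAddress", "NotIpAddress"):
        ip = ipaddress.ip_address(req["aws:SourceIp"])
        hit = any(ip in ipaddress.ip_network(w, strict=False) for w in wanted)
        return hit if operator == "IpAddress" else not hit
    if operator in DATE_OPS:
        now = req["aws:CurrentTime"]
        if key == "aws:EpochTime":  # seconds since the epoch, compared as UTC datetimes
            targets = [datetime.fromtimestamp(int(w), tz=timezone.utc) for w in wanted]
        else:
            targets = [parse_time(w) for w in wanted]
        return all(DATE_OPS[operator](now, t) for t in targets)
    if operator.startswith("String"):
        actual = str(req.get(key, ""))
        negate, fold = "Not" in operator, operator.endswith("IgnoreCase")
        if fold:
            actual, wanted = actual.lower(), [w.lower() for w in wanted]
        if operator in ("StringLike", "StringNotLike"):
            hit = any(fnmatchcase(actual, w) for w in wanted)  # * and ? wildcards
        else:
            hit = actual in wanted
        return hit != negate
    raise ValueError(f"unsupported condition operator {operator!r}")


def statement_matches(st, req):
    principal = st["Principal"]
    if principal != "*" and req["principal"] not in as_list(principal.get("SCW", [])):
        return False
    if not any(fnmatchcase(req["action"], p) for p in as_list(st["Action"])):
        return False
    if not any(fnmatchcase(req["resource"], p) for p in as_list(st["Resource"])):
        return False
    return all(condition_holds(op, key, wanted, req)
               for op, keys in (st.get("Condition") or {}).items()
               for key, wanted in keys.items())


def evaluate(policy, req):
    """Assumed ordering: nothing matching -> Deny; any matching Deny beats every Allow."""
    decision = "Deny"
    for st in policy["Statement"]:
        if statement_matches(st, req):
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


# Constructed policy: "my-bucket" and "project_id:example-project" are placeholders
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17", "Id": "MyBucketPolicy",
  "Statement": [
    {"Sid": "Grant List and GET from my instances", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": ["my-bucket", "my-bucket/*"],
     "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}}},
    {"Sid": "Grant PUT to project for 10 years", "Effect": "Allow",
     "Principal": {"SCW": "project_id:example-project"},
     "Action": "s3:PutObject", "Resource": "my-bucket/photos/*",
     "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2020-01-01T00:00:00Z"},
                   "DateLessThan": {"aws:CurrentTime": "2030-01-01T00:00:00Z"}}},
    {"Sid": "Allow assets from my website", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "my-bucket/assets/*",
     "Condition": {"StringLike": {"aws:Referer": "https://www.example.com/*"}}},
    {"Sid": "Deny DELETE to everyone", "Effect": "Deny", "Principal": "*",
     "Action": "s3:DeleteObject", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICY, make_request("project_id:other", "s3:GetObject",
                                               "my-bucket/readme.txt", "192.0.2.10")))
```

Two details worth noticing when running it: the Deny statement wins even for a request that also matches the IP-based Allow, and the Referer example uses a trailing * in the StringLike value, which is what makes it match any page under the site rather than the single URL a value without a wildcard would match.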
