Bucket Policy is a resource-based policy option. It allows users to grant access to buckets to other Scaleway projects and organizations.
By default, all S3 resources in a project are private and can be accessed only by users of the project. To grant access to outside users, a policy file can be added to a bucket via an API call or the AWS-CLI.
Bucket policies use a JSON-based access policy language.
In this documentation, you will learn about the specifications of the JSON strings that compose a policy. These include:
Statement is an array that defines the rules that should be respected by our policy engine.Version:
Description: IAM syntax version
Required: Yes
Type: const
Value: “2012-10-17”
Sample:
{
"Version": "2012-10-17",
"Id": "MyBucketPolicy",
"Statement": [
{
"Sid": "Delegate access",
"Effect":"Allow",
"Principal": {
"SCW": "project_id:<PROJECT_ID>"
},
"Action": "s3:ListBucket",
"Resource": "<BUCKET_NAME>"
}
]
}
Id:
Description: Information about the policy as a whole. The length is limited to 280 characters.
Required: No
Type: string
Sample:
{
"Version": "2012-10-17",
"Id": "MyBucketPolicy",
"Statement": [
{
"Sid": "Delegate access",
"Effect":"Allow",
"Principal":{
"SCW":"project_id:<PROJECT_ID>"
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
Statement:
Description: Statement is an array that defines the rules that should be respected by our policy engine.
Children: Sid, Principal, Action, Effect and Resource
Required: No
Type: array
Samples:
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Delegate access",
"Effect":"Allow",
"Principal":{
"SCW":"project_id:<PROJECT_ID>"
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Delegate access to project",
"Effect":"Allow",
"Principal":{
"SCW":"project_id:<PROJECT_ID>"
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
},
{
"Sid": "Delegate PUT to project bis",
"Effect":"Allow",
"Principal":{
"SCW":"project_id:<PROJECT_ID_BIS>"
},
"Action":"s3:PutObject",
"Resource":"<BUCKET_NAME>/*"
}
]
}
Sid:
Description: Provides a way to include information about an individual statement.
Required: No
Parent: Statement
Type: string
Sample:
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant list to <PROJECT_ID>",
"Effect":"Allow",
"Principal":{
"SCW":"project_id:<PROJECT_ID>"
},
"Action":"s3:ListBucket",
"Resource":"<BUCKET_NAME>"
}
]
}
Principal:
Description: Provides a way to specify a principal using the ProjectID of a Scaleway Project. Note that you can use * to grant access to “everyone”.
Required: Yes
Parent: Statement
Sample:
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to everyone",
"Effect":"Allow",
"Principal":"*",
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to <PROJECT_ID>",
"Effect":"Allow",
"Principal":{
"SCW":"project_id:<PROJECT_ID>"
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to <PROJECT_ID> and < PROJECT_ID_BIS>",
"Effect":"Allow",
"Principal":{
"SCW":[
"project_id:<PROJECT_ID>",
"project_id:<PROJECT_ID_BIS>"
]
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
Action:
Description: Consists of S3 namespace, a colon, and the name of an action. Action names can include wildcards represented by *.
Required: Yes
Parent: Statement
| Supported Actions |
* |
s3:* |
s3:AbortMultipartUpload |
s3:DeleteBucketWebsite |
s3:DeleteObject |
s3:DeleteObjectTagging |
s3:DeleteObjectVersion |
s3:DeleteObjectVersionTagging |
s3:GetBucketTagging |
s3:GetBucketVersioning |
s3:GetBucketWebsite |
s3:GetLifecycleConfiguration |
s3:GetObject |
s3:GetObjectTagging |
s3:GetObjectVersion |
s3:GetObjectVersionTagging |
s3:ListBucket |
s3:ListBucketMultipartUploads |
s3:ListMultipartUploadParts |
s3:PutBucketTagging |
s3:PutBucketVersioning |
s3:PutBucketWebsite |
s3:PutLifecycleConfiguration |
s3:PutObject |
s3:PutObjectTagging |
s3:PutObjectVersionTagging |
Sample:
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to <PROJECT_ID> and < PROJECT_ID_BIS>",
"Effect":"Allow",
"Principal":{
"SCW":[
"project_id:<PROJECT_ID>",
"project_id:<PROJECT_ID_BIS>"
]
},
"Action":"*",
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to <PROJECT_ID> and < PROJECT_ID_BIS>",
"Effect":"Allow",
"Principal":{
"SCW":[
"project_id:<PROJECT_ID>",
"project_id:<PROJECT_ID_BIS>"
]
},
"Action":"s3:*",
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to <PROJECT_ID> and < PROJECT_ID_BIS>",
"Effect":"Allow",
"Principal":{
"SCW":[
"project_id:<PROJECT_ID>",
"project_id:<PROJECT_ID_BIS>"
]
},
"Action":"s3:ListBucket",
"Resource":"<BUCKET_NAME>"
}
]
}
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to <PROJECT_ID> and < PROJECT_ID_BIS>",
"Effect":"Allow",
"Principal":{
"SCW":[
"project_id:<PROJECT_ID>",
"project_id:<PROJECT_ID_BIS>"
]
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
Effect:
Description: Uses Allow or Deny to indicate whether the policy allows or denies access.
Required: Yes
Parent: Statement
Sample:
Allow
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to <PROJECT_ID> and <PROJECT_ID_BIS>",
"Effect":"Allow",
"Principal":{
"SCW":[
"project_id:<PROJECT_ID>",
"project_id:<PROJECT_ID_BIS>"
]
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
Deny
{
"Version": "2012-10-17",
"Id": "MyBucketPolicy",
"Statement": [
{
"Sid": "Deny DELETE to everyone",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:DeleteObject",
"Resource": "*"
}
]
}
Resource:
Description: Consists of the S3 resource path.
Required: Yes
Parent: Statement
Sample:
"<BUCKET_NAME>" - Grants access to the bucket, but not to the objects inside. If the s3:ListBucket action is applied, this resource specification is required."<BUCKET_NAME>/*" - Grants access to all objects inside a bucket, but not to the bucket itself. If the s3:PutObject, s3:GetObject and s3:DeleteObject actions are applied, this resource specification is required."<BUCKET_NAME>/<PREFIX>/*" - Grants access only to objects with the specified prefix inside a bucket, but not to the bucket itself. For example, if you apply a bucket policy that specifies "my_files/movie/*" under Resource, you would grant access to all objects with the movie/ prefix, but not to other objects in my_files/ bucket. If the s3:PutObject, s3:GetObject and s3:DeleteObject actions are applied, this resource specification is required.{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to <PROJECT_ID> and < PROJECT_ID_BIS>",
"Effect":"Allow",
"Principal":{
"SCW":[
"project_id:<PROJECT_ID>",
"project_id:<PROJECT_ID_BIS>"
]
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to <PROJECT_ID> and < PROJECT_ID_BIS>",
"Effect":"Allow",
"Principal":{
"SCW":[
"project_id:<PROJECT_ID>",
"project_id:<PROJECT_ID_BIS>"
]
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/photos/*"
]
}
]
}
Condition:
Description: The Condition element allows you specify conditions for when a Policy is in effect.
Required: No
Parent: Statement
| Supported Conditions |
IpAddress |
NotIpAddress |
StringEquals |
StringNotEquals |
StringEqualsIgnoreCase |
StringNotEqualsIgnoreCase |
StringLike |
StringNotLike |
DateGreaterThan |
DateGreaterThanEquals |
DateLessThan |
DateLessThanEquals |
Condition Keys:
aws:SourceIpaws:Refereraws:CurrentTimeaws:EpochTimeExamples:
IpAddress condition to Allow actions for specific IP ranges or addresses.{
"Version": "2012-10-17",
"Id": "MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET from my instances",
"Effect": "Allow",
"Principal": "*",
"Action": ["s3:ListBucket", "s3:GetObject"],
"Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
"Condition": {
"IpAddress": {
"aws:SourceIp": "192.0.2.0/24"
}
}
}
]
}
DateGreaterThan and DateLessThan conditions.{
"Version": "2012-10-17",
"Id": "MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to <PROJECT_ID> for 10 years",
"Effect": "Allow",
"Principal": {
"SCW": "project_id:<PROJECT_ID>"
},
"Action": ["s3:ListBucket", "s3:GetObject"],
"Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/photos/*"],
"Condition": {
"DateGreaterThan": {
"aws:CurrentTime": "2020-01-01T00:00:00Z"
},
"DateLessThan": {
"aws:CurrentTime": "2030-01-01T00:00:00Z"
}
}
}
]
}
HTTP referer.{
"Version": "2012-10-17",
"Id": "MyBucketPolicy",
"Statement": [
{
"Sid": "Allow access to assets from my website",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": ["<BUCKET_NAME>/assets/*"],
"Condition": {
"StringLike": {
"aws:Referer": "https://console.scaleway.com"
}
}
}
]
}