S3 Object Storage - JSON Policy Grammar

Bucket Policy Overview

Bucket Policy is a resource-based policy option. It allows users to grant access to buckets to other Scaleway projects and organizations.

By default, all S3 resources in a project are private and can be accessed only by users of the project. To grant access to outside users, a policy file can be added to a bucket via an API call or the AWS-CLI.

Bucket policies use a JSON-based access policy language.

In this documentation, we show you the general details of the JSON policy grammar.

JSON Policy Grammar

Sample .json policy file:

{
    "Version": "2012-10-17",
    "Id": "Mybucketpolicy",
    "Statement": [
        {
            "Sid": "DelegateAccess",
            "Effect": "Allow",
            "Principal": {
                "SCW": "project_id:<PROJECT_ID>"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}

Policy Strings:

  • Version:

    Description: IAM syntax version

    Required: Yes

    Type: const

    Value: "2012-10-17"

    Sample:

{
    "Version": "2012-10-17",
    "Id": "MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Delegate access",
            "Effect":"Allow",
            "Principal": {
                "SCW": "project_id:<PROJECT_ID>"
            },
            "Action": "s3:ListBucket",
            "Resource": "<BUCKET_NAME>"
        }
    ]
}
  • Id:

    Description: Information about the policy as a whole. The length is limited to 280 characters.

    Required: No

    Type: string

    Sample:

{
    "Version": "2012-10-17",
    "Id": "MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Delegate access",
            "Effect":"Allow",
            "Principal":{
                "SCW":"project_id:<PROJECT_ID>"
            },
            "Action":[
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource":[
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}
  • Statement:

    Description: Statement defines rules to be respected by our policy engine.

    Child: Sid, Principal, Action, Effect and Resource

    Required: No

    Type: array

    Samples:

{
    "Version": "2012-10-17",
    "Id":"MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Delegate access",
            "Effect":"Allow",
            "Principal":{
                "SCW":"project_id:<PROJECT_ID>"
            },
            "Action":[
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource":[
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}
{
    "Version": "2012-10-17",
    "Id":"MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Delegate access to project",
            "Effect":"Allow",
            "Principal":{
                "SCW":"project_id:<PROJECT_ID>"
            },
            "Action":[
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource":[
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        },
        {
            "Sid": "Delegate PUT to project bis",
            "Effect":"Allow",
            "Principal":{
                "SCW":"project_id:<PROJECT_ID_BIS>"
            },
            "Action":"s3:PutObject",
            "Resource":"<BUCKET_NAME>/*"
        }
    ]
}
  • Sid:

    Description: Provides a way to include information about an individual statement.

    Required: No

    Parent: Statement

    Type: string

    Sample:

{
    "Version": "2012-10-17",
    "Id":"MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Grant list to <PROJECT_ID>",
            "Effect":"Allow",
            "Principal":{
                "SCW":"project_id:<PROJECT_ID>"
            },
            "Action":"s3:ListBucket",
            "Resource":"<BUCKET_NAME>"
        }
    ]
}
  • Principal:

    Description: Provides a way to specify a principal using the ProjectID of a Scaleway Project. Note that you can use "*" to grant access to "everyone".

    Required: Yes

    Parent: Statement

    Samples:

{
    "Version": "2012-10-17",
    "Id":"MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Grant List and GET to everyone",
            "Effect":"Allow",
            "Principal":"*",
            "Action":[
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource":[
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}
{
    "Version": "2012-10-17",
    "Id":"MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Grant List and GET to <PROJECT_ID>",
            "Effect":"Allow",
            "Principal":{
                "SCW":"project_id:<PROJECT_ID>"
            },
            "Action":[
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource":[
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}
{
    "Version": "2012-10-17",
    "Id":"MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Grant List and GET to <PROJECT_ID>",
            "Effect":"Allow",
            "Principal":{
                "SCW":[
                    "project_id:<PROJECT_ID>",
                    "project_id:<PROJECT_ID_BIS>"
                ]
            },
            "Action":[
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource":[
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}
  • Action:

    Description: Consists of S3 namespace, a colon, and the name of an action. Action names can include wildcards represented by *.

    Required: Yes

    Parent: Statement

    Important: Currently only the ListBucket, PutObject, GetObject and DeleteObject operations are supported.

    Samples:

{
    "Version": "2012-10-17",
    "Id":"MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Grant List and GET to <PROJECT_ID>",
            "Effect":"Allow",
            "Principal":{
                "SCW":[
                    "project_id:<PROJECT_ID>",
                    "project_id:<PROJECT_ID_BIS>"
                ]
            },
            "Action":"*",
            "Resource":[
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}
{
    "Version": "2012-10-17",
    "Id":"MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Grant List and GET to <PROJECT_ID>",
            "Effect":"Allow",
            "Principal":{
                "SCW":[
                    "project_id:<PROJECT_ID>",
                    "project_id:<PROJECT_ID_BIS>"
                ]
            },
            "Action":"s3:*",
            "Resource":[
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}
{
    "Version": "2012-10-17",
    "Id":"MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Grant List and GET to <PROJECT_ID>",
            "Effect":"Allow",
            "Principal":{
                "SCW":[
                    "project_id:<PROJECT_ID>",
                    "project_id:<PROJECT_ID_BIS>"
                ]
            },
            "Action":"s3:ListBucket",
            "Resource":"<BUCKET_NAME>"
        }
    ]
}
{
    "Version": "2012-10-17",
    "Id":"MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Grant List and GET to <PROJECT_ID>",
            "Effect":"Allow",
            "Principal":{
                "SCW":[
                    "project_id:<PROJECT_ID>",
                    "project_id:<PROJECT_ID_BIS>"
                ]
            },
            "Action":[
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource":[
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}
  • Effect:

    Description: Uses Allow or Deny to indicate whether the policy allows or denies access. Currently, only Allow is supported at Scaleway.

    Required: Yes

    Parent: Statement

    Sample:

{
    "Version": "2012-10-17",
    "Id":"MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Grant List and GET to <PROJECT_ID>",
            "Effect":"Allow",
            "Principal":{
                "SCW":[
                    "project_id:<PROJECT_ID>",
                    "project_id:<PROJECT_ID_BIS>"
                ]
            },
            "Action":[
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource":[
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}
  • Resource:

    Description: Consists of the S3 resource path.

    Required: Yes

    Parent: Statement

    Samples:

  • "<BUCKET_NAME>" - Grants access to the bucket itself, but not to the objects inside it. This resource is required whenever the s3:ListBucket action is applied.
  • "<BUCKET_NAME>/*" - Grants access to all objects inside the bucket, but not to the bucket itself. An object-level resource of this form is required whenever the s3:PutObject, s3:GetObject or s3:DeleteObject actions are applied.
  • "<BUCKET_NAME>/<PREFIX>/*" - Grants access only to objects whose key starts with the given prefix, but not to the bucket itself. For example, a bucket policy that specifies "my_files/movie/*" under Resource grants access to all objects with the movie/ prefix, but not to the other objects in the my_files bucket. Like "<BUCKET_NAME>/*", this form provides the object-level resource that the s3:PutObject, s3:GetObject and s3:DeleteObject actions require.
{
    "Version": "2012-10-17",
    "Id":"MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Grant List and GET to <PROJECT_ID>",
            "Effect":"Allow",
            "Principal":{
                "SCW":[
                    "project_id:<PROJECT_ID>",
                    "project_id:<PROJECT_ID_BIS>"
                ]
            },
            "Action":[
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource":[
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}
{
    "Version": "2012-10-17",
    "Id":"MyBucketPolicy",
    "Statement": [
        {
            "Sid": "Grant List and GET to <PROJECT_ID>",
            "Effect":"Allow",
            "Principal":{
                "SCW":[
                    "project_id:<PROJECT_ID>",
                    "project_id:<PROJECT_ID_BIS>"
                ]
            },
            "Action":[
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource":[
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/photos/*"
            ]
        }
    ]
}
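The rules above (constant Version, Id length, Allow-only Effect, the "*" or SCW Principal forms, the four supported actions and their wildcards, and the bucket-level versus object-level Resource requirement) are easy to get wrong by hand. The following linter, an added example that is not Scaleway's own tooling or part of this documentation, encodes them so a policy file can be checked before it is uploaded with the API or the AWS CLI. It also flags a "*" Principal as a warning, since that is the line that turns a private bucket into a public one. Two things are assumptions rather than statements from the page: that a project ID is UUID-shaped, and that the sample policies embedded below (constructed for illustration, with made-up project IDs) are representative.

```python
"""Lint a Scaleway S3 bucket policy against the JSON grammar on this page.
Added example, not Scaleway's own tooling. Assumed: project IDs are UUID-shaped
(the page only shows the project_id:<PROJECT_ID> placeholder)."""
import json
import re

POLICY_VERSION = "2012-10-17"
SUPPORTED_ACTIONS = {"s3:ListBucket", "s3:PutObject", "s3:GetObject", "s3:DeleteObject"}
BUCKET_ACTIONS = {"s3:ListBucket"}                    # need the "<BUCKET_NAME>" resource
OBJECT_ACTIONS = SUPPORTED_ACTIONS - BUCKET_ACTIONS   # need a "<BUCKET_NAME>/..." resource
PRINCIPAL_RE = re.compile(r"^project_id:[0-9a-f-]+$")  # assumption: UUID-like project id


def _as_list(value):
    """Action, Resource and SCW may each be a single string or an array."""
    return value if isinstance(value, list) else [value]


def expand_actions(actions):
    """Resolve the "*" and "s3:*" wildcards to the concrete supported actions."""
    out = set()
    for action in _as_list(actions):
        out |= SUPPORTED_ACTIONS if action in ("*", "s3:*") else {action}
    return out


def validate_policy(policy, bucket):
    """Return a list of problems; an empty list means the policy is well-formed.
    Review findings that are not grammar errors (a public principal) are
    prefixed with WARN so the caller can decide whether they block deployment."""
    problems = []
    if policy.get("Version") != POLICY_VERSION:
        problems.append(f"Version must be the constant {POLICY_VERSION!r}")
    if "Id" in policy and (not isinstance(policy["Id"], str) or len(policy["Id"]) > 280):
        problems.append("Id must be a string of at most 280 characters")
    statements = policy.get("Statement", [])
    if not isinstance(statements, list):
        return problems + ["Statement must be an array"]

    for i, st in enumerate(statements):
        where = f"Statement[{i}] ({st.get('Sid', 'no Sid')})"
        for key in ("Effect", "Principal", "Action", "Resource"):
            if key not in st:
                problems.append(f"{where}: missing required key {key}")
        if st.get("Effect") != "Allow":
            problems.append(f"{where}: Effect must be Allow (Deny is not supported)")

        principal = st.get("Principal")
        if principal == "*":
            problems.append(f"WARN {where}: Principal * grants access to everyone")
        elif isinstance(principal, dict) and "SCW" in principal:
            for p in _as_list(principal["SCW"]):
                if not PRINCIPAL_RE.match(str(p)):
                    problems.append(f"{where}: bad principal {p!r}, expected project_id:<PROJECT_ID>")
        elif "Principal" in st:
            problems.append(f"{where}: Principal must be \"*\" or {{\"SCW\": ...}}")

        actions = expand_actions(st.get("Action", []))
        unsupported = actions - SUPPORTED_ACTIONS
        if unsupported:
            problems.append(f"{where}: unsupported actions {sorted(unsupported)}")

        # Bucket-level resource is the bare name; object-level is "<bucket>/<prefix>/*".
        resources = _as_list(st.get("Resource", []))
        has_bucket = bucket in resources
        has_objects = any(r.startswith(bucket + "/") and r.endswith("/*") for r in resources)
        for r in resources:
            if r != bucket and not r.startswith(bucket + "/"):
                problems.append(f"{where}: resource {r!r} is not in bucket {bucket!r}")
        if actions & BUCKET_ACTIONS and not has_bucket:
            problems.append(f"{where}: s3:ListBucket requires the {bucket!r} resource")
        if actions & OBJECT_ACTIONS and not has_objects:
            problems.append(f"{where}: object actions require a {bucket + '/*'!r}-style resource")
    return problems


def validate_policy_text(text, bucket):
    """Same check on the raw file contents; a JSON syntax error is reported as a problem."""
    try:
        return validate_policy(json.loads(text), bucket)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]


# Constructed samples (made-up project IDs), not policies from the documentation.
SAMPLE_OK = {
    "Version": "2012-10-17", "Id": "MyBucketPolicy",
    "Statement": [
        {"Sid": "Grant List and GET to two projects", "Effect": "Allow",
         "Principal": {"SCW": ["project_id:11111111-2222-3333-4444-555555555555",
                               "project_id:66666666-7777-8888-9999-000000000000"]},
         "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": ["my-bucket", "my-bucket/photos/*"]},
        {"Sid": "Delegate PUT", "Effect": "Allow",
         "Principal": {"SCW": "project_id:11111111-2222-3333-4444-555555555555"},
         "Action": "s3:PutObject", "Resource": "my-bucket/*"},
    ],
}
SAMPLE_BAD = {
    "Version": "2008-10-17", "Id": "x",
    "Statement": [{"Sid": "Public", "Effect": "Deny", "Principal": "*",
                   "Action": ["s3:ListBucket", "s3:GetBucketAcl"],
                   "Resource": "my-bucket/*"}],
}

if __name__ == "__main__":
    for name, policy in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(name, validate_policy(policy, "my-bucket") or "OK")
```

Running the file prints nothing but "OK" for the first sample and five findings for the second (wrong Version, Deny, the public-principal warning, an unsupported action, and ListBucket without the bucket-level resource). The bucket name is passed in separately on purpose: the Resource entries are checked against the bucket the policy is about to be attached to, which catches a policy copied from another bucket without its names being updated.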
