Bucket Policy is a resource-based policy option. It allows users to grant access to their buckets to other Scaleway projects and organizations.
By default, all S3 resources in a project are private and can be accessed only by users of that project. To grant access to outside users, a policy file can be attached to a bucket via an API call or the AWS CLI.
Bucket policies use a JSON-based access policy language.
This documentation describes the general structure of the JSON policy grammar: the top-level fields, the fields of each statement, and the resource forms each action requires.
Sample .json policy file:

{
  "Version": "2012-10-17",
  "Id": "Mybucketpolicy",
  "Statement": [
    {
      "Sid": "DelegateAccess",
      "Effect": "Allow",
      "Principal": {
        "SCW": "project_id:<PROJECT_ID>"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "<BUCKET_NAME>",
        "<BUCKET_NAME>/*"
      ]
    }
  ]
}
Policy Strings:

Version:
Description: IAM syntax version
Required: Yes
Type: const
Value: "2012-10-17"
Sample:

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Delegate access",
      "Effect": "Allow",
      "Principal": {
        "SCW": "project_id:<PROJECT_ID>"
      },
      "Action": "s3:ListBucket",
      "Resource": "<BUCKET_NAME>"
    }
  ]
}
Id:
Description: Information about the policy as a whole. The length is limited to 280 characters.
Required: No
Type: string
Sample:

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Delegate access",
      "Effect": "Allow",
      "Principal": {
        "SCW": "project_id:<PROJECT_ID>"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "<BUCKET_NAME>",
        "<BUCKET_NAME>/*"
      ]
    }
  ]
}
Statement:
Description: Statement defines the rules to be respected by our policy engine.
Child: Sid, Principal, Action, Effect and Resource
Required: No
Type: array
Samples:

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Delegate access",
      "Effect": "Allow",
      "Principal": {
        "SCW": "project_id:<PROJECT_ID>"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "<BUCKET_NAME>",
        "<BUCKET_NAME>/*"
      ]
    }
  ]
}

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Delegate access to project",
      "Effect": "Allow",
      "Principal": {
        "SCW": "project_id:<PROJECT_ID>"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "<BUCKET_NAME>",
        "<BUCKET_NAME>/*"
      ]
    },
    {
      "Sid": "Delegate PUT to project bis",
      "Effect": "Allow",
      "Principal": {
        "SCW": "project_id:<PROJECT_ID_BIS>"
      },
      "Action": "s3:PutObject",
      "Resource": "<BUCKET_NAME>/*"
    }
  ]
}
Sid:
Description: Provides a way to include information about an individual statement.
Required: No
Parent: Statement
Type: string
Sample:

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant list to <PROJECT_ID>",
      "Effect": "Allow",
      "Principal": {
        "SCW": "project_id:<PROJECT_ID>"
      },
      "Action": "s3:ListBucket",
      "Resource": "<BUCKET_NAME>"
    }
  ]
}
Principal:
Description: Provides a way to specify a principal using the Project ID of a Scaleway Project. Note that you can use * to grant access to "everyone".
Required: Yes
Parent: Statement
Samples:

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET to everyone",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "<BUCKET_NAME>",
        "<BUCKET_NAME>/*"
      ]
    }
  ]
}

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET to <PROJECT_ID>",
      "Effect": "Allow",
      "Principal": {
        "SCW": "project_id:<PROJECT_ID>"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "<BUCKET_NAME>",
        "<BUCKET_NAME>/*"
      ]
    }
  ]
}

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET to <PROJECT_ID>",
      "Effect": "Allow",
      "Principal": {
        "SCW": [
          "project_id:<PROJECT_ID>",
          "project_id:<PROJECT_ID_BIS>"
        ]
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "<BUCKET_NAME>",
        "<BUCKET_NAME>/*"
      ]
    }
  ]
}
Action:
Description: Consists of the S3 namespace, a colon, and the name of an action. Action names can include wildcards represented by *.
Required: Yes
Parent: Statement
Important: Currently only the ListBucket, PutObject, GetObject and DeleteObject operations are supported.
Samples:

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET to <PROJECT_ID>",
      "Effect": "Allow",
      "Principal": {
        "SCW": [
          "project_id:<PROJECT_ID>",
          "project_id:<PROJECT_ID_BIS>"
        ]
      },
      "Action": "*",
      "Resource": [
        "<BUCKET_NAME>",
        "<BUCKET_NAME>/*"
      ]
    }
  ]
}

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET to <PROJECT_ID>",
      "Effect": "Allow",
      "Principal": {
        "SCW": [
          "project_id:<PROJECT_ID>",
          "project_id:<PROJECT_ID_BIS>"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "<BUCKET_NAME>",
        "<BUCKET_NAME>/*"
      ]
    }
  ]
}

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET to <PROJECT_ID>",
      "Effect": "Allow",
      "Principal": {
        "SCW": [
          "project_id:<PROJECT_ID>",
          "project_id:<PROJECT_ID_BIS>"
        ]
      },
      "Action": "s3:ListBucket",
      "Resource": "<BUCKET_NAME>"
    }
  ]
}

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET to <PROJECT_ID>",
      "Effect": "Allow",
      "Principal": {
        "SCW": [
          "project_id:<PROJECT_ID>",
          "project_id:<PROJECT_ID_BIS>"
        ]
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "<BUCKET_NAME>",
        "<BUCKET_NAME>/*"
      ]
    }
  ]
}
Effect:
Description: Uses Allow or Deny to indicate whether the policy allows or denies access. Currently, only Allow is supported at Scaleway.
Required: Yes
Parent: Statement
Sample:

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET to <PROJECT_ID>",
      "Effect": "Allow",
      "Principal": {
        "SCW": [
          "project_id:<PROJECT_ID>",
          "project_id:<PROJECT_ID_BIS>"
        ]
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "<BUCKET_NAME>",
        "<BUCKET_NAME>/*"
      ]
    }
  ]
}
Resource:
Description: Consists of the S3 resource path.
Required: Yes
Parent: Statement
Accepted forms:
"<BUCKET_NAME>" - Grants access to the bucket, but not to the objects inside. If the s3:ListBucket action is applied, this resource specification is required.
"<BUCKET_NAME>/*" - Grants access to all objects inside a bucket, but not to the bucket itself. If the s3:PutObject, s3:GetObject and s3:DeleteObject actions are applied, this resource specification is required.
"<BUCKET_NAME>/<PREFIX>/*" - Grants access only to objects with the specified prefix inside a bucket, but not to the bucket itself. For example, if you apply a bucket policy that specifies "my_files/movie/*" under Resource, you would grant access to all objects with the movie/ prefix, but not to other objects in the my_files/ bucket. If the s3:PutObject, s3:GetObject and s3:DeleteObject actions are applied, this resource specification is required.
Samples:

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET to <PROJECT_ID>",
      "Effect": "Allow",
      "Principal": {
        "SCW": [
          "project_id:<PROJECT_ID>",
          "project_id:<PROJECT_ID_BIS>"
        ]
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "<BUCKET_NAME>",
        "<BUCKET_NAME>/*"
      ]
    }
  ]
}

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET to <PROJECT_ID>",
      "Effect": "Allow",
      "Principal": {
        "SCW": [
          "project_id:<PROJECT_ID>",
          "project_id:<PROJECT_ID_BIS>"
        ]
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "<BUCKET_NAME>",
        "<BUCKET_NAME>/photos/*"
      ]
    }
  ]
}
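As an added example (not part of the Scaleway documentation or its tooling), the following Python linter checks a policy file against the grammar described above before it is attached to a bucket: the constant Version, the 280-character Id limit, the required statement fields, the Allow-only Effect, the project_id principal form, the four supported actions (with wildcard patterns such as "*" or "s3:Get*" expanded against that list, which goes slightly beyond the page's "*" and "s3:*" samples), and the rule that s3:ListBucket needs the bucket resource while object actions need a "<BUCKET_NAME>/..." resource. A Principal of "*" is reported as a warning rather than an error, since the grammar allows it but it makes the resource reachable by everyone. The bucket name, project ID and sample policy are constructed placeholders.

```python
import fnmatch
import json

SUPPORTED_ACTIONS = {"s3:ListBucket", "s3:PutObject", "s3:GetObject", "s3:DeleteObject"}
OBJECT_ACTIONS = SUPPORTED_ACTIONS - {"s3:ListBucket"}


def _as_list(value):  # most fields accept either one string or a list of strings
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json, bucket):
    """Check a policy against the grammar documented above; returns (level, message) findings."""
    policy = json.loads(policy_json)
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append(("ERROR", "Version must be the constant 2012-10-17"))
    if len(policy.get("Id", "")) > 280:
        findings.append(("ERROR", "Id is limited to 280 characters"))
    for i, stmt in enumerate(policy.get("Statement", [])):
        sid = stmt.get("Sid", f"statement {i}")
        findings += [("ERROR", f"{sid}: missing required field {k}")
                     for k in ("Effect", "Principal", "Action", "Resource") if k not in stmt]
        if stmt.get("Effect") != "Allow":
            findings.append(("ERROR", f"{sid}: only Effect Allow is supported"))
        principal = stmt.get("Principal")
        if principal == "*":  # valid, but it makes the resource reachable by everyone
            findings.append(("WARN", f"{sid}: Principal * grants access to everyone"))
        elif not isinstance(principal, dict) or not all(
                p.startswith("project_id:") for p in _as_list(principal.get("SCW", [""]))):
            findings.append(("ERROR", f"{sid}: Principal must be * or SCW project_id:<id>"))
        patterns = _as_list(stmt.get("Action", []))  # may hold wildcards: "*", "s3:*", "s3:Get*"
        actions = {a for p in patterns for a in fnmatch.filter(SUPPORTED_ACTIONS, p)}
        findings += [("ERROR", f"{sid}: unsupported action {p}") for p in patterns
                     if not fnmatch.filter(SUPPORTED_ACTIONS, p)]
        resources = set(_as_list(stmt.get("Resource", [])))
        if "s3:ListBucket" in actions and bucket not in resources:
            findings.append(("ERROR", f"{sid}: s3:ListBucket needs the resource {bucket}"))
        if actions & OBJECT_ACTIONS and not any(r.startswith(bucket + "/") for r in resources):
            findings.append(("ERROR", f"{sid}: object actions need a {bucket}/... resource"))
    return findings


# Constructed sample: a public read on one prefix, plus a Deny that the grammar does not support.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Id": "MyBucketPolicy", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "my-bucket/public/*"},
    {"Sid": "NoDelete", "Effect": "Deny", "Principal": {"SCW": "project_id:1111"},
     "Action": "s3:DeleteObject", "Resource": "my-bucket"}]})
```

Running lint_policy(SAMPLE_POLICY, "my-bucket") yields one warning for the public principal and two errors for the second statement (Deny, and an object action whose only resource is the bucket itself).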