Sharing Object Storage buckets in read-only mode
Before you start
To complete the actions presented below, you must have:
- Owner status or IAM permissions allowing you to perform actions in the intended Organization
It is possible to implement a bucket policy to grant a Scaleway organization or project viewing rights to a bucket in a different project.
For example, you are logged in to Organization A and you have a bucket (A1) inside Project A. You wish to share the bucket in read-only mode with users in Organization B, Project B.
To do so, you have to apply a policy to bucket A1 that grants access to Organization B or Project B and include which API calls they are allowed to make.
To guarantee that they can only view contents, include "s3:ListBucket" and "s3:GetObject" under Action in the bucket-policy.json file you create.
Specify which resources they can access under Resource:
"<BUCKET_NAME>"- Grants access to the bucket, but not to the objects inside. If thes3:ListBucketaction is applied, this resource specification is required."<BUCKET_NAME>/*"- Grants access to all objects inside a bucket, but not to the bucket itself. If thes3:GetObjectactions is applied, this resource specification is required."<BUCKET_NAME>/<PREFIX>/*"- Grants access only to objects with the specified prefix inside a bucket, but not to the bucket itself. For example, if you apply a bucket policy that specifies"my_files/movie/*"under Resource, you would grant access to all objects with themovie/prefix, but not to other objects inmy_files/bucket. If thes3:GetObjectactions is applied, this resource specification is required.
Apply the policy using the PutBucketPolicy API call or run the following aws-cli command:
You can provide the user in Organization B with the name of your bucket. If the policy is correctly applied, they will be able to see bucket A1 included in their bucket list when running List_Buckets. If they know the name of an object, they can view their details by running Get_Object.