Jump toUpdate content
Understanding bucket policies
If you have activated IAM, you may need certain IAM permissions to carry out some actions described on this page. This means:
- you are the Owner of the Scaleway Organization in which the actions will be carried out, or
- you are an IAM user of the Organization, with a policy granting you the necessary permission sets
A bucket policy is a resource-based policy option. It allows users to grant access to buckets in other Scaleway projects and organizations.
By default, all Object Storage resources in a project are private and can be accessed only by users of said project. Adding a bucket policy to a bucket allows you to grant access to outside users. You can use different combinations of the policy's component strings to customize your permissions for different purposes as required.
Bucket policies use a JSON-based access policy language and are composed of strings, such as: Version
, Id
, Statement
, Sid
, Principal
, Action
, Effect
, Resource
and Condition
.
Version
- Description
- IAM syntax version
- Required
- Yes
- Type
- const
- Value
- “2012-10-17”
Sample:
{
"Version": "2012-10-17",
"Id": "MyBucketPolicy",
"Statement": [
{
"Sid": "Delegate access",
"Effect":"Allow",
"Principal": {
"SCW": "project_id:<PROJECT_ID>"
},
"Action": "s3:ListBucket",
"Resource": "<BUCKET_NAME>"
}
]
}
Id
- Description
- Information about the policy as a whole. The length is limited to 280 characters.
- Required
- No
- Type
- string
Sample
{
"Version": "2012-10-17",
"Id": "MyBucketPolicy",
"Statement": [
{
"Sid": "Delegate access",
"Effect":"Allow",
"Principal":{
"SCW":"project_id:<PROJECT_ID>"
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
Statement
- Description
Statement
is an array that defines the rules that should be respected by our policy engine.- Children
Sid
,Principal
,Action
,Effect
andResource
- Required
- No
- Type
- array
Samples
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Delegate access",
"Effect":"Allow",
"Principal":{
"SCW":"project_id:<PROJECT_ID>"
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Delegate access to project",
"Effect":"Allow",
"Principal":{
"SCW":"project_id:<PROJECT_ID>"
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
},
{
"Sid": "Delegate PUT to project bis",
"Effect":"Allow",
"Principal":{
"SCW":"project_id:<PROJECT_ID_BIS>"
},
"Action":"s3:PutObject",
"Resource":"<BUCKET_NAME>/*"
}
]
}
Sid
- Description
- Provides a way to include information about an individual statement.
- Required
- No
- Parent
- Statement
- Type
- string
Sample
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant list to <PROJECT_ID>",
"Effect":"Allow",
"Principal":{
"SCW":"project_id:<PROJECT_ID>"
},
"Action":"s3:ListBucket",
"Resource":"<BUCKET_NAME>"
}
]
}
Principal
- Description
- Provides a way to specify a principal using the ProjectID of a Scaleway Project. Note that you can use
*
to grant access to “everyone”. - Required
- Yes
- Parent
Statement
Sample
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to everyone",
"Effect":"Allow",
"Principal":"*",
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to <PROJECT_ID>",
"Effect":"Allow",
"Principal":{
"SCW":"project_id:<PROJECT_ID>"
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to <PROJECT_ID> and < PROJECT_ID_BIS>",
"Effect":"Allow",
"Principal":{
"SCW":[
"project_id:<PROJECT_ID>",
"project_id:<PROJECT_ID_BIS>"
]
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
Action
- Description
- Consists of S3 namespace, a colon, and the name of an action. Action names can include wildcards represented by
*
. - Required
- Yes
- Parent
Statement
Sample
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to <PROJECT_ID> and < PROJECT_ID_BIS>",
"Effect":"Allow",
"Principal":{
"SCW":[
"project_id:<PROJECT_ID>",
"project_id:<PROJECT_ID_BIS>"
]
},
"Action":"*",
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
Supported actions
*
s3:*
s3:AbortMultipartUpload
s3:DeleteBucketWebsite
s3:DeleteObject
s3:DeleteObjectTagging
s3:DeleteObjectVersion
s3:DeleteObjectVersionTagging
s3:GetBucketTagging
s3:GetBucketVersioning
s3:GetBucketWebsite
s3:GetLifecycleConfiguration
s3:GetObject
s3:GetObjectTagging
s3:GetObjectVersion
s3:GetObjectVersionTagging
s3:ListBucket
s3:ListBucketMultipartUploads
s3:ListMultipartUploadParts
s3:PutBucketTagging
s3:PutBucketVersioning
s3:PutBucketWebsite
s3:PutLifecycleConfiguration
s3:PutObject
s3:PutObjectTagging
s3:PutObjectVersionTagging
Effect
- Description
- Uses Allow or Deny to indicate whether the policy allows or denies access.
- Required
- Yes
- Parent
Statement
Sample
- Allow
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to <PROJECT_ID> and <PROJECT_ID_BIS>",
"Effect":"Allow",
"Principal":{
"SCW":[
"project_id:<PROJECT_ID>",
"project_id:<PROJECT_ID_BIS>"
]
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
- Deny
{
"Version": "2012-10-17",
"Id": "MyBucketPolicy",
"Statement": [
{
"Sid": "Deny DELETE to everyone",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:DeleteObject",
"Resource": "*"
}
]
}
Resource
- Description
- Consists in the S3 resource path.
- Required
- Yes
- Parent
Statement
Sample
"<BUCKET_NAME>"
- Grants access to the bucket, but not to the objects inside. If thes3:ListBucket
action is applied, this resource specification is required."<BUCKET_NAME>/*"
- Grants access to all objects inside a bucket, but not to the bucket itself. If thes3:PutObject
,s3:GetObject
ands3:DeleteObject
actions are applied, this resource specification is required."<BUCKET_NAME>/<PREFIX>/*"
- Grants access only to objects with the specified prefix inside a bucket, but not to the bucket itself. For example, if you apply a bucket policy that specifies"my_files/movie/*"
under Resource, you would grant access to all objects with themovie/
prefix, but not to other objects inmy_files/
bucket. If thes3:PutObject
,s3:GetObject
ands3:DeleteObject
actions are applied, this resource specification is required.
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to <PROJECT_ID> and < PROJECT_ID_BIS>",
"Effect":"Allow",
"Principal":{
"SCW":[
"project_id:<PROJECT_ID>",
"project_id:<PROJECT_ID_BIS>"
]
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to <PROJECT_ID> and < PROJECT_ID_BIS>",
"Effect":"Allow",
"Principal":{
"SCW":[
"project_id:<PROJECT_ID>",
"project_id:<PROJECT_ID_BIS>"
]
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/photos/*"
]
}
]
}
Condition
- Description
- The
Condition
element allows you specify conditions for when a Policy is in effect. - Required
- No
- Parent
Statement
- Condition Keys
aws:SourceIp
,aws:Referer
,aws:CurrentTime
,aws:EpochTime
Examples
- You can use the
IpAddress
condition toAllow
actions for specific IP ranges or addresses.
{
"Version": "2012-10-17",
"Id": "MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET from my Instances",
"Effect": "Allow",
"Principal": "*",
"Action": ["s3:ListBucket", "s3:GetObject"],
"Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
"Condition": {
"IpAddress": {
"aws:SourceIp": "192.0.2.0/24"
}
}
}
]
}
- You can allow access only within a set timeframe, by implementing the
DateGreaterThan
andDateLessThan
conditions.
{
"Version": "2012-10-17",
"Id": "MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to <PROJECT_ID> for 10 years",
"Effect": "Allow",
"Principal": {
"SCW": "project_id:<PROJECT_ID>"
},
"Action": ["s3:ListBucket", "s3:GetObject"],
"Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/photos/*"],
"Condition": {
"DateGreaterThan": {
"aws:CurrentTime": "2020-01-01T00:00:00Z"
},
"DateLessThan": {
"aws:CurrentTime": "2030-01-01T00:00:00Z"
}
}
}
]
}
- You can also allow access according to the
HTTP
referer.
{
"Version": "2012-10-17",
"Id": "MyBucketPolicy",
"Statement": [
{
"Sid": "Allow access to assets from my website",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": ["<BUCKET_NAME>/assets/*"],
"Condition": {
"StringLike": {
"aws:Referer": "https://console.scaleway.com"
}
}
}
]
}
Supported conditions
IpAddress
NotIpAddress
StringEquals
StringNotEquals
StringEqualsIgnoreCase
StringNotEqualsIgnoreCase
StringLike
StringNotLike
DateGreaterThan
DateGreaterThanEquals
DateLessThan
DateLessThanEquals