
Bucket policies overview

Reviewed on 17 June 2024. Published on 17 February 2021.

What are bucket policies

A bucket policy is a resource-based policy option. It allows you to grant more granular access to Object Storage resources.

By default, all Object Storage resources in a Project are private and can be accessed only by users or applications with IAM permissions. Adding a bucket policy to a bucket allows you to specify who can perform which actions on a bucket and the objects it contains. You can combine the different elements of a bucket policy to tailor your permissions according to your use case.

The different elements of a bucket policy, described in the sections below, let you configure fine-grained permissions in combination with Identity and Access Management (IAM).

Bucket policies are handled like objects: they are uploaded, or "put", into the bucket they govern. Once put, a bucket policy takes immediate effect and from then on defines who can access the bucket and which actions they can perform on it and on the objects it contains.

Important
  • You will lose access to your bucket if you are not the owner of the Organization and the bucket policy does not explicitly allow you.
  • The owner of the Organization can always put and delete bucket policies, even if the bucket policy does not allow them to perform any other bucket operation.
  • Each bucket can have only one bucket policy.
  • Putting a new bucket policy on a bucket overwrites the existing one; policies are not merged.

Bucket policy versions

Version ID    Lifecycle status
2023-04-17    Current
2012-10-17    Deprecated

  • The 2012-10-17 version is deprecated, and its usage is strongly discouraged.

  • With the 2023-04-17 version, a request is permitted only if the action is explicitly allowed by the bucket policy and the principal is also allowed by an IAM policy. Everything that is not explicitly allowed is denied, so Deny statements have no effect.

Bucket policy description

Bucket policies use a JSON-based access policy language and are composed of the following elements: Version, Id, Statement, Sid, Principal, Action, Effect, Resource, and Condition.

Version

Description
IAM syntax version
Required
Yes
Type
const
Value
"2023-04-17"

Sample

{
  "Version": "2023-04-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Delegate access",
      "Effect": "Allow",
      "Principal": {
        "SCW": "user_id:<USER_ID>"
      },
      "Action": "s3:ListBucket",
      "Resource": "<BUCKET_NAME>"
    }
  ]
}
Note

Refer to the documentation on bucket policy versions for more information.

Id

Description
Information about the policy as a whole. The length is limited to 280 characters.
Required
No
Type
string

Sample

{
  "Version": "2023-04-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Delegate access",
      "Effect": "Allow",
      "Principal": {
        "SCW": "application_id:<APPLICATION_ID>"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "<BUCKET_NAME>",
        "<BUCKET_NAME>/*"
      ]
    }
  ]
}

Statement

Description
The Statement array holds the rules that the policy engine evaluates; each entry is one statement.
Children
Sid, Principal, Action, Effect, Resource and Condition
Required
No
Type
array

Samples

{
  "Version": "2023-04-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Delegate access",
      "Effect": "Allow",
      "Principal": {
        "SCW": "user_id:<USER_ID>"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "<BUCKET_NAME>",
        "<BUCKET_NAME>/*"
      ]
    },
    {
      "Sid": "Delegate PUT to application",
      "Effect": "Allow",
      "Principal": {
        "SCW": "application_id:<APPLICATION_ID>"
      },
      "Action": "s3:PutObject",
      "Resource": "<BUCKET_NAME>/*"
    }
  ]
}

{
  "Version": "2023-04-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Delegate access to user",
      "Effect": "Allow",
      "Principal": {
        "SCW": "user_id:<USER_ID>"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "<BUCKET_NAME>",
        "<BUCKET_NAME>/*"
      ]
    },
    {
      "Sid": "Delegate PUT to application",
      "Effect": "Allow",
      "Principal": {
        "SCW": "application_id:<APPLICATION_ID>"
      },
      "Action": "s3:PutObject",
      "Resource": "<BUCKET_NAME>/*"
    }
  ]
}

Sid

Description
Provides a way to include information about an individual statement.
Required
No
Parent
Statement
Type
string

Sample

{
  "Version": "2023-04-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant list to user",
      "Effect": "Allow",
      "Principal": {
        "SCW": "user_id:<USER_ID>"
      },
      "Action": "s3:ListBucket",
      "Resource": "<BUCKET_NAME>"
    }
  ]
}

Effect

Description
Uses the Allow value to authorize the specified actions. Every action that is not explicitly allowed is denied, so Deny statements have no effect.
Required
Yes
Parent
Statement

Sample

{
  "Version": "2023-04-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET to user and application",
      "Effect": "Allow",
      "Principal": {
        "SCW": [
          "user_id:<USER_ID>",
          "application_id:<APPLICATION_ID>"
        ]
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "<BUCKET_NAME>",
        "<BUCKET_NAME>/*"
      ]
    }
  ]
}

Principal

Description
Defines the targets of the bucket policy, which can be users or applications. Use user_id:<USER_ID> and/or application_id:<APPLICATION_ID>, or * to grant access to everyone. A statement whose Principal is * and which carries no Condition grants the listed actions to any requester, so only use * without a Condition for content that is meant to be public.
Required
Yes
Parent
Statement
Important

To grant access to Object Storage resources through a bucket policy, you must always name the principal (user or application) a statement applies to, even if that principal is the Owner of the Organization. An Owner who is not granted access to resources by the policy still has the inherent right to create and edit bucket policies, and can therefore add themselves as a principal at any time.

Sample

{
  "Version": "2023-04-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET to everyone",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "<BUCKET_NAME>",
        "<BUCKET_NAME>/*"
      ]
    }
  ]
}

{
  "Version": "2023-04-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET to user",
      "Effect": "Allow",
      "Principal": {
        "SCW": "user_id:<USER_ID>"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "<BUCKET_NAME>",
        "<BUCKET_NAME>/*"
      ]
    }
  ]
}

{
  "Version": "2023-04-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET to user and application",
      "Effect": "Allow",
      "Principal": {
        "SCW": [
          "user_id:<USER_ID>",
          "application_id:<APPLICATION_ID>"
        ]
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "<BUCKET_NAME>",
        "<BUCKET_NAME>/*"
      ]
    }
  ]
}

Action

Description
Consists of the s3 namespace, a colon, and the name of an action, for example s3:GetObject. Action names can include the * wildcard, and * or s3:* alone grants every supported action.
Required
Yes
Parent
Statement

Sample

{
  "Version": "2023-04-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant all actions to user and application",
      "Effect": "Allow",
      "Principal": {
        "SCW": [
          "user_id:<USER_ID>",
          "application_id:<APPLICATION_ID>"
        ]
      },
      "Action": "*",
      "Resource": [
        "<BUCKET_NAME>",
        "<BUCKET_NAME>/*"
      ]
    }
  ]
}

Supported actions

Supported global actions
  • *
  • s3:*
Supported bucket actions
  • s3:DeleteBucketWebsite
  • s3:GetBucketAcl
  • s3:GetBucketCORS
  • s3:GetBucketLocation
  • s3:GetBucketObjectLockConfiguration
  • s3:GetBucketTagging
  • s3:GetBucketVersioning
  • s3:GetBucketWebsite
  • s3:GetLifecycleConfiguration
  • s3:ListBucket
  • s3:ListBucketMultipartUploads
  • s3:ListBucketVersions
  • s3:PutBucketAcl
  • s3:PutBucketCORS
  • s3:PutBucketObjectLockConfiguration
  • s3:PutBucketTagging
  • s3:PutBucketVersioning
  • s3:PutBucketWebsite
  • s3:PutLifecycleConfiguration
Supported object actions
  • s3:AbortMultipartUpload
  • s3:DeleteObject
  • s3:DeleteObjectTagging
  • s3:DeleteObjectVersion
  • s3:DeleteObjectVersionTagging
  • s3:GetObject
  • s3:GetObjectAcl
  • s3:GetObjectLegalHold
  • s3:GetObjectRetention
  • s3:GetObjectTagging
  • s3:GetObjectVersion
  • s3:GetObjectVersionTagging
  • s3:ListMultipartUploadParts
  • s3:PutObject
  • s3:PutObjectACL
  • s3:PutObjectLegalHold
  • s3:PutObjectRetention
  • s3:PutObjectTagging
  • s3:PutObjectVersionTagging
  • s3:RestoreObject

Resource

Description
The S3 resource path: the bucket name, optionally followed by an object path or prefix pattern.
Required
Yes
Parent
Statement

Sample

  • <BUCKET_NAME> - Grants access to the bucket itself, but not to the objects inside it. This resource is required when granting s3:ListBucket.
  • <BUCKET_NAME>/* - Grants access to all objects inside the bucket, but not to the bucket itself. This resource is required when granting s3:PutObject, s3:GetObject or s3:DeleteObject.
  • <BUCKET_NAME>/<PREFIX>/* - Grants access only to objects under the specified prefix inside the bucket, but not to the bucket itself.
{
  "Version": "2023-04-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET to user and application",
      "Effect": "Allow",
      "Principal": {
        "SCW": [
          "user_id:<USER_ID>",
          "application_id:<APPLICATION_ID>"
        ]
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "<BUCKET_NAME>",
        "<BUCKET_NAME>/*"
      ]
    }
  ]
}

{
  "Version": "2023-04-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET to user and application",
      "Effect": "Allow",
      "Principal": {
        "SCW": [
          "user_id:<USER_ID>",
          "application_id:<APPLICATION_ID>"
        ]
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "<BUCKET_NAME>",
        "<BUCKET_NAME>/photos/*"
      ]
    }
  ]
}
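The constraints described above (the Version value, the 280-character Id limit, Allow-only Effect, the Principal format, the supported action list and the action/resource pairing rules), together with the lock-out warning from the Important box, can all be checked mechanically before a policy is put. The Python linter below is an added example, not a Scaleway tool: it takes the policy as a parsed JSON dict plus the principal string of the identity that will perform the put, and returns a list of findings. The bucket name, placeholder IDs and the two sample policies in it are constructed for the demonstration.

```python
# Added example: pre-flight lint for a 2023-04-17 bucket policy, to run before
# you put it. Not Scaleway tooling; it only encodes the rules stated on this page.
import fnmatch

# Supported actions as listed above, grouped as the page groups them.
_BUCKET = ("DeleteBucketWebsite GetBucketAcl GetBucketCORS GetBucketLocation "
           "GetBucketObjectLockConfiguration GetBucketTagging GetBucketVersioning "
           "GetBucketWebsite GetLifecycleConfiguration ListBucket ListBucketMultipartUploads "
           "ListBucketVersions PutBucketAcl PutBucketCORS PutBucketObjectLockConfiguration "
           "PutBucketTagging PutBucketVersioning PutBucketWebsite PutLifecycleConfiguration")
_OBJECT = ("AbortMultipartUpload DeleteObject DeleteObjectTagging DeleteObjectVersion "
           "DeleteObjectVersionTagging GetObject GetObjectAcl GetObjectLegalHold "
           "GetObjectRetention GetObjectTagging GetObjectVersion GetObjectVersionTagging "
           "ListMultipartUploadParts PutObject PutObjectACL PutObjectLegalHold "
           "PutObjectRetention PutObjectTagging PutObjectVersionTagging RestoreObject")
SUPPORTED_ACTIONS = {"s3:" + a for a in (_BUCKET + " " + _OBJECT).split()}
# Resource section: these need a <BUCKET_NAME>/... resource; s3:ListBucket needs <BUCKET_NAME>.
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}


def _as_list(value):
    """Policy elements may be one string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """SCW principal strings of a statement; ["*"] means everyone; [] is malformed."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict) and "SCW" in principal:
        return _as_list(principal["SCW"])
    return []


def lint_policy(policy, deployer=None):
    """Return a list of findings; an empty list means every check passed.

    deployer is the user_id:/application_id: string of the identity that will
    put the policy. If no statement grants it anything you are warned, since
    only the Organization owner keeps access regardless of the policy.
    """
    findings = []
    if policy.get("Version") != "2023-04-17":
        findings.append('Version must be "2023-04-17"; 2012-10-17 is deprecated')
    if len(str(policy.get("Id", ""))) > 280:
        findings.append("Id is longer than 280 characters")
    deployer_covered = False
    for i, st in enumerate(policy.get("Statement", [])):
        where = f"Statement[{i}] {st.get('Sid', '(no Sid)')!r}"
        if st.get("Effect") != "Allow":
            findings.append(f"{where}: Effect must be Allow; a Deny statement grants nothing")
        principals = _principals(st)
        if not principals:
            findings.append(f'{where}: Principal must be "*" or {{"SCW": ...}}')
        for p in principals:
            if p != "*" and not p.startswith(("user_id:", "application_id:")):
                findings.append(f"{where}: malformed principal {p!r}")
            if p == "*" or p == deployer:
                deployer_covered = True
        if "*" in principals and "Condition" not in st:
            findings.append(f'{where}: Principal "*" with no Condition makes this grant public')
        resources = _as_list(st.get("Resource", []))
        has_bucket_res = any("/" not in r for r in resources)
        has_object_res = any("/" in r for r in resources)
        for action in _as_list(st.get("Action", [])):
            if action in ("*", "s3:*"):
                continue  # global wildcards are always valid
            if "*" in action:
                if not fnmatch.filter(SUPPORTED_ACTIONS, action):
                    findings.append(f"{where}: wildcard {action!r} matches no supported action")
            elif action not in SUPPORTED_ACTIONS:
                findings.append(f"{where}: unsupported action {action!r}")
            elif action == "s3:ListBucket" and not has_bucket_res:
                findings.append(f"{where}: s3:ListBucket needs the bare <BUCKET_NAME> resource")
            elif action in OBJECT_ACTIONS and not has_object_res:
                findings.append(f"{where}: {action} needs a <BUCKET_NAME>/... resource")
    if deployer and not deployer_covered:
        findings.append(f"{deployer} is granted nothing: you will lose access to the bucket "
                        "unless you own the Organization")
    return findings


# Constructed samples; the IDs and bucket name are placeholders, not real identifiers.
DEPLOYER = "user_id:11111111-1111-1111-1111-111111111111"
GOOD_POLICY = {
    "Version": "2023-04-17", "Id": "LintDemo",
    "Statement": [{"Sid": "Read for one user", "Effect": "Allow",
                   "Principal": {"SCW": DEPLOYER},
                   "Action": ["s3:ListBucket", "s3:GetObject"],
                   "Resource": ["my-bucket", "my-bucket/*"]}],
}
BAD_POLICY = {
    "Version": "2012-10-17", "Id": "LintDemoBad",
    "Statement": [
        {"Sid": "Deny is ignored", "Effect": "Deny", "Principal": {"SCW": DEPLOYER},
         "Action": "s3:DeleteObject", "Resource": "my-bucket"},
        {"Sid": "Public by accident", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:MakeCoffee"], "Resource": "my-bucket/*"},
    ],
}

if __name__ == "__main__":
    print(lint_policy(BAD_POLICY, DEPLOYER))
```

Load your policy file with json.load and run lint_policy on it before calling the API; a non-empty result means the policy should be fixed first. The linter cannot tell you whether IAM also allows the principal, which the page states is a separate requirement, and a passing lint does not replace testing the policy against the requests you expect it to refuse.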

Condition

Description
The Condition element lets you specify the conditions under which a statement applies. Every condition in a statement must be satisfied for that statement to grant anything.
Required
No
Parent
Statement
Condition keys
aws:SourceIp, aws:Referer, aws:CurrentTime, aws:EpochTime, s3:prefix

Examples

  • You can use the IpAddress condition to allow actions only from specific IP addresses or ranges. Combined with Principal "*", as below, any requester coming from the listed range is allowed.
{
  "Version": "2023-04-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET from my Instances",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}
  • You can allow access only within a set timeframe by combining the DateGreaterThan and DateLessThan conditions.
{
  "Version": "2023-04-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET to user for 10 years",
      "Effect": "Allow",
      "Principal": {
        "SCW": "user_id:<USER_ID>"
      },
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/photos/*"],
      "Condition": {
        "DateGreaterThan": {
          "aws:CurrentTime": "2020-01-01T00:00:00Z"
        },
        "DateLessThan": {
          "aws:CurrentTime": "2030-01-01T00:00:00Z"
        }
      }
    }
  ]
}
  • You can also allow access according to the HTTP Referer header. The Referer is set by the client and is trivially forged, so this condition deters casual hotlinking but is not an access control on its own.
{
  "Version": "2023-04-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Allow access to assets from my website",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": ["<BUCKET_NAME>/assets/*"],
      "Condition": {
        "StringLike": {
          "aws:Referer": "https://console.scaleway.com/*"
        }
      }
    }
  ]
}

Supported conditions

  • IpAddress
  • NotIpAddress
  • StringEquals
  • StringNotEquals
  • StringEqualsIgnoreCase
  • StringNotEqualsIgnoreCase
  • StringLike
  • StringNotLike
  • DateGreaterThan
  • DateGreaterThanEquals
  • DateLessThan
  • DateLessThanEquals

Refer to our dedicated documentation for more information on managing bucket permissions for IP addresses or IP ranges.
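To see how the elements above combine at request time, the following Python simulation models the 2023-04-17 evaluation rule described on this page: a request is permitted only when IAM allows the principal and at least one Allow statement matches on Principal, Action, Resource and every Condition. It is an added example, not Scaleway's policy engine, whose internals the page does not describe; the operators it implements are the ones in the supported conditions list, the Action and Resource matching uses * wildcards as described above, and the demo policy, identifiers, bucket name and request contexts are constructed for the example.

```python
# Added example: a simulator for the 2023-04-17 evaluation rule stated above.
# Not Scaleway's engine; it models only what this page documents.
import fnmatch
import ipaddress
import operator
from datetime import datetime, timezone

_DATE_OPS = {"DateGreaterThan": operator.gt, "DateGreaterThanEquals": operator.ge,
             "DateLessThan": operator.lt, "DateLessThanEquals": operator.le}


def _as_list(value):
    """Policy elements may be one string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _to_time(key, value):
    """aws:EpochTime is seconds since the epoch; aws:CurrentTime is ISO 8601."""
    if key == "aws:EpochTime":
        return datetime.fromtimestamp(float(value), tz=timezone.utc)
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))


def _condition_holds(op, key, expected, context):
    """Evaluate one <operator>: {<key>: <value(s)>} entry against the request context."""
    actual = context.get(key)
    if actual is None:            # a condition on a key the request lacks never holds
        return False
    values = _as_list(expected)   # several values under one key: any of them may match
    if op in ("IpAddress", "NotIpAddress"):
        hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(v, strict=False)
                  for v in values)
        return hit if op == "IpAddress" else not hit
    if op in ("StringEquals", "StringNotEquals"):
        hit = actual in values
        return hit if op == "StringEquals" else not hit
    if op in ("StringEqualsIgnoreCase", "StringNotEqualsIgnoreCase"):
        hit = actual.lower() in [v.lower() for v in values]
        return hit if op == "StringEqualsIgnoreCase" else not hit
    if op in ("StringLike", "StringNotLike"):
        hit = any(fnmatch.fnmatchcase(actual, v) for v in values)
        return hit if op == "StringLike" else not hit
    if op in _DATE_OPS:
        return all(_DATE_OPS[op](_to_time(key, actual), _to_time(key, v)) for v in values)
    raise ValueError(f"unsupported condition operator {op!r}")


def _statement_matches(st, principal, action, resource, context):
    """Principal, Action, Resource and every Condition of the statement must match."""
    p = st.get("Principal")
    if p != "*":
        granted = _as_list(p.get("SCW", [])) if isinstance(p, dict) else []
        if principal not in granted:
            return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
        return False
    return all(_condition_holds(op, key, expected, context)
               for op, pairs in st.get("Condition", {}).items()
               for key, expected in pairs.items())


def is_allowed(policy, principal, action, resource, context=None, iam_allows=True):
    """True only if IAM allows the principal AND some Allow statement matches.

    principal is a "user_id:..."/"application_id:..." string, or None for an
    anonymous request; context carries the condition keys (aws:SourceIp, ...).
    iam_allows stands in for the separate IAM decision the page says is required.
    """
    if policy.get("Version") != "2023-04-17":
        raise ValueError("only the current 2023-04-17 version is modelled")
    if not iam_allows:
        return False
    # Only Allow statements grant anything; a Deny statement is simply skipped.
    return any(_statement_matches(st, principal, action, resource, context or {})
               for st in policy.get("Statement", []) if st.get("Effect") == "Allow")


# Constructed demo policy; the IDs and bucket name are placeholders.
USER = "user_id:11111111-1111-1111-1111-111111111111"
DEMO_POLICY = {
    "Version": "2023-04-17", "Id": "EvalDemo",
    "Statement": [
        {"Sid": "User reads photos until 2030", "Effect": "Allow",
         "Principal": {"SCW": USER}, "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": ["my-bucket", "my-bucket/photos/*"],
         "Condition": {"DateLessThan": {"aws:CurrentTime": "2030-01-01T00:00:00Z"}}},
        {"Sid": "Assets readable from one network", "Effect": "Allow",
         "Principal": "*", "Action": "s3:GetObject", "Resource": "my-bucket/assets/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}}},
    ],
}

if __name__ == "__main__":
    print(is_allowed(DEMO_POLICY, USER, "s3:GetObject", "my-bucket/photos/cat.jpg",
                     {"aws:CurrentTime": "2025-06-01T12:00:00Z"}))
```

The simulator is most useful for unit-testing a policy against the requests you expect it to permit and, more importantly, the ones you expect it to refuse (an object outside the granted prefix, a request after the DateLessThan cut-off, a client outside the IpAddress range) before the policy is put. Any disagreement with the live service is a reason to re-read the policy rather than to trust the model.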
