HomeStorageObject StorageAPI/CLI
Understanding bucket policies
Jump toUpdate content

Understanding bucket policies

Reviewed on 13 June 2023Published on 17 February 2021
Security & Identity (IAM):

You may need certain IAM permissions to carry out some actions described on this page. This means:

  • you are the Owner of the Scaleway Organization in which the actions will be carried out, or
  • you are an IAM user of the Organization, with a policy granting you the necessary permission sets

Bucket policies and IAM overview

IAM

Identity and Access Management (IAM) brings a set of features to your Scaleway account, allowing you to control and manage access to your resources. For users of Scaleway Object Storage, this means that besides configuring access via bucket policies, you can use IAM policies to configure permissions.

An IAM policy is used to define the permissions of users, groups and applications in a given Organization. A policy is composed of a principal (the user, group or application to which it applies) and one or more IAM rules (which describe the permission sets the principal should have, and the scope of those permission sets).

Bucket policies

A bucket policy is a resource-based policy option. It allows you to grant more granular access to Object Storage resources.

By default, all Object Storage resources in a Project are private and can be accessed only by users or applications with IAM permissions. Adding a bucket policy to a bucket allows you to specify who can perform which actions on a bucket and the objects it contains. You can use different combinations of the policy's component strings to customize your permissions for different purposes as required.

The different component strings of a bucket policy allow you to configure fine-grained permissions.

Bucket policies behave like objects: they can be uploaded into buckets. Once you upload, or “put”, a bucket policy into a bucket, it takes immediate effect and will from then on define who can access and perform actions on the bucket.

Important:

Each bucket can have only one bucket policy.

Bucket policies description

Bucket policies use a JSON-based access policy language and are composed of strings, such as: Version, Id, Statement, Sid, Principal, Action, Effect, Resource and Condition.

Version

Description
IAM syntax version
Required
Yes
Type
const
Value
“2023-04-17”

Sample:

{
"Version": "2023-04-17",
"Id": "MyBucketPolicy",
"Statement": [
{
"Sid": "Delegate access",
"Effect":"Allow",
"Principal": {
"SCW": "user_id:<USER_ID>"
},
"Action": "s3:ListBucket",
"Resource": "<BUCKET_NAME>"
}
]
}
Note:

Refer to the documentation on bucket policy versions for more information.

Id

Description
Information about the policy as a whole. The length is limited to 280 characters.
Required
No
Type
string

Sample

{
"Version": "2023-04-17",
"Id": "MyBucketPolicy",
"Statement": [
{
"Sid": "Delegate access",
"Effect":"Allow",
"Principal":{
"SCW":"application_id:<APPLICATION_ID>"
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}

Statement

Description
Statement defines the rules that should be respected by our policy engine.
Children
Sid, Principal, Action, Effect and Resource
Required
No
Type
array

Samples

{
"Version": "2023-04-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Delegate access",
"Effect":"Allow",
"Principal":{
"SCW":"user_id:<USER_ID>"
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
{
"Version": "2023-04-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Delegate access to user",
"Effect":"Allow",
"Principal":{
"SCW":"user_id:<USER_ID>"
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
},
{
"Sid": "Delegate PUT to application",
"Effect":"Allow",
"Principal":{
"SCW":"application_id:<APPLICATION_ID>"
},
"Action":"s3:PutObject",
"Resource":"<BUCKET_NAME>/*"
}
]
}

Sid

Description
Provides a way to include information about an individual statement.
Required
No
Parent
Statement
Type
string

Sample

{
"Version": "2023-04-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant list to user",
"Effect":"Allow",
"Principal":{
"SCW":"user_id:<USER_ID>"
},
"Action":"s3:ListBucket",
"Resource":"<BUCKET_NAME>"
}
]
}

Principal

Description
Provides a way to specify principals, eg. targets of the bucket policies, which can be a user or an application. You must use the user_id and/or application_id, to target these. Note that you can use * to grant access to “everyone”. Before the arrival of IAM principals in a Scaleway bucket policy were defined by the project_id. Now they can either be specified by the user_id or the application_id.
Required
Yes
Parent
Statement
Important:

If you want to use bucket policies to grant access to Object Storage resources, you must always specify to which principal (user or application) you are attributing the policy, even if they are the Owner of the Organization. If the Owner of the Organization does not have access rights to resources via a policy, they still have inherent rights to create and edit bucket policies and can add themselves as principals to a policy anytime.

Sample

{
"Version": "2023-04-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to everyone",
"Effect":"Allow",
"Principal":"*",
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
{
"Version": "2023-04-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to user",
"Effect":"Allow",
"Principal":{
"SCW":"user_id:<USER_ID>"
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
{
"Version": "2023-04-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to user and application",
"Effect":"Allow",
"Principal":{
"SCW":[
"user_id:<USER_ID>",
"application_id:<APPLICATION_ID>"
]
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}

Action

Description
Consists of S3 namespace, a colon, and the name of an action. Action names can include wildcards represented by *.
Required
Yes
Parent
Statement

Sample

{
"Version": "2023-04-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to user and application",
"Effect":"Allow",
"Principal":{
"SCW":[
"user_id:<USER_ID>",
"application_id:<APPLICATION_ID>"
]
},
"Action":"*",
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}

Supported actions

  • *
  • s3:*
  • s3:AbortMultipartUpload
  • s3:DeleteBucketWebsite
  • s3:DeleteObject
  • s3:DeleteObjectTagging
  • s3:DeleteObjectVersion
  • s3:DeleteObjectVersionTagging
  • s3:GetBucketTagging
  • s3:GetBucketVersioning
  • s3:GetBucketWebsite
  • s3:GetLifecycleConfiguration
  • s3:GetObject
  • s3:GetObjectTagging
  • s3:GetObjectVersion
  • s3:GetObjectVersionTagging
  • s3:ListBucket
  • s3:ListBucketMultipartUploads
  • s3:ListMultipartUploadParts
  • s3:PutBucketTagging
  • s3:PutBucketVersioning
  • s3:PutBucketWebsite
  • s3:PutLifecycleConfiguration
  • s3:PutObject
  • s3:PutObjectTagging
  • s3:PutObjectVersionTagging

Effect

Description
Uses Allow or Deny to indicate whether the policy allows or denies access. All actions that are not explicitly allowed, are denied.
Required
Yes
Parent
Statement

Sample

  • Allow
{
"Version": "2023-04-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to user and application",
"Effect":"Allow",
"Principal":{
"SCW":[
"user_id:<USER_ID>",
"application_id:<APPLICATION_ID>"
]
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
  • Deny
{
"Version": "2023-04-17",
"Id": "MyBucketPolicy",
"Statement": [
{
"Sid": "Deny DELETE to everyone",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:DeleteObject",
"Resource": "*"
}
]
}

Resource

Description
Consists in the S3 resource path.
Required
Yes
Parent
Statement

Sample

  • "<BUCKET_NAME>" - Grants access to the bucket, but not to the objects inside. If the s3:ListBucket action is applied, this resource specification is required.
  • "<BUCKET_NAME>/*" - Grants access to all objects inside a bucket, but not to the bucket itself. If the s3:PutObject, s3:GetObject and s3:DeleteObject actions are applied, this resource specification is required.
  • "<BUCKET_NAME>/<PREFIX>/*" - Grants access only to objects with the specified prefix inside a bucket, but not to the bucket itself. For example, if you apply a bucket policy that specifies "my_files/movie/*" under Resource, you would grant access to all objects with the movie/ prefix, but not to other objects in my_files/ bucket. If the s3:PutObject, s3:GetObject and s3:DeleteObject actions are applied, this resource specification is required.
{
"Version": "2023-04-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to user and application",
"Effect":"Allow",
"Principal":{
"SCW":[
"user_id:<USER_ID>",
"application_id:<APPLICATION_ID>"
]
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
{
"Version": "2023-04-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to user and application",
"Effect":"Allow",
"Principal":{
"SCW":[
"user_id:<USER_ID>",
"application_id:<APPLICATION_ID>"
]
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/photos/*"
]
}
]
}

Condition

Description
The Condition element allows you to specify conditions for when a Policy is in effect.
Required
No
Parent
Statement
Condition Keys
  • aws:SourceIp, aws:Referer, aws:CurrentTime, aws:EpochTime
  • Examples

    • You can use the IpAddress condition to Allow actions for specific IP ranges or addresses.
    {
    "Version": "2023-04-17",
    "Id": "MyBucketPolicy",
    "Statement": [
    {
    "Sid": "Grant List and GET from my Instances",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:ListBucket", "s3:GetObject"],
    "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
    "Condition": {
    "IpAddress": {
    "aws:SourceIp": "192.0.2.0/24"
    }
    }
    }
    ]
    }
    • You can allow access only within a set timeframe, by implementing the DateGreaterThan and DateLessThan conditions.
    {
    "Version": "2023-04-17",
    "Id": "MyBucketPolicy",
    "Statement": [
    {
    "Sid": "Grant List and GET to user for 10 years",
    "Effect": "Allow",
    "Principal": {
    "SCW": "user_id:<USER_ID>"
    },
    "Action": ["s3:ListBucket", "s3:GetObject"],
    "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/photos/*"],
    "Condition": {
    "DateGreaterThan": {
    "aws:CurrentTime": "2020-01-01T00:00:00Z"
    },
    "DateLessThan": {
    "aws:CurrentTime": "2030-01-01T00:00:00Z"
    }
    }
    }
    ]
    }
    • You can also allow access according to the HTTP referer.
    {
    "Version": "2023-04-17",
    "Id": "MyBucketPolicy",
    "Statement": [
    {
    "Sid": "Allow access to assets from my website",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": ["<BUCKET_NAME>/assets/*"],
    "Condition": {
    "StringLike": {
    "aws:Referer": "https://console.scaleway.com"
    }
    }
    }
    ]
    }

    Supported conditions

    • IpAddress
    • NotIpAddress
    • StringEquals
    • StringNotEquals
    • StringEqualsIgnoreCase
    • StringNotEqualsIgnoreCase
    • StringLike
    • StringNotLike
    • DateGreaterThan
    • DateGreaterThanEquals
    • DateLessThan
    • DateLessThanEquals
    See Also