Jump toUpdate content
Setting up bucket policies
Reviewed on 15 June 2021 • Published on 17 February 2021
Bucket policy is a resource-based policy option. It allows users to grant access to buckets to other Scaleway projects and organizations.
By default, all S3 resources in a project are private and can be accessed only by users of said project. To grant access to outside users, a policy file can be added to a bucket via an API call or the AWS-CLI.
Bucket policies use a JSON-based access policy language and are composed of strings, such as: Version, Id, Statement, Sid, Principal, Action, Effect, Resource and Condition.
Version
- Description
- IAM syntax version
- Required
- Yes
- Type
- const
- Value
- “2012-10-17”
Sample:
{
"Version": "2012-10-17",
"Id": "MyBucketPolicy",
"Statement": [
{
"Sid": "Delegate access",
"Effect":"Allow",
"Principal": {
"SCW": "project_id:<PROJECT_ID>"
},
"Action": "s3:ListBucket",
"Resource": "<BUCKET_NAME>"
}
]
}
Id
- Description
- Information about the policy as a whole. The length is limited to 280 characters.
- Required
- No
- Type
- string
Sample
{
"Version": "2012-10-17",
"Id": "MyBucketPolicy",
"Statement": [
{
"Sid": "Delegate access",
"Effect":"Allow",
"Principal":{
"SCW":"project_id:<PROJECT_ID>"
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
Statement
- Description
Statementis an array that defines the rules that should be respected by our policy engine.- Children
Sid,Principal,Action,EffectandResource- Required
- No
- Type
- array
Samples
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Delegate access",
"Effect":"Allow",
"Principal":{
"SCW":"project_id:<PROJECT_ID>"
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Delegate access to project",
"Effect":"Allow",
"Principal":{
"SCW":"project_id:<PROJECT_ID>"
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
},
{
"Sid": "Delegate PUT to project bis",
"Effect":"Allow",
"Principal":{
"SCW":"project_id:<PROJECT_ID_BIS>"
},
"Action":"s3:PutObject",
"Resource":"<BUCKET_NAME>/*"
}
]
}
Sid
- Description
- Provides a way to include information about an individual statement.
- Required
- No
- Parent
- Statement
- Type
- string
Sample
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant list to <PROJECT_ID>",
"Effect":"Allow",
"Principal":{
"SCW":"project_id:<PROJECT_ID>"
},
"Action":"s3:ListBucket",
"Resource":"<BUCKET_NAME>"
}
]
}
Principal
- Description
- Provides a way to specify a principal using the ProjectID of a Scaleway Project. Note that you can use
*to grant access to “everyone”. - Required
- Yes
- Parent
Statement
Sample
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to everyone",
"Effect":"Allow",
"Principal":"*",
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to <PROJECT_ID>",
"Effect":"Allow",
"Principal":{
"SCW":"project_id:<PROJECT_ID>"
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to <PROJECT_ID> and < PROJECT_ID_BIS>",
"Effect":"Allow",
"Principal":{
"SCW":[
"project_id:<PROJECT_ID>",
"project_id:<PROJECT_ID_BIS>"
]
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
Action
- Description
- Consists of S3 namespace, a colon, and the name of an action. Action names can include wildcards represented by
*. - Required
- Yes
- Parent
Statement
Sample
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to <PROJECT_ID> and < PROJECT_ID_BIS>",
"Effect":"Allow",
"Principal":{
"SCW":[
"project_id:<PROJECT_ID>",
"project_id:<PROJECT_ID_BIS>"
]
},
"Action":"*",
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
Supported actions
*s3:*s3:AbortMultipartUploads3:DeleteBucketWebsites3:DeleteObjects3:DeleteObjectTaggings3:DeleteObjectVersions3:DeleteObjectVersionTaggings3:GetBucketTaggings3:GetBucketVersionings3:GetBucketWebsites3:GetLifecycleConfigurations3:GetObjects3:GetObjectTaggings3:GetObjectVersions3:GetObjectVersionTaggings3:ListBuckets3:ListBucketMultipartUploadss3:ListMultipartUploadPartss3:PutBucketTaggings3:PutBucketVersionings3:PutBucketWebsites3:PutLifecycleConfigurations3:PutObjects3:PutObjectTaggings3:PutObjectVersionTagging
Effect
- Description
- Uses Allow or Deny to indicate whether the policy allows or denies access.
- Required
- Yes
- Parent
Statement
Sample
- Allow
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to <PROJECT_ID> and <PROJECT_ID_BIS>",
"Effect":"Allow",
"Principal":{
"SCW":[
"project_id:<PROJECT_ID>",
"project_id:<PROJECT_ID_BIS>"
]
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
- Deny
{
"Version": "2012-10-17",
"Id": "MyBucketPolicy",
"Statement": [
{
"Sid": "Deny DELETE to everyone",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:DeleteObject",
"Resource": "*"
}
]
}
Resource
- Description
- Consists in the S3 resource path.
- Required
- Yes
- Parent
Statement
Sample
"<BUCKET_NAME>"- Grants access to the bucket, but not to the objects inside. If thes3:ListBucketaction is applied, this resource specification is required."<BUCKET_NAME>/*"- Grants access to all objects inside a bucket, but not to the bucket itself. If thes3:PutObject,s3:GetObjectands3:DeleteObjectactions are applied, this resource specification is required."<BUCKET_NAME>/<PREFIX>/*"- Grants access only to objects with the specified prefix inside a bucket, but not to the bucket itself. For example, if you apply a bucket policy that specifies"my_files/movie/*"under Resource, you would grant access to all objects with themovie/prefix, but not to other objects inmy_files/bucket. If thes3:PutObject,s3:GetObjectands3:DeleteObjectactions are applied, this resource specification is required.
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to <PROJECT_ID> and < PROJECT_ID_BIS>",
"Effect":"Allow",
"Principal":{
"SCW":[
"project_id:<PROJECT_ID>",
"project_id:<PROJECT_ID_BIS>"
]
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}
{
"Version": "2012-10-17",
"Id":"MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to <PROJECT_ID> and < PROJECT_ID_BIS>",
"Effect":"Allow",
"Principal":{
"SCW":[
"project_id:<PROJECT_ID>",
"project_id:<PROJECT_ID_BIS>"
]
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"<BUCKET_NAME>",
"<BUCKET_NAME>/photos/*"
]
}
]
}
Condition
- Description
- The
Conditionelement allows you specify conditions for when a Policy is in effect. - Required
- No
- Parent
Statement- Condition Keys
aws:SourceIp,aws:Referer,aws:CurrentTime,aws:EpochTime
Examples
- You can use the
IpAddresscondition toAllowactions for specific IP ranges or addresses.
{
"Version": "2012-10-17",
"Id": "MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET from my instances",
"Effect": "Allow",
"Principal": "*",
"Action": ["s3:ListBucket", "s3:GetObject"],
"Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
"Condition": {
"IpAddress": {
"aws:SourceIp": "192.0.2.0/24"
}
}
}
]
}
- You can allow access only within a set timeframe, by implementing the
DateGreaterThanandDateLessThanconditions.
{
"Version": "2012-10-17",
"Id": "MyBucketPolicy",
"Statement": [
{
"Sid": "Grant List and GET to <PROJECT_ID> for 10 years",
"Effect": "Allow",
"Principal": {
"SCW": "project_id:<PROJECT_ID>"
},
"Action": ["s3:ListBucket", "s3:GetObject"],
"Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/photos/*"],
"Condition": {
"DateGreaterThan": {
"aws:CurrentTime": "2020-01-01T00:00:00Z"
},
"DateLessThan": {
"aws:CurrentTime": "2030-01-01T00:00:00Z"
}
}
}
]
}
- You can also allow access according to the
HTTPreferer.
{
"Version": "2012-10-17",
"Id": "MyBucketPolicy",
"Statement": [
{
"Sid": "Allow access to assets from my website",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": ["<BUCKET_NAME>/assets/*"],
"Condition": {
"StringLike": {
"aws:Referer": "https://console.scaleway.com"
}
}
}
]
}
Supported conditions
IpAddressNotIpAddressStringEqualsStringNotEqualsStringEqualsIgnoreCaseStringNotEqualsIgnoreCaseStringLikeStringNotLikeDateGreaterThanDateGreaterThanEqualsDateLessThanDateLessThanEquals
Bucket policy use cases
You can combine the strings in your Bucket Policy in several ways to configure your bucket permissions for different purposes.
Find out more about each one in these tutorials:
- How to import a copy of objects from a bucket in a different project
- How to Manage Bucket Permissions for IP addresses or Ranges of IP
- How to share buckets in read-only mode
See Also