Jump toUpdate content

Setting up bucket policies

Reviewed on 15 June 2021Published on 17 February 2021

Bucket policy is a resource-based policy option. It allows users to grant access to buckets to other Scaleway projects and organizations.

By default, all S3 resources in a project are private and can be accessed only by users of said project. To grant access to outside users, a policy file can be added to a bucket via an API call or the AWS-CLI.

Bucket policies use a JSON-based access policy language and are composed of strings, such as: Version, Id, Statement, Sid, Principal, Action, Effect, Resource and Condition.

Version

Description
IAM syntax version
Required
Yes
Type
const
Value
“2012-10-17”

Sample:

{    "Version": "2012-10-17",    "Id": "MyBucketPolicy",    "Statement": [        {            "Sid": "Delegate access",            "Effect":"Allow",            "Principal": {                "SCW": "project_id:<PROJECT_ID>"            },            "Action": "s3:ListBucket",            "Resource": "<BUCKET_NAME>"        }    ]}

Id

Description
Information about the policy as a whole. The length is limited to 280 characters.
Required
No
Type
string

Sample

{    "Version": "2012-10-17",    "Id": "MyBucketPolicy",    "Statement": [        {            "Sid": "Delegate access",            "Effect":"Allow",            "Principal":{                "SCW":"project_id:<PROJECT_ID>"            },            "Action":[                "s3:ListBucket",                "s3:GetObject"            ],            "Resource":[                "<BUCKET_NAME>",                "<BUCKET_NAME>/*"            ]        }    ]}

Statement

Description
Statement is an array that defines the rules that should be respected by our policy engine.
Children
Sid, Principal, Action, Effect and Resource
Required
No
Type
array

Samples

{    "Version": "2012-10-17",    "Id":"MyBucketPolicy",    "Statement": [        {            "Sid": "Delegate access",            "Effect":"Allow",            "Principal":{                "SCW":"project_id:<PROJECT_ID>"            },            "Action":[                "s3:ListBucket",                "s3:GetObject"            ],            "Resource":[                "<BUCKET_NAME>",                "<BUCKET_NAME>/*"            ]        }    ]}
{        "Version": "2012-10-17",    "Id":"MyBucketPolicy",    "Statement": [        {            "Sid": "Delegate access to project",            "Effect":"Allow",            "Principal":{                "SCW":"project_id:<PROJECT_ID>"            },            "Action":[                "s3:ListBucket",                "s3:GetObject"            ],            "Resource":[                "<BUCKET_NAME>",                "<BUCKET_NAME>/*"            ]        },        {            "Sid": "Delegate PUT to project bis",            "Effect":"Allow",            "Principal":{                "SCW":"project_id:<PROJECT_ID_BIS>"            },            "Action":"s3:PutObject",            "Resource":"<BUCKET_NAME>/*"        }    ]}

Sid

Description
Provides a way to include information about an individual statement.
Required
No
Parent
Statement
Type
string

Sample

{    "Version": "2012-10-17",    "Id":"MyBucketPolicy",    "Statement": [        {            "Sid": "Grant list to <PROJECT_ID>",            "Effect":"Allow",            "Principal":{                "SCW":"project_id:<PROJECT_ID>"            },            "Action":"s3:ListBucket",            "Resource":"<BUCKET_NAME>"        }    ]}

Principal

Description
Provides a way to specify a principal using the ProjectID of a Scaleway Project. Note that you can use * to grant access to “everyone”.
Required
Yes
Parent
Statement

Sample

{    "Version": "2012-10-17",    "Id":"MyBucketPolicy",    "Statement": [        {            "Sid": "Grant List and GET to everyone",            "Effect":"Allow",            "Principal":"*",            "Action":[                "s3:ListBucket",                "s3:GetObject"            ],            "Resource":[                "<BUCKET_NAME>",                "<BUCKET_NAME>/*"            ]        }    ]}
{    "Version": "2012-10-17",    "Id":"MyBucketPolicy",    "Statement": [        {            "Sid": "Grant List and GET to <PROJECT_ID>",            "Effect":"Allow",            "Principal":{                "SCW":"project_id:<PROJECT_ID>"            },            "Action":[                "s3:ListBucket",                "s3:GetObject"            ],            "Resource":[                "<BUCKET_NAME>",                "<BUCKET_NAME>/*"            ]        }    ]}
{    "Version": "2012-10-17",    "Id":"MyBucketPolicy",    "Statement": [        {            "Sid": "Grant List and GET to <PROJECT_ID> and < PROJECT_ID_BIS>",            "Effect":"Allow",            "Principal":{                "SCW":[                    "project_id:<PROJECT_ID>",                    "project_id:<PROJECT_ID_BIS>"                ]            },            "Action":[                "s3:ListBucket",                "s3:GetObject"            ],            "Resource":[                "<BUCKET_NAME>",                "<BUCKET_NAME>/*"            ]        }    ]}

Action

Description
Consists of S3 namespace, a colon, and the name of an action. Action names can include wildcards represented by *.
Required
Yes
Parent
Statement

Sample

{    "Version": "2012-10-17",    "Id":"MyBucketPolicy",    "Statement": [        {            "Sid": "Grant List and GET to <PROJECT_ID> and < PROJECT_ID_BIS>",            "Effect":"Allow",            "Principal":{                "SCW":[                    "project_id:<PROJECT_ID>",                    "project_id:<PROJECT_ID_BIS>"                ]            },            "Action":"*",            "Resource":[                "<BUCKET_NAME>",                "<BUCKET_NAME>/*"            ]        }    ]}

Supported actions

  • *
  • s3:*
  • s3:AbortMultipartUpload
  • s3:DeleteBucketWebsite
  • s3:DeleteObject
  • s3:DeleteObjectTagging
  • s3:DeleteObjectVersion
  • s3:DeleteObjectVersionTagging
  • s3:GetBucketTagging
  • s3:GetBucketVersioning
  • s3:GetBucketWebsite
  • s3:GetLifecycleConfiguration
  • s3:GetObject
  • s3:GetObjectTagging
  • s3:GetObjectVersion
  • s3:GetObjectVersionTagging
  • s3:ListBucket
  • s3:ListBucketMultipartUploads
  • s3:ListMultipartUploadParts
  • s3:PutBucketTagging
  • s3:PutBucketVersioning
  • s3:PutBucketWebsite
  • s3:PutLifecycleConfiguration
  • s3:PutObject
  • s3:PutObjectTagging
  • s3:PutObjectVersionTagging

Effect

Description
Uses Allow or Deny to indicate whether the policy allows or denies access.
Required
Yes
Parent
Statement

Sample

  • Allow
{    "Version": "2012-10-17",    "Id":"MyBucketPolicy",    "Statement": [        {            "Sid": "Grant List and GET to <PROJECT_ID> and <PROJECT_ID_BIS>",            "Effect":"Allow",            "Principal":{                "SCW":[                    "project_id:<PROJECT_ID>",                    "project_id:<PROJECT_ID_BIS>"                ]            },            "Action":[                "s3:ListBucket",                "s3:GetObject"            ],            "Resource":[                "<BUCKET_NAME>",                "<BUCKET_NAME>/*"            ]        }    ]}
  • Deny
{  "Version": "2012-10-17",  "Id": "MyBucketPolicy",  "Statement": [    {      "Sid": "Deny DELETE to everyone",      "Effect": "Deny",      "Principal": "*",      "Action": "s3:DeleteObject",      "Resource": "*"    }  ]}

Resource

Description
Consists in the S3 resource path.
Required
Yes
Parent
Statement

Sample

  • "<BUCKET_NAME>" - Grants access to the bucket, but not to the objects inside. If the s3:ListBucket action is applied, this resource specification is required.
  • "<BUCKET_NAME>/*" - Grants access to all objects inside a bucket, but not to the bucket itself. If the s3:PutObject, s3:GetObject and s3:DeleteObject actions are applied, this resource specification is required.
  • "<BUCKET_NAME>/<PREFIX>/*" - Grants access only to objects with the specified prefix inside a bucket, but not to the bucket itself. For example, if you apply a bucket policy that specifies "my_files/movie/*" under Resource, you would grant access to all objects with the movie/ prefix, but not to other objects in my_files/ bucket. If the s3:PutObject, s3:GetObject and s3:DeleteObject actions are applied, this resource specification is required.
{    "Version": "2012-10-17",    "Id":"MyBucketPolicy",    "Statement": [        {            "Sid": "Grant List and GET to <PROJECT_ID> and < PROJECT_ID_BIS>",            "Effect":"Allow",            "Principal":{                "SCW":[                    "project_id:<PROJECT_ID>",                    "project_id:<PROJECT_ID_BIS>"                ]            },            "Action":[                "s3:ListBucket",                "s3:GetObject"            ],            "Resource":[                "<BUCKET_NAME>",                "<BUCKET_NAME>/*"            ]        }    ]}
{    "Version": "2012-10-17",    "Id":"MyBucketPolicy",    "Statement": [        {            "Sid": "Grant List and GET to <PROJECT_ID> and < PROJECT_ID_BIS>",            "Effect":"Allow",            "Principal":{                "SCW":[                    "project_id:<PROJECT_ID>",                    "project_id:<PROJECT_ID_BIS>"                ]            },            "Action":[                "s3:ListBucket",                "s3:GetObject"            ],            "Resource":[                "<BUCKET_NAME>",                "<BUCKET_NAME>/photos/*"            ]        }    ]}

Condition

Description
The Condition element allows you specify conditions for when a Policy is in effect.
Required
No
Parent
Statement
Condition Keys
  • aws:SourceIp, aws:Referer, aws:CurrentTime, aws:EpochTime
  • Examples

    • You can use the IpAddress condition to Allow actions for specific IP ranges or addresses.
    {  "Version": "2012-10-17",  "Id": "MyBucketPolicy",  "Statement": [    {      "Sid": "Grant List and GET from my instances",      "Effect": "Allow",      "Principal": "*",      "Action": ["s3:ListBucket", "s3:GetObject"],      "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],      "Condition": {        "IpAddress": {          "aws:SourceIp": "192.0.2.0/24"        }      }    }  ]}
    • You can allow access only within a set timeframe, by implementing the DateGreaterThan and DateLessThan conditions.
    {  "Version": "2012-10-17",  "Id": "MyBucketPolicy",  "Statement": [    {      "Sid": "Grant List and GET to <PROJECT_ID> for 10 years",      "Effect": "Allow",      "Principal": {        "SCW": "project_id:<PROJECT_ID>"      },      "Action": ["s3:ListBucket", "s3:GetObject"],      "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/photos/*"],      "Condition": {        "DateGreaterThan": {          "aws:CurrentTime": "2020-01-01T00:00:00Z"        },        "DateLessThan": {          "aws:CurrentTime": "2030-01-01T00:00:00Z"        }      }    }  ]}
    • You can also allow access according to the HTTP referer.
    {  "Version": "2012-10-17",  "Id": "MyBucketPolicy",  "Statement": [    {      "Sid": "Allow access to assets from my website",      "Effect": "Allow",      "Principal": "*",      "Action": "s3:GetObject",      "Resource": ["<BUCKET_NAME>/assets/*"],      "Condition": {        "StringLike": {          "aws:Referer": "https://console.scaleway.com"        }      }    }  ]}

    Supported conditions

    • IpAddress
    • NotIpAddress
    • StringEquals
    • StringNotEquals
    • StringEqualsIgnoreCase
    • StringNotEqualsIgnoreCase
    • StringLike
    • StringNotLike
    • DateGreaterThan
    • DateGreaterThanEquals
    • DateLessThan
    • DateLessThanEquals

    Bucket policy use cases

    You can combine the strings in your Bucket Policy in several ways to configure your bucket permissions for different purposes.

    Find out more about each one in these tutorials:

    See Also