Refer to the Bucket policies description for more details on each string.
Creating and applying a bucket policy
A bucket policy is a resource-based policy option. It allows you to grant more granular access to Object Storage resources.
By default, all Object Storage resources in a Project are private and can be accessed only by users or applications with IAM permissions. Adding a bucket policy to a bucket allows you to specify who can perform which actions on a bucket and the objects it contains. You can combine the different elements of a bucket policy to tailor your permissions according to your use case.
To create and apply a bucket policy from the Scaleway console, refer to the dedicated documentation.
Before you start
To complete the actions presented below, you must have:
- A Scaleway account logged into the console
- Owner status or IAM permissions allowing you to perform actions in the intended Organization
- An Object Storage bucket
- Installed the AWS CLI
- An IAM policy to grant access to your users and applications
How to create a bucket policy
- Create a bucket-policy.json file.
- Open it in a code editor and paste the code below inside. This sample bucket policy contains a statement that only allows the specified user to see the bucket and the objects it contains.

      {
        "Version": "2023-04-17",
        "Id": "MyBucketPolicy",
        "Statement": [
          {
            "Sid": "DelegateAccess",
            "Effect": "Allow",
            "Principal": {
              "SCW": "user_id:<USER_ID>"
            },
            "Action": [
              "s3:ListBucket",
              "s3:GetObject"
            ],
            "Resource": [
              "<BUCKET_NAME>",
              "<BUCKET_NAME>/*"
            ]
          }
        ]
      }

- Replace the <USER_ID> placeholder with the ID of the user to which you want to grant access. You can also grant access to an application.
- Replace the <BUCKET_NAME> placeholders with the name of the concerned bucket. Refer to the resource documentation for more information.
How to apply a bucket policy
Make sure that you have installed the AWS CLI before proceeding.
- Open a terminal and access the folder containing the previously created bucket-policy.json file.
- Run the command below to apply the policy. Make sure to replace <BUCKET_NAME> with the name of your bucket.

      aws s3api put-bucket-policy --bucket <BUCKET_NAME> --policy file://bucket-policy.json

  Important
  - You will lose access to your bucket if you are not the owner of the Organization, and if you are not explicitly allowed by the bucket policy.
  - The owner of the Organization always has the right to put and delete bucket policies, even if they are not allowed to perform other bucket operations by the bucket policy.
  - Each bucket can have only one bucket policy.
  - Pushing a new bucket policy to a bucket overwrites any existing bucket policy.
- Run the command below to display the bucket policy applied to your bucket.

      aws s3api get-bucket-policy --bucket <BUCKET_NAME> --query Policy --output text | jq

  An output similar to the following displays:

      {
        "Version": "2023-04-17",
        "Id": "MyBucketPolicy",
        "Statement": [
          {
            "Sid": "DelegateAccess",
            "Effect": "Allow",
            "Action": [
              "s3:ListBucket",
              "s3:GetObject"
            ],
            "Principal": {
              "SCW": "user_id:f3e2-example-8e51-0fd3299d5d70"
            },
            "Resource": [
              "my-bucket",
              "my-bucket/*"
            ]
          }
        ]
      }
How to delete a bucket policy
To delete a bucket policy, you must have Owner status, or the necessary IAM permissions.
Run the command below to delete the policy of a specific bucket. Replace <BUCKET_NAME> with the name of your bucket.

    aws s3api delete-bucket-policy --bucket <BUCKET_NAME>

Your objects will become accessible to all the users in your organization that have IAM permissions for Object Storage.