NavigationContentFooter
Jump toSuggest an edit

Creating and applying a bucket policy

Reviewed on 27 November 2024Published on 17 January 2021

A bucket policy is a resource-based policy option. It allows you to grant more granular access to Object Storage resources.

By default, all Object Storage resources in a Project are private and can be accessed only by users or applications with IAM permissions. Adding a bucket policy to a bucket allows you to specify who can perform which actions on a bucket and the objects it contains. You can combine the different elements of a bucket policy to tailor your permissions according to your use case.

To create and apply a bucket policy from the Scaleway console, refer to the dedicated documentation.

Before you start

To complete the actions presented below, you must have:

  • A Scaleway account logged into the console
  • Owner status or IAM permissions allowing you to perform actions in the intended Organization
  • An Object Storage bucket
  • Installed the AWS CLI
  • An IAM policy to grant access to your users and applications

How to create a bucket policy

  1. Create a bucket-policy.json file.

  2. Open it in a code editor and paste the code below inside. This sample bucket policy contains a statement that only allows the specified user to see the bucket and the objects it contains.

    {
    "Version": "2023-04-17",
    "Id": "MyBucketPolicy",
    "Statement": [
    {
    "Sid": "DelegateAccess",
    "Effect": "Allow",
    "Principal": {
    "SCW": "user_id:<USER_ID>"
    },
    "Action": [
    "s3:ListBucket",
    "s3:GetObject"
    ],
    "Resource": [
    "<BUCKET_NAME>",
    "<BUCKET_NAME>/*"
    ]
    }
    ]
    }
  3. Replace the <USER_ID> placeholder with the ID of the user to which you want to grant access. You can also grant access to an application.

  4. Replace the <BUCKET_NAME> placeholders with the name of the concerned bucket. Refer to the resource documentation for more information.

Note

Refer to the Bucket policies description for more details on each string.

How to apply a bucket policy

Make sure that you have installed the AWS CLI before proceeding.

  1. Open a terminal and access the folder containing the previously created bucket-policy.json file.

  2. Run the command below to apply the policy. Make sure to replace <BUCKET_NAME> with the name of your bucket.

    aws s3api put-bucket-policy --bucket <BUCKET_NAME> --policy file://bucket-policy.json
    Important
    • You will lose access to your bucket if you are not the owner of the Organization, and if you are not explicitly allowed by the bucket policy.
    • The owner of the Organization always has the right to put and delete bucket policies, even if he is not allowed to perform other bucket operations by the bucket policy.
    • Each bucket can have only one bucket policy.
    • Pushing a new bucket policy to a bucket overwrites any existing bucket policy.
  3. Run the command below to display the bucket policy applied to your bucket.

    aws s3api get-bucket-policy --bucket <BUCKET_NAME> --query Policy --output text | jq

    An output similar to the following displays:

    {
    "Version": "2023-04-17",
    "Id": "MyBucketPolicy",
    "Statement": [
    {
    "Sid": "DelegateAccess",
    "Effect": "Allow",
    "Action": [
    "s3:ListBucket",
    "s3:GetObject"
    ],
    "Principal": {
    "SCW": "user_id:f3e2-example-8e51-0fd3299d5d70"
    },
    "Resource": [
    "my-bucket",
    "my-bucket/*"
    ]
    }
    ]
    }

How to delete a bucket policy

Note

To delete a bucket policy, you must have Owner status, or the necessary IAM permissions.

Run the command below to delete the policy of a specific bucket. Replace <BUCKET_NAME> with the name of your bucket.

aws s3api delete-bucket-policy --bucket <BUCKET_NAME>
Important

Your objects will become accessible to all the users in your organization that have IAM permissions for Object Storage.

Was this page helpful?
API DocsScaleway consoleDedibox consoleScaleway LearningScaleway.comPricingBlogCareers
© 2023-2024 – Scaleway