Creating and applying bucket policies

Creating and applying a bucket policy

Reviewed on 30 October 2023Published on 17 January 2021

A bucket policy is a resource-based policy option. It allows you to grant more granular access to Object Storage resources.

By default, all Object Storage resources in a Project are private and can be accessed only by users or applications with IAM permissions. Adding a bucket policy to a bucket allows you to specify who can perform which actions on a bucket and the objects it contains. You can combine the different elements of a bucket policy to tailor your permissions according to your use case.

Security & Identity (IAM):

You may need certain IAM permissions to carry out some actions described on this page. This means:

  • you are the Owner of the Scaleway Organization in which the actions will be carried out, or
  • you are an IAM user of the Organization, with a policy granting you the necessary permission sets
Requirements:

How to create a bucket policy

  1. Create a bucket-policy.json file.

  2. Open it in a code editor and paste the code below inside. This statement only allows the specified user to list the bucket and read its objects.

    {
      "Version": "2023-04-17",
      "Id": "MyBucketPolicy",
      "Statement": [
        {
          "Sid": "DelegateAccess",
          "Effect": "Allow",
          "Principal": {
            "SCW": "user_id:<USER_ID>"
          },
          "Action": [
            "s3:ListBucket",
            "s3:GetObject"
          ],
          "Resource": [
            "<BUCKET_NAME>",
            "<BUCKET_NAME>/*"
          ]
        }
      ]
    }
  3. Replace the <USER_ID> placeholder with the ID of the user to whom you want to grant access. You can also grant access to an application.

  4. Replace the <BUCKET_NAME> placeholders with the name of the concerned bucket. Refer to the resource documentation for more information.

Note:

Refer to the Bucket policies description for more details on each string.

How to apply a bucket policy

Make sure that you have installed the AWS CLI before proceeding.

  1. Open a terminal and access the folder containing the bucket-policy.json file.

  2. Run the command below to apply the policy. Replace <BUCKET_NAME> with the name of your bucket.

    aws s3api put-bucket-policy --bucket <BUCKET_NAME> --policy file://bucket-policy.json
    Important:
    • You may lose access to your bucket if you are not the owner of the organization and if you are not explicitly allowed by the bucket policy.
    • Each bucket can have only one bucket policy.
    • Pushing a new bucket policy to a bucket overwrites any existing bucket policy.
    • The owner of the Organization always has full rights and access to all resources and features in their Organization.
  3. Run the command below to display the bucket policy applied to your bucket.

    aws s3api get-bucket-policy --bucket <BUCKET_NAME> --query Policy --output text | jq

    An output similar to the following displays:

    {
      "Version": "2023-04-17",
      "Id": "MyBucketPolicy",
      "Statement": [
        {
          "Sid": "DelegateAccess",
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket",
            "s3:GetObject"
          ],
          "Principal": {
            "SCW": "user_id:f3e2-example-8e51-0fd3299d5d70"
          },
          "Resource": [
            "my-bucket",
            "my-bucket/*"
          ]
        }
      ]
    }
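Because pushing a policy overwrites the existing one and can lock a non-owner out, it pays to lint the JSON before running `put-bucket-policy`. The following is an added example, not Scaleway's own tooling: it builds the read-only delegate policy from this page and checks that every resource stays inside the target bucket, that no statement uses a wildcard principal, and that the principal applying the policy keeps an explicit Allow. The `lint_policy` and `build_read_only_policy` names and the constructed user ID are assumptions for the example.

```python
"""Pre-apply lint for a Scaleway Object Storage bucket policy (added example)."""
import json

SCW_POLICY_VERSION = "2023-04-17"          # policy version string used on this page
READ_ONLY_ACTIONS = ["s3:ListBucket", "s3:GetObject"]


def build_read_only_policy(bucket, user_id, sid="DelegateAccess"):
    """Return the list-and-read delegate policy from the page, as a dict."""
    return {
        "Version": SCW_POLICY_VERSION,
        "Id": "MyBucketPolicy",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Principal": {"SCW": f"user_id:{user_id}"},
            "Action": list(READ_ONLY_ACTIONS),
            "Resource": [bucket, f"{bucket}/*"],
        }],
    }


def lint_policy(policy, bucket, applying_principal):
    """Return a list of problems; an empty list means the policy is safe to push."""
    problems = []
    if policy.get("Version") != SCW_POLICY_VERSION:
        problems.append(f"unexpected Version {policy.get('Version')!r}")
    applier_allowed = False
    for i, st in enumerate(policy.get("Statement", [])):
        missing = {"Effect", "Principal", "Action", "Resource"} - st.keys()
        if missing:
            problems.append(f"statement {i} is missing {sorted(missing)}")
            continue
        for res in st["Resource"]:   # resources must be the bucket or keys inside it
            if res != bucket and not res.startswith(bucket + "/"):
                problems.append(f"statement {i} resource {res!r} is outside {bucket!r}")
        p = st["Principal"]          # either "*" or {"SCW": "user_id:..." | [...]}
        scw = p if isinstance(p, str) else p.get("SCW", [])
        scw = [scw] if isinstance(scw, str) else list(scw)
        if "*" in scw:
            problems.append(f"statement {i} grants access to any principal")
        if st["Effect"] == "Allow" and applying_principal in scw:
            applier_allowed = True
    if not applier_allowed:          # a non-owner without an explicit Allow loses access
        problems.append(f"{applying_principal} is not explicitly allowed by this policy")
    return problems


if __name__ == "__main__":
    # constructed sample values; write the result to bucket-policy.json before applying
    policy = build_read_only_policy("my-bucket", "f3e2-example-8e51-0fd3299d5d70")
    print(lint_policy(policy, "my-bucket", "user_id:f3e2-example-8e51-0fd3299d5d70"))
    print(json.dumps(policy, indent=2))
```

Run the lint with the principal you will use to call `aws s3api put-bucket-policy`; an empty list is the only result worth pushing.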