Managing bucket permissions for IP addresses or IP ranges
You can stipulate which IP addresses or IP ranges have access or permission to perform S3 operations on your buckets by creating a bucket policy with the `IpAddress` or `NotIpAddress` conditions.

It is possible to `Allow` actions for a specific IP address or range of IPs, using the `IpAddress` condition and the `aws:SourceIp` condition key.
If you have activated IAM, you may need certain IAM permissions to carry out some actions described on this page. This means:
- you are the Owner of the Scaleway Organization in which the actions will be carried out, or
- you are an IAM user of the Organization, with a policy granting you the necessary permission sets
The `aws:SourceIp` condition key accepts IPv4 and IPv6 values in standard CIDR notation. For IPv6, we support using the double colon (`::`) to represent consecutive groups of zeros.
- You have an account and are logged into the Scaleway console
- You have configured your API keys
- You have created an Object Storage bucket
In the example below, we allow the `192.0.2.0/24` IP range to perform the `s3:ListBucket` and `s3:GetObject` actions.

Replace the example IP addresses with your own before applying your bucket policy, or you might lose access to your bucket.
```json
{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET from my Instances",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}
```
You can obtain the same result by using `Deny` for the actions, with the IP range specified under the `NotIpAddress` condition:
```json
{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET from my Instances",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}
```
Alternatively, you can block specific IP addresses or IP ranges from performing actions on your bucket. One way is to use `NotIpAddress` with the `Allow` effect, which grants the actions only to source addresses outside the listed range:
```json
{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET from my Instances",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "2001:db8::/32"
        }
      }
    }
  ]
}
```
Or pair the `Deny` effect with the `IpAddress` condition, which refuses the actions to source addresses inside the listed range:
```json
{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "Grant List and GET from my Instances",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "2001:db8::/32"
        }
      }
    }
  ]
}
```
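As an added illustration (not Scaleway's own policy evaluator), the script below builds the four single-statement policies shown on this page and evaluates a request's source address against them with real CIDR matching for both IPv4 and IPv6, so you can see what a given address would get before applying the policy. The evaluation order (an explicit `Deny` beats any `Allow`; an unmatched request is left to the platform default) and the names `make_policy`, `source_ip_matches` and `evaluate` are assumptions of this example.

```python
import fnmatch
import ipaddress

def make_policy(effect, operator, cidr):
    """One of the single-statement policies shown on this page.
    effect: "Allow" | "Deny"; operator: "IpAddress" | "NotIpAddress"."""
    return {"Version": "2012-10-17", "Id": "MyBucketPolicy", "Statement": [{
        "Sid": "Grant List and GET from my Instances",
        "Effect": effect,
        "Principal": "*",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/*"],
        "Condition": {operator: {"aws:SourceIp": cidr}},
    }]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def source_ip_matches(condition, source_ip):
    """Evaluate IpAddress / NotIpAddress against aws:SourceIp using CIDR
    matching. A bare address counts as /32 or /128; an IPv4 source never
    falls inside an IPv6 range (and vice versa)."""
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            continue  # other condition operators are outside this page's scope
        nets = [ipaddress.ip_network(c, strict=False)
                for c in _as_list(keys.get("aws:SourceIp", []))]
        in_range = any(ip in net for net in nets)
        if (operator == "IpAddress") != in_range:
            return False
    return True

def evaluate(policy, source_ip, action, resource):
    """Return "Deny", "Allow" or "NoMatch" for one request. Assumed IAM-style
    semantics: an explicit Deny beats any Allow; an unmatched request is left
    to the platform default. Principal is ignored (every example here uses "*")."""
    outcome = "NoMatch"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not source_ip_matches(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny is final
        outcome = "Allow"
    return outcome
```

Calling `evaluate()` with the address you administer the bucket from, for `s3:ListBucket` on the bucket name, is a quick pre-flight check for the lockout warning above.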
Bucket policies use a JSON-based access policy language. You can find more details on the JSON Policy Grammar documentation page.