Update content

Sharing Object Storage buckets in read-only mode

Reviewed on 28 May 2021Published on 19 May 2021

It is possible to implement a bucket policy to grant a Scaleway organization or project viewing rights to a bucket in a different project.

For example, you are logged in to Organization A and you have a bucket (A1) inside Project A. You wish to share the bucket in read-only mode with users in Organization B, Project B.

To do so, you have to apply a policy to bucket A1 that grants access to Organization B or Project B and include which API calls they are allowed to make.

To guarantee that they can only view contents, include "s3:ListBucket" and "s3:GetObject" under Action in the bucket-policy.json file you create.

Specify which resources they can access under Resource:

  • "<BUCKET_NAME>" - Grants access to the bucket, but not to the objects inside. If the s3:ListBucket action is applied, this resource specification is required.
  • "<BUCKET_NAME>/*" - Grants access to all objects inside a bucket, but not to the bucket itself. If the s3:GetObject actions is applied, this resource specification is required.
  • "<BUCKET_NAME>/<PREFIX>/*" - Grants access only to objects with the specified prefix inside a bucket, but not to the bucket itself. For example, if you apply a bucket policy that specifies "my_files/movie/*" under Resource, you would grant access to all objects with the movie/ prefix, but not to other objects in my_files/ bucket. If the s3:GetObject actions is applied, this resource specification is required.
{
"Version": "2012-10-17",
"Id": "Mybucketpolicy",
"Statement": [
{
"Sid": "DelegateAccess",
"Effect": "Allow",
"Principal": {
"SCW": "project_id:<PROJECT_ID>"
},
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"<BUCKET_NAME>",
"<BUCKET_NAME>/*"
]
}
]
}

Apply the policy using the Put Bucket Policy API call or run the following aws-cli command:

$ aws s3api put-bucket-policy --bucket <SOURCE_BUCKET> --profile default_project --policy file://bucket-policy.json

You can provide the user in Organization B with the name of your bucket. If the policy is correctly applied, they will be able to see bucket A1 included in their bucket list when running List_Buckets. If they know the name of an object, they can view their details by running Get_Object.

See Also