Creating and applying a bucket policy

Reviewed on 14 May 2024 • Published on 17 January 2021

A bucket policy is a resource-based policy option. It allows you to grant more granular access to Object Storage resources.

By default, all Object Storage resources in a Project are private and can be accessed only by users or applications with IAM permissions. Adding a bucket policy to a bucket allows you to specify who can perform which actions on a bucket and the objects it contains. You can combine the different elements of a bucket policy to tailor your permissions according to your use case.

To create and apply a bucket policy from the Scaleway console, refer to the dedicated documentation.

Before you start

To complete the actions presented below, you must have:

A Scaleway account logged into the console
Owner status or IAM permissions allowing you to perform actions in the intended Organization
An Object Storage bucket
Installed the AWS CLI
An IAM policy to grant access to your users and applications

How to create a bucket policy

Create a bucket-policy.json file.

Open it in a code editor and paste the code below inside. This statement only allows the specified user to see the bucket and its objects.

{
    "Version": "2023-04-17",
    "Id": "MyBucketPolicy",
    "Statement": [
        {
            "Sid": "DelegateAccess",
            "Effect": "Allow",
            "Principal": {
                "SCW": "user_id:<USER_ID>"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "<BUCKET_NAME>",
                "<BUCKET_NAME>/*"
            ]
        }
    ]
}

Replace the <USER_ID> placeholder with the ID of the user to which you want to grant access. You can also grant access to an application.
Replace the <BUCKET_NAME> placeholders with the name of the concerned bucket. Refer to the resource documentation for more information.

Note

Refer to the Bucket policies description for more details on each string.

How to apply a bucket policy

Make sure that you have installed the AWS CLI before proceeding.

Open a terminal and access the folder containing the bucket-policy.json file.
Run the command below to apply the policy. Replace <BUCKET_NAME> with the name of your bucket.
```
aws s3api put-bucket-policy --bucket <BUCKET_NAME> --policy file://bucket-policy.json
```
Important
- You will lose access to your bucket if you are not the owner of the Organization, and if you are not explicitly allowed by the bucket policy.
- The owner of the Organization always has the right to put and delete bucket policies, even if he is not allowed to perform other bucket operations by the bucket policy.
- Each bucket can have only one bucket policy.
- Pushing a new bucket policy to a bucket overwrites any existing bucket policy.

Run the command below to display the bucket policy applied to your bucket.

aws s3api get-bucket-policy --bucket <BUCKET_NAME> --query Policy --output text | jq

An output similar to the following displays:

{
  "Version": "2023-04-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "DelegateAccess",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Principal": {
        "SCW": "user_id:f3e2-example-8e51-0fd3299d5d70"
      },
      "Resource": [
        "my-bucket",
        "my-bucket/*"
      ]
    }
  ]
}

How to delete a bucket policy

Run the command below to delete the policy of a specific bucket. Replace <BUCKET_NAME> with the name of your bucket.

aws s3api delete-bucket-policy --bucket <BUCKET_NAME>

Important

Your objects will become accessible to all the users in your organization that have IAM permissions for Object Storage.