
Creating and applying a bucket policy

Reviewed on 30 October 2023. Published on 17 January 2021.

A bucket policy is a resource-based policy option. It allows you to grant more granular access to Object Storage resources.

By default, all Object Storage resources in a Project are private and can be accessed only by users or applications with IAM permissions. Adding a bucket policy to a bucket allows you to specify who can perform which actions on a bucket and the objects it contains. You can combine the different elements of a bucket policy to tailor your permissions according to your use case.

Before you start

To complete the actions presented below, you must have:

  • A Scaleway account logged into the console
  • Owner status or IAM permissions allowing you to perform actions in the intended Organization
  • An Object Storage bucket
  • Installed the AWS CLI
  • An IAM policy to grant access to your users and applications

How to create a bucket policy

  1. Create a bucket-policy.json file.

  2. Open it in a code editor and paste the code below inside. This statement only allows the specified user to list the bucket and read its objects; no other principal and no other action is granted.

    {
      "Version": "2023-04-17",
      "Id": "MyBucketPolicy",
      "Statement": [
        {
          "Sid": "DelegateAccess",
          "Effect": "Allow",
          "Principal": {
            "SCW": "user_id:<USER_ID>"
          },
          "Action": [
            "s3:ListBucket",
            "s3:GetObject"
          ],
          "Resource": [
            "<BUCKET_NAME>",
            "<BUCKET_NAME>/*"
          ]
        }
      ]
    }
  3. Replace the <USER_ID> placeholder with the ID of the user to whom you want to grant access. You can also grant access to an application instead of a user.

  4. Replace the <BUCKET_NAME> placeholders with the name of the bucket in question. Refer to the resource documentation for more information.

Note

Refer to the Bucket policies description for more details on each field of the policy document.

How to apply a bucket policy

Make sure that you have installed the AWS CLI before proceeding.

  1. Open a terminal and access the folder containing the bucket-policy.json file.

  2. Run the command below to apply the policy. Replace <BUCKET_NAME> with the name of your bucket.

    aws s3api put-bucket-policy --bucket <BUCKET_NAME> --policy file://bucket-policy.json

    Important

    • You will lose access to your bucket if you are not the owner of the Organization and the bucket policy does not explicitly allow you.
    • The owner of the Organization always has the right to put and delete bucket policies, even if the bucket policy does not allow them to perform other bucket operations.
    • Each bucket can have only one bucket policy.
    • Pushing a new bucket policy to a bucket overwrites any existing bucket policy.
  3. Run the command below to display the bucket policy applied to your bucket.

    aws s3api get-bucket-policy --bucket <BUCKET_NAME> --query Policy --output text | jq

    An output similar to the following displays:

    {
      "Version": "2023-04-17",
      "Id": "MyBucketPolicy",
      "Statement": [
        {
          "Sid": "DelegateAccess",
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket",
            "s3:GetObject"
          ],
          "Principal": {
            "SCW": "user_id:f3e2-example-8e51-0fd3299d5d70"
          },
          "Resource": [
            "my-bucket",
            "my-bucket/*"
          ]
        }
      ]
    }
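The steps above are easy to get wrong in two ways the Important box warns about: a placeholder left unreplaced, or a policy that does not mention the principal who is applying it, which locks a non-owner out of the bucket. The following script is an added example (not part of the Scaleway documentation or tooling) that builds the read-only delegation policy from the create section and lints it before it is handed to `aws s3api put-bucket-policy`. It assumes the `Version`, `user_id:` principal form and `Resource` layout shown on this page; the `application_id:` principal form is an assumption for the application case the page mentions without showing, and the sample user ID is the constructed one from the page's output.

```python
import json
import re

POLICY_VERSION = "2023-04-17"               # version string used by the page's policy
PLACEHOLDER_RE = re.compile(r"<[A-Z_]+>")   # catches unreplaced <USER_ID> / <BUCKET_NAME>
# "user_id:<ID>" comes from the page; "application_id:<ID>" is an assumption for
# the "grant access to an application" case the page mentions but does not show.
PRINCIPAL_RE = re.compile(r"^(user_id|application_id):[A-Za-z0-9-]+$")

# Constructed sample: the read-only delegation from the article, with its example ID.
SAMPLE_POLICY = {
    "Version": POLICY_VERSION,
    "Id": "MyBucketPolicy",
    "Statement": [
        {
            "Sid": "DelegateAccess",
            "Effect": "Allow",
            "Principal": {"SCW": "user_id:f3e2-example-8e51-0fd3299d5d70"},
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": ["my-bucket", "my-bucket/*"],
        }
    ],
}


def _as_list(value):
    """Principal/Resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def build_policy(bucket, principals, actions, sid="DelegateAccess", policy_id="MyBucketPolicy"):
    """Build a single-statement Allow policy scoped to one bucket and its objects."""
    principals = list(principals)
    return {
        "Version": POLICY_VERSION,
        "Id": policy_id,
        "Statement": [
            {
                "Sid": sid,
                "Effect": "Allow",
                # Keep the page's single-string form when only one principal is given.
                "Principal": {"SCW": principals[0] if len(principals) == 1 else principals},
                "Action": list(actions),
                "Resource": [bucket, f"{bucket}/*"],
            }
        ],
    }


def lint_policy(policy, bucket, applying_principal=None, applier_is_owner=False):
    """Return a list of findings; an empty list means the policy passed every check.

    applying_principal is the user_id:/application_id: string of whoever will run
    put-bucket-policy. Unless that identity is the Organization owner, the page's
    Important box says it loses access if no Allow statement names it.
    """
    findings = []
    if policy.get("Version") != POLICY_VERSION:
        findings.append(f"Version should be {POLICY_VERSION!r}, got {policy.get('Version')!r}")
    for placeholder in sorted(set(PLACEHOLDER_RE.findall(json.dumps(policy)))):
        findings.append(f"placeholder {placeholder} was not replaced")

    granted_to_applier = False
    for index, statement in enumerate(policy.get("Statement", [])):
        where = statement.get("Sid", f"Statement[{index}]")
        for resource in _as_list(statement.get("Resource", [])):
            # Every resource must be the bucket itself or a path inside it.
            if resource != bucket and not resource.startswith(bucket + "/"):
                findings.append(f"{where}: Resource {resource!r} is outside bucket {bucket!r}")
        principals = _as_list(statement.get("Principal", {}).get("SCW", []))
        for principal in principals:
            if not PRINCIPAL_RE.match(principal):
                findings.append(f"{where}: Principal {principal!r} is not user_id:<ID> or application_id:<ID>")
        if statement.get("Effect") == "Allow" and applying_principal in principals:
            granted_to_applier = True

    if applying_principal and not applier_is_owner and not granted_to_applier:
        findings.append(
            f"lock-out risk: {applying_principal} is not allowed by any statement and is not the "
            "Organization owner; applying this policy removes its own access to the bucket"
        )
    return findings


def render_policy(policy):
    """Serialise the policy as the content of bucket-policy.json."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(render_policy(SAMPLE_POLICY))
    # Same policy, applied by a different non-owner user: the linter flags the lock-out.
    for finding in lint_policy(SAMPLE_POLICY, "my-bucket", "user_id:another-user"):
        print("finding:", finding)
```

Run the linter with the identity that will execute `put-bucket-policy`; if it reports a lock-out risk, add that identity to an Allow statement (or have the Organization owner apply the policy) before overwriting the bucket's existing policy, since there is no second policy to fall back on.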