- You can only apply a policy to a single bucket, but you can duplicate an existing policy and apply it to another bucket.
- If you change the target bucket of an existing policy, the bucket policy will be removed from the original bucket, and applied to the selected bucket.
How to create and manage bucket policies using the console
Scaleway Object Storage allows you to create bucket policies directly from the Scaleway console.
To create and apply a bucket policy from the AWS CLI, refer to the dedicated documentation.
A bucket policy is a resource-based policy option. It allows you to grant more granular access to Object Storage resources.
By default, all Object Storage resources in a Project are private and can be accessed only by users or applications with IAM permissions. Adding a bucket policy to a bucket allows you to specify who can perform which actions on a bucket and the objects it contains. You can combine the different elements of a bucket policy to tailor your permissions according to your use case.
Before you start
To complete the actions presented below, you must have:
- A Scaleway account logged into the console
- Owner status or IAM permissions allowing you to perform actions in the intended Organization
- Created a bucket
How to create a bucket policy
- Click Object Storage on the left side menu of the console. The Object Storage dashboard displays.
- Click the Bucket policies tab, then click + Create bucket policy. A creation form displays.
- Enter a name for your bucket policy.
- Select the bucket to which you want to apply the policy.
- Select your preferred creation method:
  - The policy generator to add statements using a form.
  - The JSON editor to manually write or paste your bucket policy in a code editor.
  Note: Refer to the dedicated documentation on bucket policies overview and combining IAM and bucket policies for more information on how to build a bucket policy.
- Keep the Maintain access to bucket box ticked to prevent accidental lockout from your bucket. By default, the bucket policy contains a secure statement that allows every action to the user creating the policy.
- Create a statement by entering the following information:
  Policy generator:
  - Enter a unique statement ID (also called Sid) describing the purpose of the statement.
  - Select the types of principals of your bucket policy from the drop-down menu.
  - Select the users and applications you want to grant access to.
  - Select the Actions to allow to the principal(s).
    Tip: To allow different action sets to the different principals, create multiple statements.
  - Select resources by entering the prefix of the objects, followed by /*. Enter * to select every object in the bucket.
  - Add conditions by selecting them from the drop-down menu, and adding a supported key-value pair.
  JSON editor:
  - Enter a unique statement ID (also called Sid) describing the purpose of the statement.
  - Enter the types of principals and the user/application ID you want to grant access to, as shown below:
    "Principal": {"SCW": ["user_id:<USER_ID>", "application_id:<APPLICATION_ID>"]},
  - Enter the Actions to allow to the principal(s) as shown below. Enter s3:* to allow all actions.
    "Action": ["s3:ListBucket", "s3:GetObject"],
    Tip: To allow different action sets to the different principals, create multiple statements.
  - Grant access to resources by entering the prefix of the objects as shown below. Enter * to select every object in the bucket.
    "Resource": ["<BUCKET_NAME>", "<BUCKET_NAME>/photos/*"],
    Note: Add the bucket as a resource to allow operations on the bucket, such as s3:ListBucket.
  - Add conditions as shown below:
    "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2020-01-01T00:00:00Z"}, "StringLike": {"aws:Referer": "https://console.scaleway.com/*"}, "IpAddress": {"aws:SourceIp": "192.0.2.0/24"}}
- (Optional) Click + Add statement, and repeat the previous step to add another statement to your bucket policy.
- Review your bucket policy using the JSON preview.
- Click Create bucket policy to create it, and apply it to the selected bucket.
- You will lose access to your bucket if you are not the owner of the Organization, and if you are not explicitly allowed by the bucket policy.
- The owner of the Organization always has the right to put and delete bucket policies, even if they are not allowed to perform other bucket operations by the bucket policy.
- Each bucket can have only one bucket policy.
- Pushing a new bucket policy to a bucket overwrites any existing bucket policy.
Bucket policy example
Below is an example of a bucket policy generated using the console. For more information on each element of a bucket policy, refer to the dedicated documentation.
{
  "Id": "my-bucket-policy",
  "Version": "2023-04-17",
  "Statement": [
    {
      "Principal": {
        "SCW": [
          "user_id:example-c5cc-4862-8506-e09dfe5b9d1c",
          "application_id:example-3967-f6rc-2064-b9d1ce09dfe5"
        ]
      },
      "Sid": "my-statement-1",
      "Action": ["s3:DeleteObject", "s3:DeleteObjectTagging", "s3:GetBucketTagging", "s3:GetObject"],
      "Effect": "Allow",
      "Resource": ["my-bucket", "my-bucket/photos/*"],
      "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}}
    },
    {
      "Principal": {"SCW": ["application_id:example-c5cc-4862-8506-e0969drses3d"]},
      "Sid": "my-statement-2",
      "Action": ["s3:PutObject", "s3:PutBucketTagging", "s3:PutBucketVersioning"],
      "Effect": "Allow",
      "Resource": ["my-bucket", "my-bucket/documents/*"],
      "Condition": {"StringLike": {"aws:Referer": "https://console.scaleway.com/*"}}
    }
  ]
}
How to edit a bucket policy
- Click Object Storage on the left side menu of the console. The Object Storage dashboard displays.
- Click the Bucket policies tab.
- Click the name of the bucket policy you want to edit.
- Click Edit policy.
Alternatively, you can also edit a bucket policy from the Settings tab of your bucket, or by clicking the See more icon next to its name in the Bucket policies tab.
How to apply an existing policy to another bucket
The Scaleway console allows you to duplicate an existing policy, and apply it to another bucket.
- Click Object Storage on the left side menu of the console. The Object Storage dashboard displays.
- Click the Bucket policies tab.
- Click the name of the bucket policy you want to apply to another bucket.
- Click Apply to another bucket. A pop-up appears.
- Select a bucket from the drop-down menu, then enter a name for the policy.
- Click Apply policy.
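As an added example (not Scaleway's code), the following Python linter applies the rules from the statement-building steps and the example policy above (unique Sid, the bucket itself listed in Resource for bucket-level actions such as s3:ListBucket, and a statement that keeps full access for the policy author) and reproduces what Apply to another bucket does by rewriting a copy's Resource entries; the policy, the action set and the function names are constructed for illustration.

```python
import json
# Constructed policy in the shape this page describes (not the page's own example).
EXAMPLE_POLICY = {
    "Id": "my-bucket-policy",
    "Version": "2023-04-17",
    "Statement": [{
        "Sid": "my-statement-1", "Effect": "Allow",
        "Principal": {"SCW": ["application_id:<APPLICATION_ID>"]},
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": ["my-bucket", "my-bucket/photos/*"],
        "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}},
    }],
}
# Actions named on this page that target the bucket itself (assumed set; extend as needed).
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketTagging", "s3:PutBucketTagging", "s3:PutBucketVersioning"}

def maintain_access_statement(bucket, principal):
    """Statement equivalent to the console's 'Maintain access to bucket' option."""
    return {"Sid": "maintain-access", "Effect": "Allow", "Principal": {"SCW": [principal]},
            "Action": ["s3:*"], "Resource": [bucket, bucket + "/*"]}

def lint_policy(policy, bucket, author):
    """Return the problems found; an empty list means every check passed."""
    problems, author_kept = [], False
    sids = [s.get("Sid") for s in policy.get("Statement", [])]
    if None in sids or len(set(sids)) != len(sids):
        problems.append("every statement needs a unique Sid")
    for s in policy.get("Statement", []):
        raw = s.get("Action", [])
        actions = {raw} if isinstance(raw, str) else set(raw)
        resources = s.get("Resource", [])
        if s.get("Effect") == "Allow" and author in s.get("Principal", {}).get("SCW", []) \
                and "s3:*" in actions and bucket in resources:
            author_kept = True
        for r in resources:  # every resource must belong to the policy's bucket
            if r != bucket and not r.startswith(bucket + "/"):
                problems.append(f"{s.get('Sid')}: resource {r!r} is outside bucket {bucket!r}")
        if (actions & BUCKET_ACTIONS or "s3:*" in actions) and bucket not in resources:
            problems.append(f"{s.get('Sid')}: bucket-level action without {bucket!r} in Resource")
    if not author_kept:
        problems.append("no statement keeps full access for the policy author (lockout risk)")
    return problems

def retarget_policy(policy, old_bucket, new_bucket, new_id):
    """Copy of a policy rewritten for another bucket (what 'Apply to another bucket' does)."""
    copy = json.loads(json.dumps(policy))  # deep copy; the original stays untouched
    copy["Id"] = new_id
    for s in copy["Statement"]:
        s["Resource"] = [new_bucket + r[len(old_bucket):] for r in s["Resource"]]
    return copy
```

Run lint_policy on the policy before pushing it, with the principal you are logged in as; an empty result means no statement violates the checks above.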
How to delete a bucket policy
- Click Object Storage on the left side menu of the console. The Object Storage dashboard displays.
- Click the Bucket policies tab.
- Click the name of the bucket policy you want to delete.
- Click Delete policy to permanently delete it.
Alternatively, you can also delete a bucket policy by clicking the See more icon next to its name in the Bucket policies tab.
Troubleshooting
- If you accidentally lost access to your bucket after applying a bucket policy, refer to the dedicated troubleshooting page.
- If an error displays upon validating your bucket policy, make sure that it is properly formatted. Refer to the bucket policies overview for more information on the syntax of each element.