# Bucket Policies **Bucket Policies** provides specific users, or all users, conditional and granular permissions for specific actions. Policy conditions can be used to assign permissions for a range of objects that match the condition and can be used to automatically assign permissions to newly uploaded objects. How access to resources is managed when using the S3 protocol is described in and you can use the information as the basis for understanding and using S3 bucket policies in cegedim.cloud Object Storage Service. This section provides basic information about the use of bucket policies. ## Manage Bucket Policies **Bucket policies** can be managed using **aws s3api** (other tools or SDK works too)**:** * get-bucket-policy * put-bucket-policy * delete-bucket-policy {% hint style="info" %} We use **aws s3** and **aws s3api** command line tools from AWSCLIv2 on Linux. `${S3_ENDPOINT}` and `${S3_PROFILE}` are environment variables. {% endhint %} ### Create Bucket Policy Create JSON file and configure your policy : {% code lineNumbers="true" %} ```json { "Version": "2012-10-17", "Id": "S3PolicyId1", "Statement": [ { "Sid": "Grant permission to ", "Effect": "Allow", "Principal": [""], "Action": [ "s3:PutObject","s3:GetObject" ], "Resource":[ "bucket-test/*" ] } ] } ``` {% endcode %} {% hint style="warning" %} The **`Principal`** element specifies the **Object User Access Key** that is allowed or denied access to a resource. You can use a wildcard '**`*`'** to mean all Object Users. ![(warning)](https://docs.cegedim.cloud/s/-qt169r/8804/1tgy0xz/_/images/icons/emoticons/warning.svg) Be careful, set a wildcard as '**`Principal`**' in a Bucket Policy means **anyone** can access to resources and perform allowed actions. {% endhint %} Apply it to the bucket: **bucket-test** {% code overflow="wrap" %} ```bash aws s3api --endpoint-url=${S3_ENDPOINT} put-bucket-policy --bucket bucket-test --policy file://policy.json --profile ${S3_PROFILE} ``` {% endcode %} ### Get Bucket Policy {% code overflow="wrap" %} ```bash aws s3api --endpoint-url=${S3_ENDPOINT} get-bucket-policy --bucket bucket-test --profile ${S3_PROFILE} ``` {% endcode %} ### Delete Bucket Policy {% code overflow="wrap" %} ```bash aws s3api --endpoint-url=${S3_ENDPOINT} delete-bucket-policy --bucket bucket-test --profile ${S3_PROFILE} ``` {% endcode %} ## Bucket Policy management scenarios ### Grant bucket permissions to a user {% code lineNumbers="true" %} ```json { "Version": "2012-10-17", "Id": "S3PolicyId1", "Statement": [ { "Sid": "Grant permission to user1", "Effect": "Allow", "Principal": [""], "Action": [ "s3:PutObject","s3:GetObject" ], "Resource":[ "arn:aws:s3:::mybucket/*" ] } ] } ``` {% endcode %} ### Grant read only bucket permissions to a user {% code lineNumbers="true" %} ```json { "Version": "2012-10-17", "Id": "s3ReadOnlyforUser", "Statement": [ { "Sid": "Grant read permission to user1", "Effect": "Allow", "Principal": [""], "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*" ] } ] } ``` {% endcode %} ### Grant bucket permissions to all users (public access) cegedim.cloud Object Storage Service is directly accessible from Internet. {% hint style="danger" %} If you grant public access to your Bucket or a subset of your Bucket, **anyone can GET your objects**. {% endhint %} For more information, please read [manage-bucket-access](https://academy.cegedim.cloud/storage/object-storage/object-storage-get-started/manage-bucket-access "mention"). {% code title="Public bucket" lineNumbers="true" %} ```json { "Version": "2012-10-17", "Id": "S3PolicyId2", "Statement": [ { "Sid": "Public Access to mybucket", "Effect": "Allow", "Principal": "*", "Action": [ "s3:GetObject" ], "Resource":[ "arn:aws:s3:::mybucket/*" ] } ] } ``` {% endcode %} #### Accessing Bucket via baseURL in a Web Browser With **public access**, Bucket content can be accessed directly using a WEB browser. The URL to access to a public Bucket follow this format:\ https\://\.storage-\[eb4|et1].cegedim.cloud/\ Example : ** ### Grant bucket permissions to all users (public access) to Objects under a specific prefix cegedim.cloud Object Storage Service is directly accessible from Internet. {% hint style="danger" %} If you grant public access to your Bucket or a subset of your Bucket, **anyone can GET your objects**. {% endhint %} With the following policy, all objects in the bucket `my-bucket` and under the prefix `public/` are publicly accessible: {% code lineNumbers="true" %} ```json { "Version":"2012-10-17", "Statement":[ { "Sid":"public-access-based-on-prefix", "Effect":"Allow", "Principal": "*", "Action":["s3:GetObject"], "Resource":["arn:aws:s3:::my-bucket/public/*"] } ] } ``` {% endcode %} ## Supported Policy Operations & Conditions ### Supported bucket policy operations #### Permissions for Object Operations
Permission keywordSupported S3 operations
s3:GetObject applies to latest version for a version-enabled bucketGET Object, HEAD Object
s3:GetObjectVersionGET Object, HEAD Object This permission supports requests that specify a version number
s3:PutObjectPUT Object, POST Object, Initiate Multipart Upload, Upload Part, Complete Multipart Upload PUT Object
s3:GetObjectAclGET Object ACL
s3:GetObjectVersionAclGET ACL (for a Specific Version of the Object)
s3:PutObjectAclPUT Object ACL
s3:PutObjectVersionAclPUT Object (for a Specific Version of the Object)
s3:DeleteObjectDELETE Object
s3:DeleteObjectVersionDELETE Object (a Specific Version of the Object)
s3:ListMultipartUploadPartsList Parts
s3:AbortMultipartUploadAbort Multipart Upload
#### Permissions for Bucket Operations
Permission keywordSupported S3 operations
s3:DeleteBucketDELETE Bucket
s3:ListBucketGET Bucket (List Objects), HEAD Bucket
s3:ListBucketVersionsGET Bucket Object versions
s3:GetLifecycleConfigurationGET Bucket lifecycle
s3:PutLifecycleConfigurationPUT Bucket lifecycle
#### Permissions for Bucket Sub-resource Operations
Permission keywordSupported S3 operations
s3:GetBucketAclGET Bucket acl
s3:PutBucketAclPUT Bucket acl
s3:GetBucketCORSGET Bucket cors
s3:PutBucketCORSPUT Bucket cors
s3:GetBucketVersioningGET Bucket versioning
s3:PutBucketVersioningPUT Bucket versioning
s3:GetBucketPolicyGET Bucket policy
s3:DeleteBucketPolicyDELETE Bucket policy
s3:PutBucketPolicyPUT Bucket policy
### Supported bucket policy conditions {% hint style="info" %} The condition element is used to specify conditions that determine when a policy is in effect. The following tables show the condition keys that are supported by cegedim.cloud Object Storage Service and that can be used in condition expressions. {% endhint %} #### Supported generic AWS condition keys
Key nameDescriptionApplicable operators
aws:CurrentTimeUsed to check for date/time conditionsDate operator
aws:EpochTimeUsed to check for date/time conditions using a date in epoch or UNIX time (see Date Condition Operators).Date operator
aws:principalTypeUsed to check the type of principal (user, account, federated user, etc.) for the current request.String operator
aws:SourceIpUsed to check the requester's IP address.String operator
aws:UserAgentUsed to check the requester's client application.String operator
aws:usernameUsed to check the requester's user name.String operator
#### Supported S3-specific condition keys for object operations
Key nameDescriptionApplicable permissions
s3:x-amz-aclSets a condition to require specific access permissions when the user uploads an object.

s3:PutObject

s3:PutObjectAcl

s3:PutObjectVersionAcl

s3:x-amz-grant-permission

(for explicit permissions), where permission can be:read, write, read-acp, write-acp, full-control

Bucket owner can add conditions using these keys to require certain permissions.

s3:PutObject

s3:PutObjectAcl

s3:PutObjectVersionAcl

s3:x-amz-server-side-encryptionRequires the user to specify this header in the request.

s3:PutObject

s3:PutObjectAcl

s3:VersionIdRestrict the user to accessing data only for a specific version of the object

s3:PutObject

s3:PutObjectAcl

s3:DeleteObjectVersion

#### Supported S3-specific condition keys for bucket operations
Key nameDescriptionApplicable permissions
s3:x-amz-aclSet a condition to require specific access permissions when the user uploads an object

s3:CreateBucket

s3:PutBucketAcl

s3:x-amz-grant-permission

(for explicit permissions), where permission can be:read, write, read-acp, write-acp, full-control

Bucket owner can add conditions using these keys to require certain permissions

s3:CreateBucket

s3:PutBucketAcl

s3:prefixRequires the user to specify this header in the request.

s3:PutObject

s3:PutObjectAcl

s3:delimiterRequire the user to specify the delimiter parameter in the Get Bucket (List Objects) request.

s3:PutObject

s3:PutObjectAcl

s3:DeleteObjectVersion

s3:max-keysLimit the number of keys Object Storage Service returns in response to the Get Bucket (List Objects) request by requiring the user to specify the max-keys parameter.

s3:ListBucket

s3:ListBucketVersions