From 3212805955aeb213f546baceddec5c416adb09fe Mon Sep 17 00:00:00 2001 From: Denis Kirillov Date: Wed, 9 Nov 2022 17:58:24 +0300 Subject: [PATCH] [#740] Update docs Signed-off-by: Denis Kirillov --- CHANGELOG.md | 3 +++ docs/aws_s3_compat.md | 16 +++++++++++++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a245b2d..856a970 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,9 @@ This document outlines major changes between releases. ## [Unreleased] +### Fixed +- Empty bucket policy (#740) + ## [0.25.0] - 2022-10-31 ### Fixed diff --git a/docs/aws_s3_compat.md b/docs/aws_s3_compat.md index b71081b..e7712c4 100644 --- a/docs/aws_s3_compat.md +++ b/docs/aws_s3_compat.md @@ -31,7 +31,21 @@ Reference: ## ACL For now there are some limitations: -* [Bucket policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html) supports only one `Principal` (type `AWS`) per `Statement`. To refer all users use `"AWS": "*"` +* [Bucket policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html) supports only one `Principal` per `Statement`. +Principal must be `"AWS": "*"` (to refer all users) or `"CanonicalUser": "0313b1ac3a8076e155a7e797b24f0b650cccad5941ea59d7cfd51a024a8b2a06bf"` (hex encoded public key of desired user). +* Resource in bucket policy is an array. Each item MUST contain bucket name, CAN contain object name (wildcards are not supported): +```json +{ + "Statement": [ + { + "Resource": [ + "arn:aws:s3:::bucket", + "arn:aws:s3:::bucket/some/object" + ] + } + ] +} +``` * AWS conditions and wildcard are not supported in [resources](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-arn-format.html) * Only `CanonicalUser` (with hex encoded public key) and `All Users Group` are supported in [ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html)
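Review bot: In the CHANGELOG.md hunk, the entry `- Empty bucket policy (#740)` under `### Fixed` does not say what was wrong or what the behaviour is now. The diffstat for this commit lists only CHANGELOG.md and docs/aws_s3_compat.md, so the fix the entry announces is not part of this patch. Suggest wording the entry as the observable change (what happened with an empty bucket policy before, and what happens now). Either move it into the commit that carries the code change, or extend the subject `[#740] Update docs` so that it mentions the changelog.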
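Review bot: In the docs/aws_s3_compat.md hunk, the added sentence beginning `Principal must be "AWS": "*"` gives the `CanonicalUser` alternative as one literal 66-character hex string, so it reads as if that exact key were the required value. Suggest a placeholder such as `<hex-encoded public key>`, with the literal kept only as a labelled example, and a statement of which key encoding is expected. Because `"AWS": "*"` opens a statement to all users, the text should also say whether that includes unauthenticated requests, so that an operator does not grant wider access than intended. Two smaller points in the same hunk: the new `Resource` bullet says "wildcards are not supported" while the unchanged bullet below it repeats this for resources, so one of the two can go; and the `Principal must be` line and the json fence are not indented under their bullets, which may render them outside the list.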