frostfs-s3-gw/docs/bucket_policy.md

# Bucket policy

A bucket policy is a resource-based policy that you can use to grant access permissions to your S3 bucket and the objects in it (see the [AWS documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html)).

## Conditions

In AWS there are a lot of [condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.htm), but s3-gw currently supports only the following conditions in bucket policy:

Note: all condition keys and values must be formatted as strings in the JSON policy (even if they are numbers).

| Condition key | Description |
|---------------|-------------|
| `s3:max-keys` | Filters access by the maximum number of keys returned in a ListBucket request |
| `s3:delimiter` | Filters access by the delimiter parameter |
| `s3:prefix` | Filters access by key name prefix |
| `s3:VersionId` | Filters access by a specific object version |

Each key can be used only with a specific set of [operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), depending on the type of the key.

### s3:max-keys

Key: s3:max-keys

Type: Numeric

Description: Filters access by the maximum number of keys returned in a ListBucket request

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket",
    "Condition": {
      "NumericLessThanEquals": {
        "s3:max-keys": "10"
      }
    }
  }
}
```

### s3:delimiter

Key: s3:delimiter

Type: String

Description: Filters access by the delimiter parameter

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket",
    "Condition": {
      "StringEquals": {
        "s3:delimiter": "/"
      }
    }
  }
}
```

### s3:prefix

Key: s3:prefix

Type: String

Description: Filters access by key name prefix

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {
      "AWS": [
        "arn:aws:iam::111122223333:user/JohnDoe"
      ]
    },
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket",
    "Condition": {
      "StringEquals": {
        "s3:prefix": "home/JohnDoe"
      }
    }
  }
}
```

### s3:VersionId

Key: s3:VersionId

Type: String

Description: Filters access by a specific object version

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {
      "AWS": [
        "arn:aws:iam::111122223333:user/JohnDoe"
      ]
    },
    "Action": "s3:GetObjectVersion",
    "Resource": "arn:aws:s3:::example_bucket/some-file.txt",
    "Condition": {
      "StringEquals": {
        "s3:VersionId": "AT2L3qER7CHGk4TDooocEzkz2RyqTm4Zh2b1QLzAhLbH"
      }
    }
  }
}
```
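The following Go snippet is an added illustration, not code from frostfs-s3-gw, of how the conditions documented above are evaluated: a constructed policy combines `NumericLessThanEquals` on `s3:max-keys` with `StringEquals` on `s3:prefix`, both values carried as strings as the note requires, and the evaluator denies when a policy key is missing from the request and refuses operators it does not implement rather than failing open. The `policy` type, `SamplePolicy` and `ConditionsMatch` are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

type policy struct { // only the Condition block of the single-statement shape used on this page
	Statement struct{ Condition map[string]map[string]string }
}

// Constructed sample: ListBucket is allowed only for at most 10 keys under home/JohnDoe.
const SamplePolicy = `{"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Principal": "*",
  "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": {
  "NumericLessThanEquals": {"s3:max-keys": "10"}, "StringEquals": {"s3:prefix": "home/JohnDoe"}}}}`

// ConditionsMatch parses the policy and checks each condition block against the request's keys (both sides are strings, per the JSON form).
func ConditionsMatch(rawPolicy string, req map[string]string) (bool, error) {
	var p policy
	if err := json.Unmarshal([]byte(rawPolicy), &p); err != nil {
		return false, err // e.g. "s3:max-keys": 10 (a bare number) is rejected here
	}
	for op, kv := range p.Statement.Condition {
		for key, want := range kv {
			got, ok := req[key]
			switch {
			case !ok: // the policy names a key the request did not send: deny
				return false, nil
			case op == "StringEquals":
				if got != want {
					return false, nil
				}
			case op == "NumericLessThanEquals":
				g, err1 := strconv.Atoi(got)
				w, err2 := strconv.Atoi(want)
				if err1 != nil || err2 != nil {
					return false, fmt.Errorf("non-numeric value for %s", key)
				} else if g > w {
					return false, nil
				}
			default: // never fail open on an operator this evaluator does not implement
				return false, fmt.Errorf("unsupported operator %q", op)
			}
		}
	}
	return true, nil
}

func main() { fmt.Println(ConditionsMatch(SamplePolicy, map[string]string{"s3:max-keys": "5", "s3:prefix": "home/JohnDoe"})) }
```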