Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
Bucket policy
A bucket policy is a resource-based policy that you can use to grant access permissions to your S3 bucket and the objects in it (see https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html).
Conditions
AWS defines a large set of condition keys (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html), but s3-gw currently supports only the following condition keys in a bucket policy:

| Condition key | Description |
|---|---|
| s3:max-keys | Filters access by the maximum number of keys returned in a ListBucket request |
| s3:delimiter | Filters access by the delimiter parameter of a ListBucket request |
| s3:prefix | Filters access by the key name prefix of a ListBucket request |
| s3:VersionId | Filters access by a specific object version |

Note: in the JSON policy every condition key and value must be a JSON string, even when the value is a number: write "s3:max-keys": "10", not "s3:max-keys": 10.
Each key can be used only with the condition operators that match its type (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html): s3:max-keys is a Numeric key and takes the Numeric* operators, while s3:delimiter, s3:prefix and s3:VersionId are String keys and take the String* operators. As in IAM, a condition only narrows the statement it belongs to: a request that does not carry the condition key at all does not satisfy a String* or Numeric* condition, so the statement simply does not apply and the decision falls through to the other statements or to the default deny. Keep in mind that the max-keys and delimiter examples below use "Principal": "*", so they grant the listing to any caller, including anonymous ones, whose request satisfies the condition.
s3 max-keys
Key: s3:max-keys
Type: Numeric
Description: Filters access by maximum number of keys returned in a ListBucket request
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket",
    "Condition": {
      "NumericLessThanEquals": {
        "s3:max-keys": "10"
      }
    }
  }
}
```
s3 delimiter
Key: s3:delimiter
Type: String
Description: Filters access by delimiter parameter
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket",
    "Condition": {
      "StringEquals": {
        "s3:delimiter": "/"
      }
    }
  }
}
```
s3 prefix
Key: s3:prefix
Type: String
Description: Filters access by key name prefix
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {
      "AWS": [
        "arn:aws:iam::111122223333:user/JohnDoe"
      ]
    },
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket",
    "Condition": {
      "StringEquals": {
        "s3:prefix": "home/JohnDoe"
      }
    }
  }
}
```
s3 VersionId
Key: s3:VersionId
Type: String
Description: Filters access by a specific object version
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {
      "AWS": [
        "arn:aws:iam::111122223333:user/JohnDoe"
      ]
    },
    "Action": "s3:GetObjectVersion",
    "Resource": "arn:aws:s3:::example_bucket/some-file.txt",
    "Condition": {
      "StringEquals": {
        "s3:VersionId": "AT2L3qER7CHGk4TDooocEzkz2RyqTm4Zh2b1QLzAhLbH"
      }
    }
  }
}
```
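To see how the four keys above interact with operator types and with the rest of a policy, the following added example evaluates requests against a small bucket policy. It is illustration code written for this page, not s3-gw's own policy engine: it models only the IAM rules that matter here (default deny, an explicit Deny beating any Allow, a condition key missing from the request evaluating to false, numeric values carried as JSON strings but compared as numbers, and each key accepting only operators of its type). Principal matching, NotAction and Resource wildcards are deliberately left out. The policy and requests are constructed for the example; the Deny statement on a "private/*" prefix is not from the page.

```python
"""Toy evaluator for the bucket-policy condition keys documented above (added example)."""
import fnmatch
import json

# Operator families by value type. Numeric values appear as JSON strings in the
# policy (as the note above requires) but are compared as integers here.
STRING_OPS = {
    "StringEquals": lambda a, b: a == b,
    "StringNotEquals": lambda a, b: a != b,
    "StringLike": lambda a, b: fnmatch.fnmatchcase(a, b),
    "StringNotLike": lambda a, b: not fnmatch.fnmatchcase(a, b),
}
NUMERIC_OPS = {
    "NumericEquals": lambda a, b: a == b,
    "NumericNotEquals": lambda a, b: a != b,
    "NumericLessThan": lambda a, b: a < b,
    "NumericLessThanEquals": lambda a, b: a <= b,
    "NumericGreaterThan": lambda a, b: a > b,
    "NumericGreaterThanEquals": lambda a, b: a >= b,
}
# The type of each supported key decides which operator family is legal for it.
KEY_TYPES = {
    "s3:max-keys": "Numeric",
    "s3:delimiter": "String",
    "s3:prefix": "String",
    "s3:VersionId": "String",
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def condition_matches(condition: dict, request: dict) -> bool:
    """All operator blocks and all keys inside them must match (AND);
    the list of values given for one key is OR-ed, as in IAM."""
    for op, keys in condition.items():
        for key, wanted in keys.items():
            if key not in KEY_TYPES:
                raise ValueError(f"unsupported condition key {key}")
            ktype = KEY_TYPES[key]
            if ktype == "Numeric" and op in NUMERIC_OPS:
                cmp, conv = NUMERIC_OPS[op], int
            elif ktype == "String" and op in STRING_OPS:
                cmp, conv = STRING_OPS[op], str
            else:
                raise ValueError(f"operator {op} is not valid for {ktype} key {key}")
            actual = request.get(key)
            if actual is None:  # key absent from the request: condition is false
                return False
            if not any(cmp(conv(actual), conv(w)) for w in _as_list(wanted)):
                return False
    return True


def evaluate(policy_json: str, request: dict) -> str:
    """Return 'Allow' or 'Deny' for a request dict holding 'action',
    'resource' and any condition keys the request carries."""
    policy = json.loads(policy_json)
    decision = "Deny"  # implicit deny unless some statement allows
    for st in _as_list(policy["Statement"]):  # Statement may be object or list
        if request["action"] not in _as_list(st["Action"]):
            continue
        if request["resource"] not in _as_list(st["Resource"]):
            continue
        if not condition_matches(st.get("Condition", {}), request):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit deny wins over every allow
        decision = "Allow"
    return decision


# Constructed sample policy: the page's max-keys statement plus a Deny on a
# "private/" prefix, to show that a matching Deny overrides a matching Allow.
BUCKET = "arn:aws:s3:::example_bucket"
LIST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket",
         "Resource": BUCKET,
         "Condition": {"NumericLessThanEquals": {"s3:max-keys": "10"}}},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:ListBucket",
         "Resource": BUCKET,
         "Condition": {"StringLike": {"s3:prefix": "private/*"}}},
    ],
})


def list_request(**cond):
    """Build a ListBucket request on BUCKET carrying the given condition keys."""
    return {"action": "s3:ListBucket", "resource": BUCKET, **cond}


if __name__ == "__main__":
    print(evaluate(LIST_POLICY, list_request(**{"s3:max-keys": "10"})))   # Allow
    print(evaluate(LIST_POLICY, list_request()))                          # Deny
    print(evaluate(LIST_POLICY, list_request(**{"s3:max-keys": "5",
                                                "s3:prefix": "private/x"})))  # Deny
```

Two behaviours are worth checking against a real gateway before relying on them: a ListBucket request that omits max-keys is rejected by this model because the key is absent, and a StringEquals operator on s3:max-keys is rejected as a type mismatch rather than silently evaluating to false.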