diff --git a/CHANGELOG.md b/CHANGELOG.md index a245b2d0c..856a970fc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,9 @@ This document outlines major changes between releases. ## [Unreleased] +### Fixed +- Empty bucket policy (#740) + ## [0.25.0] - 2022-10-31 ### Fixed diff --git a/docs/aws_s3_compat.md b/docs/aws_s3_compat.md index b71081b42..e7712c461 100644 --- a/docs/aws_s3_compat.md +++ b/docs/aws_s3_compat.md @@ -31,7 +31,21 @@ Reference: ## ACL For now there are some limitations: -* [Bucket policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html) supports only one `Principal` (type `AWS`) per `Statement`. To refer all users use `"AWS": "*"` +* [Bucket policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html) supports only one `Principal` per `Statement`. +Principal must be `"AWS": "*"` (to refer all users) or `"CanonicalUser": "0313b1ac3a8076e155a7e797b24f0b650cccad5941ea59d7cfd51a024a8b2a06bf"` (hex encoded public key of desired user). +* Resource in bucket policy is an array. Each item MUST contain bucket name, CAN contain object name (wildcards are not supported): +```json +{ + "Statement": [ + { + "Resource": [ + "arn:aws:s3:::bucket", + "arn:aws:s3:::bucket/some/object" + ] + } + ] +} +``` * AWS conditions and wildcard are not supported in [resources](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-arn-format.html) * Only `CanonicalUser` (with hex encoded public key) and `All Users Group` are supported in [ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html)
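Review bot: In CHANGELOG.md, the added entry `- Empty bucket policy (#740)` names the subject but not what was fixed, so a reader cannot tell whether an empty policy was previously rejected, stored incorrectly or evaluated incorrectly. Because this concerns access control, the entry should state the behaviour after the fix, not only the issue number.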
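Review bot: In docs/aws_s3_compat.md, the added line beginning `Principal must be "AWS": "*"` gives one concrete 66-character hex key as the `CanonicalUser` value, which reads as a required literal rather than an example. Use a placeholder such as `<hex encoded public key>` or mark the value as a sample, and say what happens to a statement whose `Principal` has any other form (rejected, or accepted and ignored), since that determines whether a policy copied from AWS fails safely. Two smaller points in the same hunk: the new `Resource` bullet says "wildcards are not supported" while the unchanged bullet just below still says "AWS conditions and wildcard are not supported in resources", so the two should be merged or cross-checked; and the JSON sample contains only `Resource`, so it should be labelled as a fragment rather than a complete statement.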