forked from TrueCloudLab/frostfs-s3-gw
[#353] docs: Add bucket policy docs
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
parent 8307c73fef
commit 9f29fcbd52
1 changed file with 131 additions and 0 deletions
131 docs/bucket_policy.md (Normal file)
@ -0,0 +1,131 @@
# Bucket policy

A bucket policy is a resource-based policy that you can use to grant access permissions to your S3 bucket and the
objects in it https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html.

## Conditions

In AWS there are a lot of condition
keys https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.htm
but s3-gw currently supports only the following conditions in bucket policy:

> Note: all condition keys and values must be string formatted in json policy (even if they are numbers).

| Condition key | Description |
|-------------------------------|---------------------------------------------------------------------------|
| [s3:max-keys](#s3-max-keys) | Filters access by maximum number of keys returned in a ListBucket request |
| [s3:delimiter](#s3-delimiter) | Filters access by delimiter parameter |
| [s3:prefix](#s3-prefix) | Filters access by key name prefix |
| [s3:VersionId](#s3-versionid) | Filters access by a specific object version |

Each key can be used only with specific set of
operators https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html
(it depends on type of key).

### s3 max-keys

**Key:** `s3:max-keys`

**Type:** `Numeric`

**Description:** Filters access by maximum number of keys returned in a ListBucket request

```json
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {
"NumericLessThanEquals": {
"s3:max-keys": "10"
}
}
}
}
```

### s3 delimiter

**Key:** `s3:delimiter`

**Type:** `String`

**Description:** Filters access by delimiter parameter

```json
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {
"StringEquals": {
"s3:delimiter": "/"
}
}
}
}
```

### s3 prefix

**Key:** `s3:prefix`

**Type:** `String`

**Description:** Filters access by key name prefix

```json
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:user/JohnDoe"
]
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {
"StringEquals": {
"s3:prefix": "home/JohnDoe"
}
}
}
}
```

### s3 VersionId

**Key:** `s3:VersionId`

**Type:** `String`

**Description:** Filters access by a specific object version

```json
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:user/JohnDoe"
]
},
"Action": "s3:GetObjectVersion",
"Resource": "arn:aws:s3:::example_bucket/some-file.txt",
"Condition": {
"StringEquals": {
"s3:VersionId": "AT2L3qER7CHGk4TDooocEzkz2RyqTm4Zh2b1QLzAhLbH"
}
}
}
}
```
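Review bot: the condition-keys link in the "Conditions" section is truncated (`reference_policies_condition-keys.htm`; the AWS page ends in `.html`), so it will not resolve as written. Two further gaps in the same file: "Each key can be used only with specific set of operators (it depends on type of key)" leaves the reader guessing which operators s3-gw actually evaluates for a `Numeric` key versus a `String` key, since the examples only ever show `NumericLessThanEquals` and `StringEquals`; either list the supported operators per type or state explicitly that the full AWS operator set for that type is accepted. And the `s3:max-keys` and `s3:delimiter` examples pair `"Principal": "*"` with `"Effect": "Allow"` on `s3:ListBucket`, which grants anonymous listing of `example_bucket` limited only by the condition; a one-line warning that these are illustrative and that real policies should scope `Principal` (as the `s3:prefix` and `s3:VersionId` examples do) would keep users from copying them verbatim. Minor: `StringEquals` on `s3:prefix` matches only the exact prefix `home/JohnDoe`, so it is worth noting that sub-prefixes need `StringLike` or a separate statement.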