S3 Object Storage - Bucket Policy

manuelroth · 2015-12-02 13:09:01 UTC

On AWS S3 a bucket policy needs to be specified to allow access to an object in the bucket.

I would like to allow anybody to GET any ressource inside the bucket photos.

The bucket policy would look like this:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::photos/*"]
    }
  ]
}

How to set the bucket policy on Switchengines’s Object Storage?- Would appreciate your help.

manuelroth · 2015-12-02 14:20:18 UTC

I found out, that I can set an ACL rule on my bucket photos with the s3cmd tool. This solved my problem.

This command adds an access control rule to the bucket photos, which makes the bucket public accessible.

s3cmd setacl s3://photos/ --acl-public --recursive

As a general rule, AWS recommends using S3 bucket policies or IAM policies for access control. S3 ACLs is a legacy access control mechanism that predates IAM. However, if you already use S3 ACLs and you find them sufficient, there is no need to change.

I would still like to know how to set a bucket policy. It would be nice, if you could add an example to the documentation page.

manuelroth · 2015-12-02 14:33:38 UTC

The support-team of SWITCHengines just told me, that the Object Store is just a AWS S3 like API. A detailed documentation can be found here

The documentation describes that bucket policies are not supported only acl’s.

sleinen · 2015-12-02 21:39:04 UTC

Correct. We use Ceph as the storage system supporting SWITCHengines. The “RadosGW” component of Ceph is used to provide an S3-like object store service, using account (tenant/project) information from OpenStack’s “Keystone” identity service. RadosGW tries to be compatible with AWS S3, but as you see, some advanced functionality is missing.

sleinen · 2018-03-29 17:15:42 UTC

It took some time, but since a recent upgrade of the Ceph software, bucket policies are now supported.

We are still trying to find out which complex policies work, but the one in your example (“get” access for everyone) certainly does—I just tried it.

Thanks for your patience! We continue to try to improve our service, and input such as yours is very helpful for us.

sleinen · 2018-03-29 17:19:12 UTC

Oh, I should have added the answer to your original question:

You can put the bucket policy in a file, let’s say my-policy.json, and then apply it using s3cmd as follows:

s3cmd setpolicy my-policy.json s3://photos

Hope this (still) helps!