S3 Object Storage - Bucket Policy

manuelroth 2015-12-02 13:09:01 UTC #1

On AWS S3 a bucket policy needs to be specified to allow access to an object in the bucket.

I would like to allow anybody to GET any ressource inside the bucket photos.

The bucket policy would look like this:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::photos/*"]
    }
  ]
}

How to set the bucket policy on Switchengines's Object Storage?- Would appreciate your help.

manuelroth 2015-12-02 14:20:18 UTC #2

I found out, that I can set an ACL rule on my bucket photos with the s3cmd tool. This solved my problem.

This command adds an access control rule to the bucket photos, which makes the bucket public accessible.

s3cmd setacl s3://photos/ --acl-public --recursive

As a general rule, AWS recommends using S3 bucket policies or IAM policies for access control. S3 ACLs is a legacy access control mechanism that predates IAM. However, if you already use S3 ACLs and you find them sufficient, there is no need to change.

I would still like to know how to set a bucket policy. It would be nice, if you could add an example to the documentation page.

manuelroth 2015-12-02 14:33:38 UTC #3

The support-team of SWITCHengines just told me, that the Object Store is just a AWS S3 like API. A detailed documentation can be found here

The documentation describes that bucket policies are not supported only acl's.

sleinen 2015-12-02 21:39:04 UTC #4

Correct. We use Ceph as the storage system supporting SWITCHengines. The "RadosGW" component of Ceph is used to provide an S3-like object store service, using account (tenant/project) information from OpenStack's "Keystone" identity service. RadosGW tries to be compatible with AWS S3, but as you see, some advanced functionality is missing.