---
title: "Bucket Access Restriction Based on an Identity Policy"
slug: "how-to-separate-access-at-a-bucket-level"
updated: 2026-02-18T15:02:03Z
published: 2026-02-18T15:02:03Z
---

# Bucket Access Restriction Based on an Identity Policy

When sub-users are defined in the Wasabi account, you can use either identity-based (IAM) or resource-based policies to restrict bucket access. Identity-based policies, as described in this article, are assigned to groups or users, whereas [resource-based policies](https://docs.wasabi.com/docs/how-do-i-restrict-bucket-access-with-resource-based-policies) are applied to resources (buckets).

> If your company has numerous users, you may want to automate the entire process of creating users, buckets, policies, groups, and delegated user access. Refer to [Automating Infrastructure Design for Wasabi](https://docs.wasabi.com/docs/how-to-automate-infrastructure-design-on-wasabi).

You may want to separate users at the bucket level so that each sub-user has their own bucket and can access only that bucket, not the buckets of other sub-users. You define this in an identity-based policy. At a high level, the steps are:

1. Create or log in to your Wasabi Root account.
2. Create a storage bucket for each sub-user.
3. Create sub-user(s).
4. Create an IAM policy that limits the access of each sub-user to just their storage bucket.
5. Attach the IAM policy to the sub-user.

The example in this article uses a company account with two sub-users:

- panjack
- stonecold

To separate a bucket for sub-user panjack:

1. Create a bucket called bucket-meant-for-panjack. In Wasabi Console:

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-MJU6H6JU.png)
  1. Click **Buckets**.
  2. Click **Create Bucket**.
  3. [Create the bucket](https://docs.wasabi.com/docs/working-with-buckets-and-objects#creating-a-bucket) called bucket-meant-for-panjack.
2. Create a sub-user called panjack. In Wasabi Console:

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-EBYC0I9Y.png)
  1. Click **Users**.
  2. Click **Create User**.
  3. [Create a sub-user](https://docs.wasabi.com/docs/creating-a-user-account-and-access-key#creating-a-user) called panjack.
3. Create an IAM policy that limits sub-user panjack access to bucket bucket-meant-for-panjack. In Wasabi Console:

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-BYNXIWWZ.png)
  1. Click **Policies**.
  2. Click **Create Policy**.
  3. [Create the policy](https://docs.wasabi.com/docs/creating-a-policy) with the code shown below.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucket-meant-for-panjack",
        "arn:aws:s3:::bucket-meant-for-panjack/*"
      ]
    }
  ]
}
```

The policy must include the s3:ListAllMyBuckets action. The Console needs it to list buckets, and without it the sub-user cannot reach their bucket, or perform any bucket/object operations, through the Console. The sub-user will see the names of all buckets when logged in to the Console; however, the sub-user can access content only in the bucket for which the policy grants access.
4. Attach the policy to sub-user panjack. In Wasabi Console:

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-77JDWBU4.png)
  1. Click **Users**.
  2. Locate and click the sub-user (panjack in this example).
  3. Click **Policies** to open the settings.
  4. [Attach the policy](https://docs.wasabi.com/docs/reviewing-details-and-editing-an-existing-user#policies) to the sub-user.

The sub-user panjack will then have access to their own bucket ONLY.
5. Repeat the steps above for sub-user stonecold.
  1. Create a bucket called bucket-meant-for-stonecold.
  2. Create sub-user stonecold.
  3. Create an IAM policy with the appropriate bucket for this sub-user:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucket-meant-for-stonecold",
        "arn:aws:s3:::bucket-meant-for-stonecold/*"
      ]
    }
  ]
}
```
  4. Attach the policy to sub-user stonecold.
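As an added example (not Wasabi's own tooling and not code from this article), the following Python generates the per-sub-user policy shown above from the article's bucket-naming convention (bucket-meant-for-&lt;user&gt;) and evaluates it offline with a minimal Allow/Deny matcher. This lets you confirm, before attaching a policy, that panjack is allowed s3:ListAllMyBuckets and full access to bucket-meant-for-panjack but nothing in bucket-meant-for-stonecold. The evaluator is a simplification of IAM semantics (no conditions, principals or resource policies), and the similarly named bucket bucket-meant-for-panjack-old is a constructed input that shows an ARN without a wildcard is an exact match, so a bucket sharing a name prefix is not exposed.

```python
"""Added example: build the article's per-sub-user identity policy and check
offline what it allows. Not Wasabi's code; the evaluator is a simplification."""
import fnmatch
import json


def policy_for(user: str) -> dict:
    """Build the identity policy from the article for one sub-user.

    Bucket naming follows the article's convention: bucket-meant-for-<user>.
    """
    bucket = f"bucket-meant-for-{user}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Needed so the Console can list buckets at all. It grants
                # listing of bucket names only, not access to their contents.
                "Effect": "Allow",
                "Action": "s3:ListAllMyBuckets",
                "Resource": "arn:aws:s3:::*",
            },
            {
                # Full S3 access, limited to this user's bucket and its objects.
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
            },
        ],
    }


def policy_json(user: str) -> str:
    """Serialize the policy as the JSON document you paste into the Console."""
    return json.dumps(policy_for(user), indent=2)


def _as_list(value):
    # IAM allows Action/Resource to be a single string or a list.
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Minimal evaluator for Allow/Deny statements with '*' wildcards.

    Deny wins over Allow; no matching statement means implicit deny.
    Conditions, principals and resource-based policies are out of scope.
    A pattern with no wildcard (e.g. a bare bucket ARN) matches exactly.
    """
    decision = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def isolation_report(users):
    """For each user's policy, report which users' buckets it can read objects from.

    A correctly isolated setup yields True only on the diagonal (own bucket).
    """
    report = {}
    for user in users:
        pol = policy_for(user)
        report[user] = {
            other: is_allowed(pol, "s3:GetObject", f"arn:aws:s3:::bucket-meant-for-{other}/secret.txt")
            for other in users
        }
    return report


if __name__ == "__main__":
    print(policy_json("panjack"))
    for user, row in isolation_report(["panjack", "stonecold"]).items():
        print(user, row)
```

Run it before pasting the policy into the Console; if `isolation_report` shows True anywhere off the diagonal, the Resource list in that user's second statement names the wrong bucket.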
