Bucket Policy
- Updated on 05 Apr 2023
You can attach a policy to define the actions that can take place on a bucket and the conditions under which those actions can occur. In addition, you can edit an existing policy or delete it.
Defining a Bucket Policy
- Click
for the bucket and click Settings.
- Click the POLICIES tab.
- If a policy is not already defined for the bucket, the panel will appear as:
If the panel appears with a policy defined, you can edit it (see Editing a Bucket Policy).
You can click to copy the Amazon Resource Name (ARN) to the clipboard. The following are the general formats for ARNs:
arn:aws:service:account-id:resource-id
arn:aws:service:account-id:resource-type/resource-id
arn:aws:service:account-id:resource-type:resource-id
- Enter code for the policy. For example:
The following policy makes the bucket and content public.
By default, public use of a bucket, folder, or file is allowed only by certain paid (not trial) accounts. If your account does not have access to this feature, contact Wasabi Support at support@wasabi.com for assistance.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::mybucket/*",
        "arn:aws:s3:::mybucket"
      ]
    }
  ]
}
The following policy is an example that allows access only from a specific IP address range:
{
  "Id": "S3PolicyId1",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::vbatra-ip-only/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "77.19.132.0/24"
        },
        "NotIpAddress": {
          "aws:SourceIp": "76.19.132.120/32"
        }
      }
    }
  ]
}
The following policy grants permission to multiple accounts. In the example below, two accounts (arn:aws:iam::100000000164:root and arn:aws:iam::100000000162:root) are given access to objects under a bucket named multi-account.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AddCannedAcl",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::100000000164:root",
          "arn:aws:iam::100000000162:root"
        ]
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::multi-account/*"
    }
  ]
}
Note that syntax errors will be flagged as you enter information. In this example, the colon (:) is missing after “Statement” in line 3:
- When you see
you can click SAVE to create the policy.
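A pre-save review of policies like the three examples above, as an added example (not Wasabi's code): it reports the line of a JSON syntax error and flags public Allow statements with no Condition, public wildcard actions, and s3:ListBucket granted only on object ARNs. The function name, finding labels and sample strings are constructed for illustration, and the s3:ListBucket check assumes Wasabi follows AWS S3 semantics, where that action is matched only by the bucket ARN.

```python
import json

BUCKET_LEVEL = {"s3:ListBucket"}  # assumption: AWS S3 semantics, matched only by the bucket ARN

def as_list(value):
    """Policy fields may hold one string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_public(principal):
    """True for "Principal": "*" or {"AWS": "*"}, including "*" inside a list."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in as_list(principal)

def audit_policy(text):
    """Return (Sid, finding) pairs for the Allow statements of a bucket policy."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as err:
        return [(None, f"SYNTAX line {err.lineno}")]
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid")
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        if is_public(stmt.get("Principal")):
            if "Condition" not in stmt:
                findings.append((sid, "PUBLIC_NO_CONDITION"))
            if any(a in ("*", "s3:*") for a in actions):
                findings.append((sid, "PUBLIC_WILDCARD_ACTION"))
        # A bucket-level action never matches an object ARN such as bucket/*.
        if resources and all("/" in r for r in resources):
            findings += [(sid, f"NO_BUCKET_ARN_FOR {a}") for a in actions if a in BUCKET_LEVEL]
    return findings

# Constructed inputs: this page's three example policies, reduced to the fields checked.
PUBLIC_READ = json.dumps({"Statement": [{"Sid": "AllowPublicRead", "Effect": "Allow",
    "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
    "Resource": ["arn:aws:s3:::mybucket/*", "arn:aws:s3:::mybucket"]}]})
IP_ONLY = json.dumps({"Statement": [{"Sid": "IPAllow", "Effect": "Allow",
    "Principal": {"AWS": "*"}, "Action": "s3:*", "Resource": "arn:aws:s3:::vbatra-ip-only/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "77.19.132.0/24"}}}]})
MULTI_ACCOUNT = json.dumps({"Statement": [{"Sid": "AddCannedAcl", "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::100000000164:root", "arn:aws:iam::100000000162:root"]},
    "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"],
    "Resource": "arn:aws:s3:::multi-account/*"}]})
MISSING_COLON = '{\n"Version": "2012-10-17",\n"Statement" [\n]\n}'  # constructed syntax error
```

An empty result means none of these checks fired, not that the policy grants only what was intended.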
Editing a Bucket Policy
If a policy exists for a bucket, you can edit it.
- Click
for the bucket and click Settings.
- Click the POLICIES tab.
- Edit the content of the policy, as required.
- Click SAVE.
Deleting a Bucket Policy
If a policy exists for a bucket, you can delete it.
- Click
for the bucket and click Settings.
- Click the POLICIES tab.
- Click DELETE.