Permissions: Defining a Policy and Enabling
    • 04 Jun 2024
    • 1 Minute to read
    • PDF

    Permissions: Defining a Policy and Enabling

    • PDF

    Article summary

    Permissions are available to attach a policy to a bucket to define the actions that can take place on the bucket and the conditions under which those actions can occur. In addition to defining a bucket policy, you can edit an existing policy or delete it. Defining, editing, and deleting a bucket policy are described in this article.

    Defining a Bucket Policy

    1. On the Buckets list, clickfor the desired bucket.
    2. Click Settings.
    3. Click the Permissions tab.


      If a policy is not already defined for the bucket, the panel will be blank, as shown above.

      If the panel appears with a policy defined, you can edit it (see Editing a Bucket Policy).

      You can clickto copy the Amazon Resource Name (ARN) to the clipboard. The following are the general formats for ARNs:
      arn:aws:service:account-id:resource-id
      arn:aws:service:account-id:resource-type/resource-id
      arn:aws:service:account-id:resource-type:resource-id
    4. Enter the code for the policy. For example:

      The following policy makes the bucket and content public.

      By default, public use of a bucket, folder, or file is allowed only by certain paid (not trial) accounts. If your account does not have access to this feature, contact Wasabi Support at support@wasabi.com for assistance.
      {
      "Version": "2012-10-17",
      "Statement": [
      {
      "Sid": "AllowPublicRead", "Effect": "Allow", "Principal": {
      "AWS": "*"
      },
      "Action": "s3:GetObject", "Resource": [
      "arn:aws:s3:::<BUCKET>/*",
      "arn:aws:s3:::<BUCKET>"
      ]
      }
      ]
      }

      The following policy is an example of just allowing a specific IP address:

      {
      "Id": "S3PolicyId1",
      "Version": "2012-10-17",
      "Statement": [
      {
      "Sid": "IPAllow",
      "Effect": "Allow", "Principal": {
      "AWS": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::<BUCKET>/*", "Condition": {
      "IpAddress": {
      "aws:SourceIp": "77.19.132.0/24"
      },
      "NotIpAddress": {
      "aws:SourceIp": "76.19.132.120/32"
      }
      }
      }
      }
      ]
      }

      This policy grants permission to multiple accounts. In the example below, two accounts (arn:aws:iam::100000000164:root and arn:aws:iam::100000000162:root) are given access to objects under a bucket named multi-account.

      {
      "Version": "2012-10-17",
      "Statement": [
      {
      "Sid": "AddCannedAcl", "Effect": "Allow", "Principal": {
      "AWS": [
      "arn:aws:iam::100000000164:root", "arn:aws:iam::100000000162:root"
      ]
      },
      "Action": [ "s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::multi-account/*"
      }
      ]
      }

      Note that syntax errors will be flagged as you enter information. In this example, the colon (:) is missing after “Statement” in line 3:

    5. When you see you can click Save to create the policy.

    Editing a Bucket Policy

    If a policy exists for a bucket, you can edit it.

    1. On the Buckets list, clickfor the desired bucket.
    2. Click Settings.
    3. Click the Policies tab.
    4. Edit the content of the policy, as required.

    5. Click Save.

    Deleting a Bucket Policy

    If a policy exists for a bucket, you can delete it.

    1. On the Buckets list, clickfor the desired bucket.
    2. Click Settings.
    3. Click the Policies tab.

    4. Click Delete.