
Policies on S3

Ceph Object Gateway supports a subset of the Amazon S3 policy language for configuring bucket access.

Read more about bucket policies in Ceph. Install AWS CLI to set policies.

Setting a policy requires that the aws command runs with a profile whose access key has full permissions on the bucket (normally the bucket owner's key pair). Select it with --profile if it is not your default profile.

Read-only permission to anonymous users

Create the file

public_read.json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "MyPublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:GetObjectVersion"],
    "Resource": "arn:aws:s3:::project-bucket/*"
  }]
}

Change project-bucket to your bucket. Note that Principal "*" makes every object in the bucket, including objects uploaded later, readable by anyone; the policy grants no s3:ListBucket, so the bucket cannot be listed anonymously, but anyone who knows or guesses an object key can fetch it. Then set the policy with

aws --endpoint=https://s3.ice.ri.se s3api put-bucket-policy --policy file://public_read.json --bucket project-bucket 

Objects in the bucket can now be fetched directly over HTTPS without credentials, for example,

https://s3.ice.ri.se/ice-demo-bucket/ICE_logo.png

Denying bucket access to specific key

Here the key do:alt-key is denied access to list project-bucket and to read its objects. s3:ListBucket is evaluated against the bucket ARN and s3:GetObject against the object ARN (bucket/*), so the Resource field must name both; a Deny that lists only the bucket ARN blocks listing but leaves object reads unaffected. Create the JSON policy file

user_deny.json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "MyUserDeny",
    "Effect": "Deny",
    "Principal": {"AWS": "arn:aws:iam:::user/do:alt-key"},
    "Action":["s3:ListBucket", "s3:GetObject"],
    "Resource": ["arn:aws:s3:::project-bucket", "arn:aws:s3:::project-bucket/*"]
  }]
}

Set the policy with the same put-bucket-policy command as in the previous example. A new policy replaces any existing policy on the bucket, so if the public-read rule should stay in force, put both statements in the same Statement array; an explicit Deny always overrides an Allow, so the restricted key stays locked out. When the user with that key tries to list the bucket

aws --profile do:alt-key --endpoint=https://s3.ice.ri.se s3 ls s3://project-bucket/

They receive the error

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Unknown
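As an added example, not part of the ICE documentation or of Ceph's own code, the Python below models the S3 policy evaluation that both sections above rely on: default deny, Allow grants, explicit Deny overrides. The bucket name, ARNs and the do:alt-key identity are copied from the page; the evaluator is a deliberate simplification (no Condition keys, no IAM user policies, no ACLs) written only to show why the per-user Deny must name both the bucket ARN and the object ARN, and what happens when the two example policies are combined into one document.

```python
"""Constructed example: a minimal evaluator for the bucket policies on this page.

Illustration code only, not Ceph's or AWS's implementation. It models three
rules: a request is denied unless a statement allows it, a matching Allow
grants it, and a matching explicit Deny overrides any Allow.
"""
import fnmatch
import json

BUCKET_ARN = "arn:aws:s3:::project-bucket"
OBJECT_ARN = BUCKET_ARN + "/*"
ALT_KEY = "arn:aws:iam:::user/do:alt-key"  # identity from the page's deny example
ANONYMOUS = None  # unauthenticated caller, carries no identity

PUBLIC_READ = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "MyPublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:GetObjectVersion"],
        "Resource": OBJECT_ARN,
    }],
}

# Deny naming only the bucket ARN: blocks listing, but not object reads.
BUCKET_ONLY_DENY = {
    "Sid": "MyUserDeny",
    "Effect": "Deny",
    "Principal": {"AWS": ALT_KEY},
    "Action": ["s3:ListBucket", "s3:GetObject"],
    "Resource": BUCKET_ARN,
}

# The same deny naming both ARNs, so s3:GetObject on objects is denied as well.
FULL_DENY = dict(BUCKET_ONLY_DENY, Resource=[BUCKET_ARN, OBJECT_ARN])


def combine(*statements):
    """Build one policy document. put-bucket-policy replaces the whole policy,
    so rules that should coexist must share a single Statement array."""
    return {"Version": "2012-10-17", "Statement": list(statements)}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller):
    if principal == "*":
        return True  # anyone, authenticated or anonymous
    if isinstance(principal, dict):
        allowed = _as_list(principal.get("AWS", []))
        return "*" in allowed or caller in allowed  # None never equals an ARN
    return False


def _pattern_matches(patterns, value, casefold=False):
    # S3 policy wildcards '*' and '?' map directly onto fnmatch;
    # action names compare case-insensitively, resource ARNs do not.
    if casefold:
        value = value.lower()
    for pattern in _as_list(patterns):
        if fnmatch.fnmatchcase(value, pattern.lower() if casefold else pattern):
            return True
    return False


def evaluate(policy, caller, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' (nothing matched)."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], caller):
            continue
        if not _pattern_matches(stmt["Action"], action, casefold=True):
            continue
        if not _pattern_matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny wins over every Allow
        decision = "Allow"
    return decision


def render(policy):
    """JSON text to save as the file passed to put-bucket-policy --policy file://..."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    obj = BUCKET_ARN + "/ICE_logo.png"
    leaky = combine(PUBLIC_READ["Statement"][0], BUCKET_ONLY_DENY)
    fixed = combine(PUBLIC_READ["Statement"][0], FULL_DENY)
    for label, policy in (("bucket-only deny", leaky), ("bucket + object deny", fixed)):
        print(label)
        print("  alt-key ListBucket:", evaluate(policy, ALT_KEY, "s3:ListBucket", BUCKET_ARN))
        print("  alt-key GetObject: ", evaluate(policy, ALT_KEY, "s3:GetObject", obj))
        print("  anonymous GetObject:", evaluate(policy, ANONYMOUS, "s3:GetObject", obj))
    print(render(fixed))
```

Running the script shows the difference between the two Deny variants: with the bucket-only Resource, do:alt-key is refused ListBucket but still gets objects through the public-read Allow; with both ARNs listed the object read is denied too, while anonymous reads of the same object keep working.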

Last update: 2023-04-05
Created: 2021-01-11