
Bucket Policies

Overview

Bucket policies are used to control access to your buckets. There are two primary ways to manage these permissions:

  1. Predefined Anonymous Access Policies: For common scenarios involving anonymous (public) access, you can use the simple keyword policies public, download, upload, or none with the mc anonymous set <policy-name> <ALIAS>/<BUCKET> command. These are convenient for quickly setting broad access levels for unauthenticated users and are also referred to as "canned policies".

  2. JSON-Based Policies: For more granular control, including granting specific permissions to other authenticated object storage users or defining complex access rules, use JSON-formatted policies applied with the mc anonymous set-json <policy-file.json> <ALIAS>/<BUCKET> command. These let you define precisely who can perform which actions on your bucket and its objects.

The following sections will demonstrate how to use both types.

Usage

Allow anonymous access to a bucket

This section demonstrates using predefined anonymous access policies.

Assume the following user:

  • john with UUID f481b360-7ffe-44b7-8998-67cb83dc3c0b

To allow anonymous access to a bucket, you can run the following command:

mc anonymous set public john/johns-private-bucket

Now, anyone can access the bucket johns-private-bucket.

Valid policies include:

  • public - allows anonymous access to the bucket
  • download - allows anonymous access to the bucket for downloading objects
  • upload - allows anonymous access to the bucket for uploading objects
  • none - removes the anonymous access policy from the bucket, effectively making it private again. Note that JSON bucket policies may still grant access to authenticated object storage users.

Allow another object storage user to access a bucket

Here, we demonstrate using JSON-based policies for more granular control, such as granting access to specific authenticated users.

To grant another user access to a bucket, create a JSON bucket policy. Assume the two users:

  • john with UUID f481b360-7ffe-44b7-8998-67cb83dc3c0b — your current user
  • jane with UUID 33c4de8e-ffa0-44c6-a7ac-6c0719fee0b2 — the user you want to allow access to the bucket

First, create a bucket johns-private-bucket.

mc mb john/johns-private-bucket

Then, create a bucket policy that allows jane to access user john's bucket johns-private-bucket. Save the following policy to a file called policy.json.

{
  "Version": "2012-10-17",
  "Id": "S3Policy1",
  "Statement": [
    {
      "Sid": "BucketAllow",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam:::user/33c4de8e-ffa0-44c6-a7ac-6c0719fee0b2"
        ]
      },
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::johns-private-bucket",
        "arn:aws:s3:::johns-private-bucket/*"
      ]
    }
  ]
}

Now, apply the policy to the bucket.

mc anonymous set-json policy.json john/johns-private-bucket

Now, jane can access john's bucket johns-private-bucket.

mc ls jane/johns-private-bucket

In order to list the currently applied policy, you can use the following command:

mc anonymous get-json john/johns-private-bucket

To remove the policy, you must apply an empty policy to the bucket. Save the following to policy.json (or a new file):

{
  "Version": "2012-10-17",
  "Id": "S3Policy1",
  "Statement": []
}

Then apply it:

mc anonymous set-json policy.json john/johns-private-bucket

and verify that the policy is removed; jane's listing now fails with Access Denied:

mc ls jane/johns-private-bucket
mc: <ERROR> Unable to list folder. Access Denied.

Considerations

Bucket ownership

When a user uploads objects to a bucket, that user becomes the owner of the uploaded objects. You can restrict this by only allowing uploads that grant the bucket-owner-full-control ACL, using the following bucket policy statement. Note that "Principal": "*" accepts uploads from any client, including anonymous ones, as long as the condition holds; to scope the rule, specify the uploader's principal instead.

{
  "Sid": "AllowPutIfBucketOwnerFullControl",
  "Effect": "Allow",
  "Principal": "*",
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::your-bucket-name/*",
  "Condition": {
    "StringEquals": {
      "s3:x-amz-acl": "bucket-owner-full-control"
    }
  }
}

Please note that this requires clients to send the header x-amz-acl: bucket-owner-full-control with every upload; an upload without it does not match the statement and is denied unless another statement allows it. With mc, you can use the following command to upload a file while granting the bucket-owner-full-control permission:

mc cp --attr "x-amz-acl:bucket-owner-full-control" file.txt jane/johns-private-bucket
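To reason about a policy before applying it with mc anonymous set-json, it helps to see the evaluation rules the documents above rely on: default deny, an explicit Allow only for a matching Principal, Action and Resource, an empty Statement list granting nothing, and a Condition that must be satisfied by the request (here the x-amz-acl header). The following Python is an added example, not code from SysEleven, Ceph or MinIO: a deliberately minimal evaluator that models only the features used on this page. It builds the jane policy and the bucket-owner-full-control statement from the sections above (the UUIDs and bucket name are the page's; the function names, the evaluator logic and the "report.txt" object are assumptions) and does not model the bucket owner's implicit rights, ACLs or IAM user policies.

```python
# Added example (not from the SysEleven docs or Ceph/MinIO code): a minimal
# evaluator for S3-style bucket policy documents, covering only what this page
# uses: Allow/Deny, Principal ("*" or AWS user ARNs), Action/Resource wildcards
# and StringEquals conditions. Bucket-owner implicit rights and ACLs are not modelled.
import fnmatch
import json
from typing import Optional

# UUIDs and bucket name taken from the page.
JOHN = "f481b360-7ffe-44b7-8998-67cb83dc3c0b"
JANE = "33c4de8e-ffa0-44c6-a7ac-6c0719fee0b2"
BUCKET = "johns-private-bucket"


def user_arn(uid: str) -> str:
    """Principal ARN in the tenant-less radosgw form used on this page."""
    return f"arn:aws:iam:::user/{uid}"


def grant_user_policy(bucket: str, uid: str,
                      actions=("s3:ListBucket", "s3:PutObject", "s3:GetObject")) -> dict:
    """Build the 'allow another user to access my bucket' policy from the page."""
    return {
        "Version": "2012-10-17",
        "Id": "S3Policy1",
        "Statement": [{
            "Sid": "BucketAllow",
            "Effect": "Allow",
            "Principal": {"AWS": [user_arn(uid)]},
            "Action": list(actions),
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def owner_control_policy(bucket: str, principal="*") -> dict:
    """Policy holding the bucket-owner-full-control upload condition from the page."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowPutIfBucketOwnerFullControl",
            "Effect": "Allow",
            "Principal": principal,
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
        }],
    }


# The "remove the policy" document from the page: no statements, so nothing is granted.
EMPTY_POLICY = {"Version": "2012-10-17", "Id": "S3Policy1", "Statement": []}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, actor_arn: str) -> bool:
    if principal == "*":
        return True  # anyone, including anonymous requests
    if isinstance(principal, dict):
        aws = _as_list(principal.get("AWS", []))
        return "*" in aws or actor_arn in aws
    return False


def _condition_matches(condition: dict, context: dict) -> bool:
    # Only StringEquals is modelled; other operators are rejected rather than guessed.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy: dict, actor_arn: str, action: str, resource: str,
               context: Optional[dict] = None) -> bool:
    """Default deny; a matching Allow grants, and a matching Deny overrides any Allow."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], actor_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = grant_user_policy(BUCKET, JANE)
    print(json.dumps(policy, indent=2))  # same document as policy.json above
    obj = f"arn:aws:s3:::{BUCKET}/report.txt"  # constructed object name
    print(is_allowed(policy, user_arn(JANE), "s3:GetObject", obj))     # True
    print(is_allowed(policy, user_arn(JANE), "s3:DeleteObject", obj))  # False
    print(is_allowed(EMPTY_POLICY, user_arn(JANE), "s3:GetObject", obj))  # False
    owner = owner_control_policy(BUCKET)
    print(is_allowed(owner, user_arn(JANE), "s3:PutObject", obj))  # False: header missing
    print(is_allowed(owner, user_arn(JANE), "s3:PutObject", obj,
                     {"s3:x-amz-acl": "bucket-owner-full-control"}))  # True
```

Running the script prints the same policy.json shown above, then the evaluation results: jane may read objects but not delete them, the empty policy grants her nothing, and the upload statement only matches when the request carries x-amz-acl: bucket-owner-full-control. Because the evaluator ignores the bucket owner's implicit rights, it says nothing about john's own access; it is a tool for checking what a policy grants to others, not a substitute for testing against the real endpoint with mc ls.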

A note on ACLs

While SysEleven object storage supports ACLs, it is recommended to use bucket policies for access control.

Supported Actions

For an overview of the policy actions supported by SysEleven object storage, refer to the Ceph radosgw bucket policy documentation. Please note that we do not currently support AWS IAM policies on radosgw users, groups or roles.