@harshavardhana
Last active June 19, 2024 20:01
Explanation of bucket policies by example

Bucket Policy

A bucket policy is an access policy that lets you grant anonymous permissions on your Minio resources. Bucket policies use a JSON-based access policy language.

This section presents a few examples of typical use cases for bucket policies. The policies below use testbucket in their Resource values; to test them, replace testbucket with your own bucket name. For more information, please read Amazon S3 access policy language.

Granting Read-Only Permission to an Anonymous User

The following example policy grants the s3:GetObject permission to all anonymous users. It allows anyone to read the object data under testbucket, which is useful when you have publicly readable assets. A typical example is website assets stored in testbucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "*"
        ]
      },
      "Resource": [
        "arn:aws:s3:::testbucket/*"
      ],
      "Sid": ""
    }
  ]
}

The following example policy also grants the s3:GetObject permission to all anonymous users, but only for objects in testbucket whose keys match any prefix under user/ followed by files/public/*. This is useful when you want to organize user assets from your application so that only their public part is readable by everyone. E.g., a social media profile picture kept under public assets at /user/{username}/files/public/{image.jpg}.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "*"
        ]
      },
      "Resource": [
        "arn:aws:s3:::testbucket/user/*/files/public/*"
      ],
      "Sid": ""
    }
  ]
}

You can now set this policy on your bucket with the aws cli. The following command assumes that Minio is running locally on port 9000, that the bucket is testbucket, and that the policy above is saved in /tmp/policy.json.

aws --endpoint-url http://localhost:9000 s3api put-bucket-policy --bucket testbucket --policy file:///tmp/policy.json

Advanced

In bucket policy JSON, two kinds of wildcard are allowed when matching keys: * and ?.

Now suppose you have the following value in your bucket policy Resource:

arn:aws:s3:::testbucket/user/*/files/public/*

Then the policy will match an object named user/harsha/files/public/issue:

arn:aws:s3:::testbucket/user/harsha/files/public/issue

Now suppose instead that you have the following value in your bucket policy Resource:

arn:aws:s3:::testbucket/user/?/files/public/*

Then the policy will match an object named user/1/files/public/issue. ? differs from * in meaning: ? matches exactly one character, in wildcard terms.

arn:aws:s3:::testbucket/user/1/files/public/issue

You can even repeat ? to restrict the length of the username. Say you have 6 repeated ?:

arn:aws:s3:::testbucket/user/??????/files/public/*

Then the policy will match:

arn:aws:s3:::testbucket/user/harsha/files/public/issue
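As an added example (not part of this gist, and not Minio's own policy evaluator), the following Python script implements the two wildcard rules described in this section and uses them to evaluate a bucket policy like the ones above: it decides whether an anonymous request for a given action on a given object key would be allowed, with Deny taking precedence over Allow as in S3 policy evaluation. The policy, bucket name and object keys are constructed sample values; only the policy elements this gist uses (Action, Effect, Principal, Resource) are handled, and Condition blocks are ignored.

```python
import json
import re

# Constructed sample: the second policy from this gist, as it would sit in /tmp/policy.json.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["s3:GetObject"],
            "Effect": "Allow",
            "Principal": {"AWS": ["*"]},
            "Resource": ["arn:aws:s3:::testbucket/user/*/files/public/*"],
            "Sid": "",
        }
    ],
})


def wildcard_match(pattern: str, value: str) -> bool:
    """S3-style wildcard matching: '*' matches any run of characters (including '/'),
    '?' matches exactly one character, and everything else is literal."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, re.DOTALL) is not None


def _as_list(value):
    # Policy elements such as Action and Resource may be a single string or a list.
    return value if isinstance(value, list) else [value]


def anonymous_allowed(policy_text: str, action: str, bucket: str, key: str) -> bool:
    """Evaluate whether `policy_text` grants `action` on `bucket/key` to the anonymous
    principal ("*"). An explicit Deny beats any Allow, as in S3 policy evaluation.
    Only Action, Effect, Principal and Resource are considered; Condition is ignored."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        # A policy argument that is not JSON at all (e.g. a path instead of the file
        # contents) is rejected here, before any statement is evaluated.
        raise ValueError(f"policy is not valid JSON: {exc}") from None

    resource_arn = f"arn:aws:s3:::{bucket}/{key}"
    allowed = False
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" not in aws_principals:
            continue  # statement does not apply to anonymous users
        if not any(wildcard_match(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(wildcard_match(r, resource_arn) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


if __name__ == "__main__":
    for key in ("user/harsha/files/public/issue", "user/harsha/files/private/issue"):
        print(key, "->", anonymous_allowed(SAMPLE_POLICY, "s3:GetObject", "testbucket", key))
    # The repeated-? pattern from above, checked against the gist's matching key and the
    # non-matching key suggested in the comments below.
    six = "arn:aws:s3:::testbucket/user/??????/files/public/*"
    print(wildcard_match(six, "arn:aws:s3:::testbucket/user/harsha/files/public/issue"))   # True
    print(wildcard_match(six, "arn:aws:s3:::testbucket/user/harsha1/files/public/issue"))  # False
```

One caveat worth checking with this script: * also matches /, so user/*/files/public/* matches keys with additional path segments between user/ and /files/public/ (for example user/a/b/files/public/x). If the username must be a single path segment, only a ? pattern of fixed length pins it down; a length-agnostic single-segment match is not expressible with these two wildcards alone.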
@krisis

krisis commented Aug 16, 2017

s/The policies use testbucket strings in the resource value. To test these policies, you need to replace these strings with your bucket name./To test these policies, you need to replace testbucket with your bucket name.

@krisis

krisis commented Aug 16, 2017

minor nit: s/is a website assets/is website assets

@krisis

krisis commented Aug 16, 2017

Suggestion: s/Most probably a social media profile picture/E.g, a social media profile picture

@krisis

krisis commented Aug 16, 2017

Minio is running locally at port 9000 and bucket is testbucket.

Also say that the above policy is present in /tmp/policy.json.

@krisis

krisis commented Aug 16, 2017

You could provide an example resource that would not match the policy.
e.g, arn:aws:s3:::testbucket/user/harsha1/files/public/issue

@harshavardhana (Author)

s/The policies use testbucket strings in the resource value. To test these policies, you need to replace these strings with your bucket name./To test these policies, you need to replace testbucket with your bucket name.

Done

@harshavardhana (Author)

minor nit: s/is a website assets/is website assets

Done

@harshavardhana (Author)

Suggestion: s/Most probably a social media profile picture/E.g, a social media profile picture

Done

@harshavardhana (Author)

Also say that the above policy is present in /tmp/policy.json.

Done

@sifat007

Hi,
Can I grant access to another user into a bucket using bucket policy? I don't want to make the bucket public or grant the access using user policy (because "user policy" requires admin access).

@harshavardhana (Author)

you cannot @sifat007

@sifat007

Thank you very much.
But please let me rephrase the scenario just for my sanity:
I am a non-root user with full control of a bucket. I can give access to anonymous users, but I cannot give access to another authenticated user. Is that correct?

Also, when bucket policy is set to public anonymous users have access, but authenticated users don't (unless given access by user policy). Is that correct? If yes, then why?

@harshavardhana (Author)

@Mattacks

@harshavardhana what was the conclusion of the chat on Slack? That's made the info invisible to everyone here.

@ijpatricio

Hello @harshavardhana
Thank you for all the great things!

After following every step, I get this message:

An error occurred (MalformedPolicy) when calling the PutBucketPolicy operation: invalid character 'i' in literal false (expecting 'a')


Am I missing something here?

Thank you so much
