Explanation of bucket policies by example

Bucket Policy

A bucket policy is an access policy that lets you grant anonymous (unauthenticated) users permissions on your Minio resources. Bucket policies are written in the same JSON-based access policy language that Amazon S3 uses. Because the principal in these policies is "*", anyone who can reach the Minio endpoint gets the granted permissions, so keep each policy to the narrowest action and resource that the use case needs.

This section presents a few examples of typical use cases for bucket policies. The policies use the string testbucket in the Resource value; to test them, replace it with your bucket name. For more information, read the Amazon S3 access policy language documentation.

Granting Read-Only Permission to an Anonymous User

The following example policy grants the s3:GetObject permission to any anonymous user. This allows anyone to read the data of any object under testbucket, which is useful when you have publicly readable assets; a typical example is website assets stored in testbucket. Note that the policy grants only s3:GetObject: an anonymous user can fetch an object whose key they know, but cannot list the bucket (that would need s3:ListBucket on the bucket ARN) or write to it.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "*"
        ]
      },
      "Resource": [
        "arn:aws:s3:::testbucket/*"
      ],
      "Sid": ""
    }
  ]
}

The following example policy grants the s3:GetObject permission to any anonymous user, but only for objects under testbucket whose key matches user/*/files/public/*, that is, any prefix under user/ followed by files/public/ and anything beneath it. This is useful when you want to organize the assets of your application's users so that only some of them are publicly available. A typical case is a social media profile picture kept under public assets at user/{username}/files/public/{image.jpg}. Objects elsewhere under user/{username}/, such as user/{username}/files/private/..., are not covered by the policy and stay inaccessible to anonymous users.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "*"
        ]
      },
      "Resource": [
        "arn:aws:s3:::testbucket/user/*/files/public/*"
      ],
      "Sid": ""
    }
  ]
}

Now you can set this policy on your bucket using the aws cli. The following command assumes Minio is running locally on port 9000, the bucket is testbucket, and the policy JSON was saved to /tmp/policy.json. After applying it, read the policy back with the get-bucket-policy subcommand to confirm that what the server stored is what you intended.

aws --endpoint-url http://localhost:9000 s3api put-bucket-policy --bucket testbucket --policy file:///tmp/policy.json

Advanced

In the Resource value of a bucket policy, two wildcard characters are allowed: * and ?.

Suppose you have the following value in your bucket policy Resource:

arn:aws:s3:::testbucket/user/*/files/public/*

Then the policy matches an object named user/harsha/files/public/issue, whose ARN is:

arn:aws:s3:::testbucket/user/harsha/files/public/issue

Now suppose you have the following value in your bucket policy Resource instead:

arn:aws:s3:::testbucket/user/?/files/public/*

Then the policy matches an object named user/1/files/public/issue. ? differs from * in meaning: ? matches exactly one character, whereas * matches any number of characters, including none.

arn:aws:s3:::testbucket/user/1/files/public/issue

You can even repeat ? to restrict the length of the username. For example, with six repeated ?:

arn:aws:s3:::testbucket/user/??????/files/public/*

Then the policy matches the following ARN, because harsha is exactly six characters long (a username of any other length does not match):

arn:aws:s3:::testbucket/user/harsha/files/public/issue

One caveat: neither wildcard is path-aware. In S3 and Minio both * and ? also match the / character, so user/*/files/public/* matches a key with several path segments between user/ and files/public/, and user/??????/files/public/* matches user/a/b/cd/files/public/... just as well as user/harsha/files/public/.... Do not rely on wildcards alone to enforce a key layout; keep everything that must stay private outside the public prefix.

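To make the matching rules and the Allow/Deny evaluation concrete, here is an added example (my code, not Minio's or Amazon's) that evaluates anonymous requests offline against the policies above. It implements the two wildcards exactly as described (* matches any run of characters including none, ? matches exactly one character, and neither stops at /), plus an explicit Deny statement to show that Deny wins over Allow. The policies are constructed samples; the function names (wildcard_match, anonymous_allowed, can) and the *.key Deny statement are mine.

```python
"""Offline evaluator for anonymous requests against a bucket policy.

Added example, not Minio's or Amazon's code. It implements the two wildcards
the text describes ('*' matches any run of characters, including none; '?'
matches exactly one character) and the Allow/Deny evaluation an anonymous
request goes through. As in S3 and Minio, neither wildcard stops at '/'.
"""
import json

# Constructed sample: the user/*/files/public/* policy from the text.
PUBLIC_USER_ASSETS_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["s3:GetObject"], "Effect": "Allow", "Principal": {"AWS": ["*"]},
     "Resource": ["arn:aws:s3:::testbucket/user/*/files/public/*"], "Sid": ""}
  ]
}"""

# Constructed sample: the same grant plus an explicit Deny for *.key objects.
# Deny always wins, so the Allow above cannot re-open them.
POLICY_WITH_DENY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["s3:GetObject"], "Effect": "Allow", "Principal": {"AWS": ["*"]},
     "Resource": ["arn:aws:s3:::testbucket/user/*/files/public/*"], "Sid": ""},
    {"Action": ["s3:GetObject"], "Effect": "Deny", "Principal": {"AWS": ["*"]},
     "Resource": ["arn:aws:s3:::testbucket/user/*/files/public/*.key"], "Sid": ""}
  ]
}"""


def wildcard_match(pattern: str, text: str) -> bool:
    """True if text matches pattern: '*' matches any (possibly empty) string,
    '?' matches exactly one character. Neither is path-aware: both match '/'."""
    m, n = len(pattern), len(text)
    # dp[i][j] is True when pattern[:i] matches text[:j]; tabulated rather than
    # recursive so patterns with many '*' cannot blow up exponentially.
    dp = [[False] * (n + 1) for _ in range(m + 1)]
    dp[0][0] = True
    for i in range(1, m + 1):
        p = pattern[i - 1]
        if p == "*":
            dp[i][0] = dp[i - 1][0]  # leading '*'s match the empty string
        for j in range(1, n + 1):
            if p == "*":
                dp[i][j] = dp[i - 1][j] or dp[i][j - 1]
            elif p == "?" or p == text[j - 1]:
                dp[i][j] = dp[i - 1][j - 1]
    return dp[m][n]


def object_arn(bucket: str, key: str) -> str:
    """ARN of an object; an empty key gives the bucket ARN used by s3:ListBucket."""
    return f"arn:aws:s3:::{bucket}" + (f"/{key}" if key else "")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants_anonymous(stmt: dict) -> bool:
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def anonymous_allowed(policy: dict, action: str, arn: str) -> bool:
    """Evaluate an anonymous request: an explicit Deny wins over any Allow, and
    a request that no statement covers is denied (the S3/Minio default)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _grants_anonymous(stmt):
            continue
        if not any(wildcard_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(wildcard_match(r, arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can(policy_json: str, action: str, key: str, bucket: str = "testbucket") -> bool:
    """Can an anonymous user perform action on bucket/key under this policy?"""
    return anonymous_allowed(json.loads(policy_json), action, object_arn(bucket, key))


if __name__ == "__main__":
    for key in ["user/harsha/files/public/issue", "user/harsha/files/private/issue",
                "user/harsha/files/public/id_rsa.key"]:
        verdict = "allowed" if can(POLICY_WITH_DENY, "s3:GetObject", key) else "denied"
        print(f"GetObject {key}: {verdict}")
    # Caveat: '?' also matches '/', so six '?' accept "a/b/cd", not only a
    # six-character username.
    six = "arn:aws:s3:::testbucket/user/??????/files/public/*"
    print(wildcard_match(six, object_arn("testbucket", "user/a/b/cd/files/public/x")))
```

Run it as a script to see the verdicts for the three sample keys; the final line prints True, which is the path-boundary caveat in action. When you write a real policy, run your intended public keys and a few keys that must stay private through an evaluator like this before applying the policy with put-bucket-policy.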
@KraiChamnivikaipong

Great material! Thank you.

@ramzerof

Thanks, nice examples!

@thtiggemann

Cool - thank you
