What are ACLs?

ACLs, or Access Control Lists, are sets of rules that determine who has access to objects stored in Object Storage and what actions they are allowed to perform on those objects. Proper configuration of ACLs helps ensure the security of stored data.

Info

The storage owner is responsible for configuring ACLs. Use the AWS CLI or S3cmd documentation commands to manage ACLs for objects in Gcore Object Storage.

ACLs for objects can be configured for a variety of actions, such as:

AWS CLIS3cmdDescription
—public-read—acl-publicMaking an object publicly accessible
—private—acl-privateMaking an object private
—grant-full-control—acl-grant=full-controlGranting full control over the bucket
—grant-read—acl-grant=readAllowing the listing of objects in the bucket
—grant-read-acp—acl-grant=read_acpAllowing the reading of ACLs
—grant-write—acl-grant=writeAllowing recording, overwriting, and deleting of objects

What are policies?

Policies are JSON files that provide a more detailed way to control access to objects and buckets. They allow you to specify which actions a specific user or all users are allowed or denied to perform.

The maximum request size in the policy is 20 KB.

Note : The storage owner is responsible for configuring policies. Use the AWS CLI documentation actions, conditions, and resource types to manage policies for objects in Gcore Object Storage.

Configure access via ACLs and policies

We’ve provided examples of ACLs and policies for some common tasks in managing Object Storage.

In all the commands and JSON files, you need to replace the following with your values:

  • Replace sample.jpg with your object.
  • Replace my_bucket with your bucket.
  • Replace <https://s-ed1.cloud.gcore.lu> with your hostname.

Allow an object downloading by ACL

To allow all users to download an object, use the following command with the public ACL action —acl public-read (AWS CLI) or —acl public (S3cmd).

AWS CLI:

aws s3api put-bucket-acl --bucket my_bucket --key %filename% --acl public-read --endpoint-url=https://s-ed1.cloud.gcore.lu

S3cmd:

s3cmd setacl s3://my_bucket/sample.jpg --acl-public

Note : This will make the specified object in the bucket publicly available to everyone.

Allow listing of a bucket by ACL

To allow all users to list objects in a bucket, use the following command with the public ACL action —grant-read (AWS CLI) or —acl-grant=read (S3cmd).

AWS CLI:

aws s3api put-bucket-acl --bucket my_bucket --acl grant-read --endpoint-url=https://s-ed1.cloud.gcore.lu

S3cmd:

s3cmd setacl s3://my_bucket/sample.jpg --acl-grant=read

Note : This will allow users to list the objects in the bucket, but they won’t have permission to read or write them.

Allow an object downloading by policy

To allow all users to download an object:

1. Create a JSON file with the following policy:

{  

"Statement": [   

 {  

"Effect": "Allow",  

"Principal": "*",  

"Action": "s3:GetObject",  

"Resource": "arn:aws:s3:::my_bucket/*"  

  }  

 ]  

}

2. Apply the access policy to the bucket with the following command.

AWS CLI:

aws s3api put-bucket-policy --policy file://policy.json --endpoint-url=https://s-ed1.cloud.gcore.lu --bucket my_bucket

S3cmd:

s3cmd setpolicy policy_name.json s3://my_bucket/

As a result, the object in the bucket will be publicly available.

Note : This policy allows you to directly access the files, but it doesn’t allow you to list the files in the bucket.

Deny access to a bucket (hide a directory) by policy

To deny all users access to the “s3:GetObject” operation on a specific directory in a bucket while still allowing access to the higher-level bucket:

1. Create a JSON file with the following policy:

{  

  "Statement": [   

    {   

      "Effect": "Allow",  

      "Principal": "*",  

      "Action": "s3:GetObject",  

      "Resource": "arn:aws:s3:::my_bucket/*"   

    },  

    {   

      "Effect": "Deny",  

      "Principal": "*",  

      "Action": "s3:GetObject",  

      "Resource": "arn:aws:s3:::my_bucket/secret/*"   

    }  

  ]  

}

Note : Replace arn:aws:s3:::my_bucket/secret/* with the path to the directory you want to hide and arn:aws:s3:::my_bucket/* with the path to the higher-level bucket.

2. Apply the policy to the bucket with the following command.

AWS CLI:

aws s3api put-bucket-policy --policy file://policy.json --endpoint-url=https://s-ed1.cloud.gcore.lu --bucket my_bucket

S3cmd:

s3cmd setpolicy policy_name.json s3://my_bucket/

Allow requests from a particular IP by policy

To allow requests to the storage bucket from a specified IP address:

1. Create a JSON file with the following policy:

{  

  "Statement": [  

    {  

      "Sid": "IPAllow",  

      "Effect": "Allow",  

      "Principal": "*",  

      "Action": "s3:*",  

      "Resource": [  

        "arn:aws:s3:::",  

        "arn:aws:s3:::/*"  

      ],  

      "Condition": {  

        "IpAddress": {"aws:SourceIp": "10.0.0.0/24"}  

      }  

    }  

  ]  

}

Note : Replace 10.0.0.0/24 with your desired IP address.

2. Apply the policy to the bucket with the following command.

AWS CLI:

aws s3api put-bucket-policy --policy file://policy.json --endpoint-url=https://s-ed1.cloud.gcore.lu --bucket my_bucket

S3cmd:

s3cmd setpolicy policy_name.json s3://my_bucket/

Allow requests from a particular website by policy

To allow referrals to the storage bucket from specified websites:

1. Create a JSON file with the following policy:

{  

"Statement": [  

  {  

    "Sid":"Allow get requests originating from www.example.com and example.com.",  

    "Effect":"Allow",  

    "Principal":"*",  

    "Action":["s3:GetObject","s3:GetObjectVersion"],  

    "Resource":"arn:aws:s3:::/*",  

    "Condition": {  

      "StringLike":{"aws:Referer":["http://www.example.com/*","http://example.com/*"]}  

    }  

  }  

 ]  

}

Note : Replace <http://www.example.com/> and <http://example.com/> with your desired websites.

2. Apply the policy to the bucket with the following command.

AWS CLI:

aws s3api put-bucket-policy --policy file://policy.json --endpoint-url=https://s-ed1.cloud.gcore.lu --bucket my_bucket

S3cmd:

s3cmd setpolicy policy_name.json s3://my_bucket/

Grant a user access to a bucket by policy

To grant a user access to a bucket:

1. Create a JSON file with the following policy:

{ 

  "Statement": [ 

    { 

      "Effect":"Allow", 

      "Principal": {

        "AWS": ["arn:aws:iam:::user/1234-test"]

      }, 

      "Action": ["s3:GetObject","s3:ListBucket"], 

      "Resource": ["arn:aws:s3:::my_bucket/*", "arn:aws:s3:::my_bucket"] 

    } 

  ] 

}

Note : Replace 1234-test with the actual name of your storage in your account, and arn:aws:s3:::my_bucket with the actual name of your bucket.

2. Apply the policy to the bucket with the following command.

AWS CLI:

aws s3api put-bucket-policy --policy file://policy.json --endpoint-url=https://s-ed1.cloud.gcore.lu --bucket my_bucket

S3cmd:

s3cmd setpolicy policy_name.json s3://my_bucket/