
Using Bucket Policy for bucket sharing

Please be aware that a wrong Bucket Policy setup can make your data publicly accessible. We strongly recommend testing your Bucket Policy first. If you are not sure about the setup, you can contact our support.

Setting up the Bucket Policy via the aws tool

To use the aws tool you must install and configure it first. You can perform the installation and configuration using this guide.

Setting up the Bucket Policy from a JSON file:

aws s3api put-bucket-policy --profile test_user --endpoint-url https://s3.cl2.du.cesnet.cz --bucket BUCKET-NAME --policy file://C:/Users/User/Downloads/example_policy_tenant-ro.json

On a Linux system the path to the JSON file with the Bucket Policy is given as follows:

aws s3api put-bucket-policy --profile test_user --endpoint-url https://s3.cl2.du.cesnet.cz --bucket BUCKET-NAME --policy file:///home/user/Downloads/example_policy_tenant-ro.json

Listing of Bucket Policy on the desired bucket:

aws s3api get-bucket-policy --profile test_user --endpoint-url https://s3.cl2.du.cesnet.cz --bucket BUCKET-NAME

Removing Bucket Policy on the desired bucket:

aws s3api delete-bucket-policy --profile test_user --endpoint-url https://s3.cl2.du.cesnet.cz --bucket BUCKET-NAME

Setting up the Bucket Policy via the s3cmd tool

To use the s3cmd tool you must install and configure it first. You can perform the installation and configuration using this guide.

Setting up the Bucket Policy from a JSON file:

s3cmd -c ~/.s3cfg_test_user setpolicy /home/user/bucket_policy.json s3://BUCKET-NAME

Listing of Bucket Policy on the desired bucket:

s3cmd -c ~/.s3cfg_test_user info s3://BUCKET-NAME

Removing Bucket Policy on the desired bucket:

s3cmd -c ~/.s3cfg_test_user delpolicy s3://BUCKET-NAME

Examples for general use of Bucket Policy

Below are three general examples of Bucket Policy: sharing within a tenant/group with read-only access, sharing within a tenant/group with read-write access, and public sharing for everyone.

To share within a tenant, you need to edit the value of the Principal attribute in the JSON file containing the Bucket Policy. This value was sent to you together with your credentials (access_key and secret_key), see below. The desired value is the part of the user attribute before the $ character. In our case it is 354dasf3_db44_4dsa_a9b9_24ae65476.

  "keys": [
    {
      "user": "354dasf3_db44_4dsa_a9b9_24ae65476$136aadsdas57d4asdrt5hzuuzc",
      "access_key": "hash_access_key_hash",
      "secret_key": "hash_secret_key_hash"
    }
  ]
Below are example Bucket Policies. DO NOT FORGET to change the BUCKET-NAME string in the “Resource” attribute: replace “BUCKET-NAME” with the name of the bucket on which you wish to set the Bucket Policy.

Example of sharing within tenant for read-only access

example_policy_tenant-ro.json
  {
    "Statement":[
      {
        "Sid":"* on bucket-tenant-ro policy",
        "Effect":"Allow",
        "Principal": {"AWS": ["354dasf3_db44_4dsa_a9b9_24ae65476"]},
        "Action": ["s3:ListBucket","s3:GetObject"],
        "Resource":[ "arn:aws:s3:::BUCKET-NAME", "arn:aws:s3:::BUCKET-NAME/*" ]
      }
    ]
  }

Example of sharing within tenant for read-write access

example_policy_tenant-rw.json
  {
    "Statement":[
      {
        "Sid":"* on bucket-tenant-rw policy",
        "Effect":"Allow",
        "Principal": {"AWS": ["354dasf3_db44_4dsa_a9b9_24ae65476"]},
        "Action": ["s3:ListBucket","s3:GetObject","s3:PutObject","s3:DeleteObject"],
        "Resource":[ "arn:aws:s3:::BUCKET-NAME", "arn:aws:s3:::BUCKET-NAME/*" ]
      }
    ]
  }

Example of public sharing

example_policy_public.json
  {
    "Statement":[
      {
        "Sid":"* on bucket-tenant-public policy",
        "Effect":"Allow",
        "Principal": "*",
        "Action": ["s3:ListBucket","s3:GetObject"],
        "Resource":[ "arn:aws:s3:::BUCKET-NAME", "arn:aws:s3:::BUCKET-NAME/*" ]
      }
    ]
  }
If you set up public sharing on your bucket, you can verify the access using a web browser by going to the bucket address. To do so, you need the value listed in the user attribute before the $ character in your credential file; in our example above it is 354dasf3_db44_4dsa_a9b9_24ae65476. You should also insert your bucket name instead of the “BUCKET-NAME” placeholder.

https://s3.cl2.du.cesnet.cz/354dasf3_db44_4dsa_a9b9_24ae65476:BUCKET-NAME/
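The following Python script is added here as an illustration; it is not part of this guide or of CESNET's tooling. It ties the steps above together: it extracts the tenant id from a credential file of the shape shown earlier, renders the read-only, read-write and public example policies with BUCKET-NAME replaced, and checks a policy before upload for the two mistakes the warning at the top of this page is about, a leftover BUCKET-NAME placeholder and an unconditional Allow for any principal (Principal "*"), which is exactly what makes a bucket public. The credential contents, the bucket name my-project-data, the profile test_user and the output file names are constructed placeholders; the only real value is the CESNET endpoint URL from this page.

```python
"""Prepare and sanity-check a bucket policy before applying it.

Added example. Assumes the credential file has the "keys" shape shown in
the guide; bucket name, profile and output paths are placeholders.
"""
import json
import shlex

ENDPOINT = "https://s3.cl2.du.cesnet.cz"

# Constructed sample credential file in the guide's shape: placeholder
# tenant id and dummy keys, not real credentials.
SAMPLE_CREDENTIALS = json.dumps({
    "keys": [{
        "user": "354dasf3_db44_4dsa_a9b9_24ae65476$136aadsdas57d4asdrt5hzuuzc",
        "access_key": "hash_access_key_hash",
        "secret_key": "hash_secret_key_hash",
    }]
})

# Action sets of the guide's read-only and read-write examples.
ACTIONS = {
    "ro": ["s3:ListBucket", "s3:GetObject"],
    "rw": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
}


def tenant_from_credentials(cred_json: str) -> str:
    """Return the part of the 'user' field before '$': the Principal value."""
    user = json.loads(cred_json)["keys"][0]["user"]
    tenant, sep, _ = user.partition("$")
    if not sep or not tenant:
        raise ValueError("user field is not of the form TENANT$NAME: " + user)
    return tenant


def build_policy(bucket: str, mode: str, tenant: str = "") -> dict:
    """Render one of the three example policies with BUCKET-NAME filled in.

    mode 'ro'/'rw' shares within the tenant (tenant id required);
    mode 'public' grants read-only access to everyone (Principal "*").
    """
    if mode == "public":
        principal, actions = "*", ACTIONS["ro"]
    elif mode in ACTIONS:
        if not tenant:
            raise ValueError("tenant id is required for tenant sharing")
        principal, actions = {"AWS": [tenant]}, ACTIONS[mode]
    else:
        raise ValueError("mode must be 'ro', 'rw' or 'public'")
    return {"Statement": [{
        "Sid": f"* on bucket-tenant-{mode} policy",
        "Effect": "Allow",
        "Principal": principal,
        "Action": list(actions),
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }]}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} / {"AWS": ["*"]}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_grants(policy: dict) -> list:
    """Return (Sid, actions) for every unconditional Allow open to anyone.

    A non-empty result means the policy publishes the bucket.
    """
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if _is_anonymous(stmt.get("Principal")):
            found.append((stmt.get("Sid", ""), _as_list(stmt.get("Action"))))
    return found


def leftover_placeholder(policy: dict, placeholder: str = "BUCKET-NAME") -> bool:
    """True if the placeholder still appears in any Resource ARN."""
    return any(placeholder in res
               for stmt in policy.get("Statement", [])
               for res in _as_list(stmt.get("Resource")))


def put_policy_command(profile: str, bucket: str, policy_path: str) -> str:
    """The aws CLI invocation from the guide, with arguments shell-quoted."""
    return " ".join(["aws s3api put-bucket-policy",
                     "--profile", shlex.quote(profile),
                     "--endpoint-url", ENDPOINT,
                     "--bucket", shlex.quote(bucket),
                     "--policy", "file://" + policy_path])


if __name__ == "__main__":
    tenant = tenant_from_credentials(SAMPLE_CREDENTIALS)
    bucket = "my-project-data"  # placeholder bucket name
    for mode in ("ro", "rw", "public"):
        policy = build_policy(bucket, mode, tenant)
        path = f"example_policy_tenant-{mode}.json"  # hypothetical output file
        if leftover_placeholder(policy):
            raise SystemExit("BUCKET-NAME placeholder was not replaced")
        print(json.dumps(policy, indent=2))
        for sid, actions in public_grants(policy):
            print(f"NOTE: statement '{sid}' grants {actions} to everyone")
        print(put_policy_command("test_user", bucket, path))
```

Run the check on any policy file you receive or write by hand, not only on the generated ones: load it with json.load, and treat a non-empty public_grants result or a True leftover_placeholder as a reason not to run the put-bucket-policy command. The public check deliberately ignores statements that carry a Condition, since an IP-restricted Allow is not the open sharing the page warns about; it also only looks at Allow statements, because a Deny with Principal "*" narrows access rather than widening it.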
In case you need a special Bucket Policy setup, e.g. access only from a particular IP address or sharing the bucket only with a particular user, you can contact us. We will prepare the JSON file with the appropriate Bucket Policy.

Last modified: 01.09.2022 18:22