Use the examples in this section to build StorageGRID Webscale access policies for buckets and groups.
Bucket policies specify the access permissions for the bucket that the policy is attached to. Bucket policies are configured using the S3 PutBucketPolicy API.
A bucket policy can be applied with the AWS CLI, where policy.json holds one of the JSON documents shown in the examples that follow. If the CLI is not already configured for the StorageGRID endpoint, add --endpoint-url so the command is sent to the grid rather than to AWS, and read the policy back with aws s3api get-bucket-policy --bucket examplebucket to confirm what was stored:
> aws s3api put-bucket-policy --bucket examplebucket --policy file://policy.json
{ "Statement": [ { "Sid": "AllowEveryoneReadOnlyAccess", "Effect": "Allow", "Principal": "*", "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": ["urn:sgws:s3:::examplebucket","urn:sgws:s3:::examplebucket/*"], } ] }
{ "Statement": [ { "Effect": "Allow", "Principal": { "SGWS": "95390887230002558202" }, "Action": "s3:*", "Resource": [ "urn:sgws:s3:::examplebucket", "urn:sgws:s3:::examplebucket/*" ] }, { "Effect": "Allow", "Principal": { "SGWS": "31181711887329436680" }, "Action": "s3:GetObject", "Resource": "urn:sgws:s3:::examplebucket/shared/*" }, { "Effect": "Allow", "Principal": { "SGWS": "31181711887329436680" }, "Action": "s3:ListBucket", "Resource": "urn:sgws:s3:::examplebucket", "Condition": { "StringLike": { "s3:prefix": "shared/*" } } } ] }
{ "Statement": [ { "Effect": "Allow", "Principal": { "SGWS": "urn:sgws:identity::95390887230002558202:federated-group/Marketing" }, "Action": "s3:*", "Resource": [ "urn:sgws:s3:::examplebucket", "urn:sgws:s3:::examplebucket/*" ] }, { "Effect": "Allow", "Principal": "*", "Action": ["s3:ListBucket","s3:GetObject"], "Resource": [ "urn:sgws:s3:::examplebucket", "urn:sgws:s3:::examplebucket/*" ] } ] }
{ "Statement": [ { "Sid": "AllowEveryoneReadWriteAccessIfInSourceIpRange", "Effect": "Allow", "Principal": "*", "Action": [ "s3:*Object", "s3:ListBucket" ], "Resource": ["urn:sgws:s3:::examplebucket","urn:sgws:s3:::examplebucket/*"], "Condition": { "IpAddress": {"sgws:SourceIp": "54.240.143.0/24"}, "NotIpAddress": {"sgws:SourceIp": "54.240.143.188"} } } ] }
{ "Statement": [ { "Effect": "Allow", "Principal": { "SGWS": "urn:sgws:identity::95390887230002558202:federated-user/Bob" }, "Action": [ "s3:*" ], "Resource": [ "urn:sgws:s3:::examplebucket", "urn:sgws:s3:::examplebucket/*" ] }, { "Effect": "Deny", "NotPrincipal": { "SGWS": "urn:sgws:identity::95390887230002558202:federated-user/Bob" }, "Action": [ "s3:*" ], "Resource": [ "urn:sgws:s3:::examplebucket", "urn:sgws:s3:::examplebucket/*" ] } ] }
Group policies specify the access permissions for the group that the policy is attached to. A group policy has no Principal element: the principal is implicitly the group itself, so every member of the group receives the permissions it grants. Group policies are configured using the Tenant Management Interface or the API.
When using the Tenant Management Interface to add or edit a group, you can use the S3 Policy dialog box to create or update the group policy by entering a valid JSON policy document, such as the following:
{ "Statement": [ { "Action": "s3:*", "Effect": "Allow", "Resource": "urn:sgws:s3:::*" } ] }
{ "Statement": [ { "Sid": "AllowGroupReadOnlyAccess", "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject" ], "Resource": "urn:sgws:s3:::*" } ] }
{ "Statement": [ { "Sid": "AllowListBucketOfASpecificUserPrefix", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "urn:sgws:s3:::department_bucket", "Condition": { "StringLike": { "s3:prefix": "${sgws:username}/*" } } }, { "Sid": "AllowUserSpecificActionsOnlyInTheSpecificUserPrefix", "Effect": "Allow", "Action": "s3:*Object", "Resource": "urn:sgws:s3:::department_bucket/${sgws:username}/*" } ] }
Example: write-once-read-many (WORM) protection. In this example, the Deny effect on PutOverwriteObject and DeleteObject protects the data and metadata of existing objects from being overwritten or deleted. A Deny grants nothing on its own, so combine this statement with an Allow (for instance the full-access group policy above) to let members create new objects that can then no longer be changed; because the protection is enforced by the policy, it holds only while the policy stays attached to the group.
{
  "Statement": [
    {
      "Sid": "WORMExamplePolicy",
      "Effect": "Deny",
      "Action": [ "s3:PutOverwriteObject", "s3:DeleteObject" ],
      "Resource": [ "urn:sgws:s3:::*" ]
    }
  ]
}
For more information, see Using the PutOverwriteObject permission and Write-once-read-many (WORM) protection.