Policy examples

Use the examples in this section to build StorageGRID Webscale access policies for buckets and groups.

Bucket policy examples

Bucket policies specify the access permissions for the bucket that the policy is attached to. Bucket policies are configured using the S3 PutBucketPolicy API.

A bucket policy can be configured using the AWS CLI with the following command:

> aws s3api put-bucket-policy --bucket examplebucket --policy file://policy.json

Example: Allow everyone read-only access to a bucket

In this example, everyone, including anonymous, is allowed to List the bucket and perform GetObject operations on all objects in the bucket. All other operations will be denied. Note that this policy might not be particularly useful since no one except the account root has permissions to write to the bucket.
{
  "Statement": [
    {
      "Sid": "AllowEveryoneReadOnlyAccess",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [ "s3:GetObject", "s3:ListBucket" ],
      "Resource": ["urn:sgws:s3:::examplebucket","urn:sgws:s3:::examplebucket/*"]
    }
  ]
}

Example: Allow everyone in one account full access, and everyone in another account read-only access to a bucket

In this example, everyone in one specified account is allowed full access to a bucket, while everyone in another specified account is only permitted to List the bucket and perform GetObject operations on objects in the bucket beginning with the ‘shared/’ object key prefix.
Note: In StorageGRID Webscale, objects created by a non-owner account (including anonymous accounts) are owned by the bucket owner account. The bucket policy applies to these objects.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "SGWS": "95390887230002558202"
      },
      "Action": "s3:*",
      "Resource": [
        "urn:sgws:s3:::examplebucket",
        "urn:sgws:s3:::examplebucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Principal": {
        "SGWS": "31181711887329436680"
      },
      "Action": "s3:GetObject",
      "Resource": "urn:sgws:s3:::examplebucket/shared/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "SGWS": "31181711887329436680"
      },
      "Action": "s3:ListBucket",
      "Resource": "urn:sgws:s3:::examplebucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": "shared/*"
        }
      }
    }
  ]
}

Example: Allow everyone read-only access to a bucket and full access by specified group

In this example, everyone, including anonymous, is allowed to List the bucket and perform GetObject operations on all objects in the bucket, while only users belonging to the group Marketing in the specified account are allowed full access.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "SGWS": "urn:sgws:identity::95390887230002558202:federated-group/Marketing"
      },
      "Action": "s3:*",
      "Resource": [
        "urn:sgws:s3:::examplebucket",
        "urn:sgws:s3:::examplebucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:ListBucket","s3:GetObject"],
      "Resource": [
        "urn:sgws:s3:::examplebucket",
        "urn:sgws:s3:::examplebucket/*"
      ]
    }
  ]
}

Example: Allow everyone read and write access to a bucket if client in IP range

In this example, everyone, including anonymous, is allowed to List the bucket and perform any Object operations on all objects in the bucket, provided that the requests come from a specified IP range (54.240.143.0 to 54.240.143.255, except 54.240.143.188). All other operations will be denied, and all requests outside of the IP range will be denied.
Note: The ‘Condition’ keyword is only supported in the Tenant Management Interface (StorageGRID Webscale version 10.4 or greater).
{
  "Statement": [
    {
      "Sid": "AllowEveryoneReadWriteAccessIfInSourceIpRange",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [ "s3:*Object", "s3:ListBucket" ],
      "Resource": ["urn:sgws:s3:::examplebucket","urn:sgws:s3:::examplebucket/*"],
      "Condition": {
        "IpAddress": {"sgws:SourceIp": "54.240.143.0/24"},
        "NotIpAddress": {"sgws:SourceIp": "54.240.143.188"}
      }
    }
  ]
}

Example: Allow full access to a bucket exclusively by a specified federated user

In this example, the federated user Bob is allowed full access to the examplebucket bucket and its objects. All other users, including ‘root’, are explicitly denied all operations. Note however that ‘root’ is never denied permissions to Put/Get/DeleteBucketPolicy.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "SGWS": "urn:sgws:identity::95390887230002558202:federated-user/Bob"
      },
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "urn:sgws:s3:::examplebucket",
        "urn:sgws:s3:::examplebucket/*"
      ]
    },
    {
      "Effect": "Deny",
      "NotPrincipal": {
        "SGWS": "urn:sgws:identity::95390887230002558202:federated-user/Bob"
      },
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "urn:sgws:s3:::examplebucket",
        "urn:sgws:s3:::examplebucket/*"
      ]
    }
  ]
}

Group policy examples

Group policies specify the access permissions for the group that the policy is attached to. There is no Principal element in the policy since it is implicit. Group policies are configured using the Tenant Management Interface or the API.

Example: Setting the group policy using the Tenant Management Interface

When using the Tenant Management Interface to add or edit a group, you can use the S3 Policy dialog box to create and update group policies using valid JSON strings:
[Screenshot: the S3 Policy dialog box showing a sample JSON policy]

Example: Allow group full access to all buckets

In this example, all members of the group are permitted full access to all buckets owned by the tenant account unless explicitly denied by bucket policy.
{
  "Statement": [
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "urn:sgws:s3:::*"
    }
  ]
}

Example: Allow group read-only access to all buckets

In this example, all members of the group are permitted read-only access to all buckets unless explicitly denied by bucket policy. Access to buckets owned by this account would be allowed unless explicitly denied by the target bucket policy.
{
  "Statement": [
    {
      "Sid": "AllowGroupReadOnlyAccess",
      "Effect": "Allow",
      "Action": [ "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject" ],
      "Resource": "urn:sgws:s3:::*"
    }
  ]
}

Example: Allow group members full access to only their “folder” in a bucket

In this example, members of the group are only permitted to list and access their specific folder (key prefix) in the specified bucket. Note that access permissions from other group policies and the bucket policy should be considered when determining the privacy of these folders.
Note: The ‘Condition’ keyword and sgws:username variable are only supported in the Tenant Management Interface (StorageGRID Webscale version 10.4 or later).
{
  "Statement": [
    {
      "Sid": "AllowListBucketOfASpecificUserPrefix",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "urn:sgws:s3:::department_bucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": "${sgws:username}/*"
        }
      }
    },
    {
      "Sid": "AllowUserSpecificActionsOnlyInTheSpecificUserPrefix",
      "Effect": "Allow",
      "Action": "s3:*Object",
      "Resource": "urn:sgws:s3:::department_bucket/${sgws:username}/*"
    }
  ]
}
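As an added example that is not part of the StorageGRID documentation, the following small Python evaluator applies the rules the examples on this page rely on: an explicit Deny wins, otherwise a matching Allow is required, actions and resources use wildcards such as s3:*Object, IpAddress/NotIpAddress test sgws:SourceIp, StringLike tests s3:prefix, and ${sgws:username} is expanded from the request. It embeds the folder policy above and works equally for the IP-range bucket policy and the WORM policy; Principal matching is omitted, and the matching semantics are an assumption modelled on AWS IAM behaviour rather than StorageGRID's own policy engine.

```python
import fnmatch
import ipaddress

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _subst(text, ctx):
    # Expand policy variables such as ${sgws:username} from the request context
    for k, v in ctx.items():
        text = text.replace("${" + k + "}", v)
    return text

def _condition_ok(cond, ctx):
    # Every operator/key pair must hold; a missing context key or unknown operator fails closed
    for op, pairs in cond.items():
        for key, pat in pairs.items():
            val, pats = ctx.get(key), [_subst(p, ctx) for p in _as_list(pat)]
            if val is None:
                return False
            if op in ("IpAddress", "NotIpAddress"):
                hit = any(ipaddress.ip_address(val) in ipaddress.ip_network(p, strict=False) for p in pats)
                ok = hit if op == "IpAddress" else not hit
            elif op == "StringLike":
                ok = any(fnmatch.fnmatchcase(val, p) for p in pats)
            else:
                ok = False
            if not ok:
                return False
    return True

def evaluate(policy, action, resource, ctx):
    """Return 'Allow' or 'Deny': an explicit Deny always wins, no matching Allow means Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, _subst(r, ctx)) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

# Group policy from the page: members may only list and access their own ${sgws:username}/ prefix
FOLDER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "urn:sgws:s3:::department_bucket",
     "Condition": {"StringLike": {"s3:prefix": "${sgws:username}/*"}}},
    {"Effect": "Allow", "Action": "s3:*Object", "Resource": "urn:sgws:s3:::department_bucket/${sgws:username}/*"}]}
```

One consequence worth checking with the evaluator: a ListBucket request that carries no prefix at all is denied by the folder policy, because the s3:prefix condition key is absent and the condition therefore fails closed.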

Example: PutOverwriteObject permission

In this example, the Deny Effect for PutOverwriteObject and DeleteObject protects the object’s data and metadata from being deleted or modified.

For more information, see Using the PutOverwriteObject permission and Write-once-read-many (WORM) protection.

{
  "Statement": [
    {
      "Sid": "WORMExamplePolicy",
      "Effect": "Deny",
      "Action": ["s3:PutOverwriteObject", "s3:DeleteObject"],
      "Resource": ["urn:sgws:s3:::*"]
    }
  ]
}