Follow these instructions to create and apply bucket policies in Multicloud Object Gateway.
Before you begin
Ensure you have the following:
Procedure
- Create the bucket policy in JSON format.
  For example:
  {
      "Version": "NewVersion",
      "Statement": [
          {
              "Sid": "Example",
              "Effect": "Allow",
              "Principal": [
                  "john.doe@example.com"
              ],
              "Action": [
                  "s3:GetObject"
              ],
              "Resource": [
                  "arn:aws:s3:::john_bucket"
              ]
          }
      ]
  }
- Using the AWS S3 client, run the put-bucket-policy command to apply the
  bucket policy to your S3 bucket:
  aws --endpoint ENDPOINT --no-verify-ssl s3api put-bucket-policy --bucket MyBucket --policy BucketPolicy
  - ENDPOINT: An S3 endpoint.
  - MyBucket: The name of the bucket to set the policy on.
  - BucketPolicy: A bucket policy JSON file.
  - --no-verify-ssl: Add this option if you are using the default self-signed certificates. It turns off TLS certificate verification for the command.
  For example:
  aws --endpoint https://s3-openshift-storage.apps.gogo44.noobaa.org --no-verify-ssl s3api put-bucket-policy --bucket MyBucket --policy file://BucketPolicy
For more information on the put-bucket-policy command, see AWS CLI Command Reference for put-bucket-policy.
Note: The principal element specifies the user that is allowed or denied access to a resource, such
as a bucket. Currently, only NooBaa accounts can be used as principals. In the case of object bucket
claims, NooBaa automatically creates an account obc-account.<generated bucket name>@noobaa.io.
Note: Bucket policy conditions are not supported.
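The two notes above (only NooBaa accounts as principals, no conditions) can be checked before the policy is applied. The following Python check is an added example, not part of the original procedure or of NooBaa; the function names, the constructed sample policy and the rule that an account name contains "@" are assumptions made for illustration.

```python
import json

REQUIRED = ("Effect", "Principal", "Action", "Resource")  # as in the page's example

# Constructed sample: the page's statement plus one that breaks both notes.
SAMPLE_POLICY = """{
  "Version": "NewVersion",
  "Statement": [
    {"Sid": "Example", "Effect": "Allow",
     "Principal": ["john.doe@example.com"],
     "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::john_bucket"]},
    {"Sid": "Bad", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::john_bucket"],
     "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}}}
  ]
}"""

def as_list(value):
    """Policy elements may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def principals(stmt):
    """Flatten the list form and the {"AWS": ...} map form of Principal."""
    raw = stmt.get("Principal", [])
    if isinstance(raw, dict):
        return [p for v in raw.values() for p in as_list(v)]
    return as_list(raw)

def lint_policy(text):
    """Return findings for a policy document; an empty list means none."""
    findings = []
    for n, stmt in enumerate(as_list(json.loads(text).get("Statement", []))):
        sid = stmt.get("Sid", f"statement[{n}]")
        findings += [f"{sid}: missing {k}" for k in REQUIRED if k not in stmt]
        if "Condition" in stmt:
            findings.append(f"{sid}: Condition is not supported")
        # Assumption: an account name contains "@", as in the page's examples.
        findings += [f"{sid}: principal {p!r} is not an account name"
                     for p in principals(stmt) if "@" not in str(p)]
    return findings

if __name__ == "__main__":
    print("\n".join(lint_policy(SAMPLE_POLICY)))
```

Run it against the policy file before put-bucket-policy; an empty result means none of these checks fired.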
What to do next
There are many available elements for bucket policies with regard to access permissions.