Using bucket policies in Multicloud Object Gateway

Follow these instructions to apply bucket policies in Multicloud Object Gateway.

Before you begin

Ensure you have the following:

Procedure

  1. Create the bucket policy in JSON format.

    For example:

    {
        "Version": "NewVersion",
        "Statement": [
            {
                "Sid": "Example",
                "Effect": "Allow",
                "Principal": [
                        "john.doe@example.com"
                ],
                "Action": [
                    "s3:GetObject"
                ],
                "Resource": [
                    "arn:aws:s3:::john_bucket"
                ]
            }
        ]
    }
  2. Using the AWS S3 client, run the put-bucket-policy command to apply the bucket policy to your S3 bucket:
    aws --endpoint ENDPOINT --no-verify-ssl s3api put-bucket-policy --bucket MyBucket --policy BucketPolicy
    ENDPOINT
        The S3 endpoint.
    MyBucket
        The name of the bucket to set the policy on.
    BucketPolicy
        The bucket policy JSON file.
    --no-verify-ssl
        Add this if you are using the default self-signed certificates. It disables TLS certificate verification for the request.
    For example:
    aws --endpoint https://s3-openshift-storage.apps.gogo44.noobaa.org --no-verify-ssl s3api put-bucket-policy --bucket MyBucket --policy file://BucketPolicy

    For more information on the put-bucket-policy command, see AWS CLI Command Reference for put-bucket-policy.

    Note: The principal element specifies the user that is allowed or denied access to a resource, such as a bucket. Currently, only NooBaa accounts can be used as principals. In the case of object bucket claims, NooBaa automatically creates an account named obc-account.<generated bucket name>@noobaa.io.
    Note: Bucket policy conditions are not supported.
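
The two notes above can be turned into a pre-flight check that runs before put-bucket-policy. The following Python sketch is an added example, not part of the product documentation or of NooBaa's code; the function names and the sample policy are constructed, and treating any principal that starts with arn: as a non-NooBaa account is a heuristic assumption.

```python
import json

# Constructed sample: the page's example policy with two problems introduced.
SAMPLE_POLICY = """{
  "Version": "NewVersion",
  "Statement": [{
    "Sid": "Example", "Effect": "Allow",
    "Principal": ["john.doe@example.com", "arn:aws:iam::111122223333:user/jane"],
    "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::john_bucket"],
    "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}}
  }]
}"""

def as_list(value):
    """A policy element may be a single value or a list; normalise to a list."""
    if isinstance(value, list):
        return value
    return [] if value is None else [value]

def lint_bucket_policy(text):
    """Return a list of findings; an empty list means every check passed."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(policy, dict) or not as_list(policy.get("Statement")):
        return ["policy has no Statement element"]
    findings = []
    for index, stmt in enumerate(as_list(policy["Statement"])):
        if not isinstance(stmt, dict):
            findings.append(f"statement {index}: not a JSON object")
            continue
        sid = stmt.get("Sid", f"statement {index}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{sid}: Effect must be Allow or Deny")
        if "Condition" in stmt:
            # The page states that bucket policy conditions are not supported.
            findings.append(f"{sid}: Condition is not supported")
        for element in ("Principal", "Action", "Resource"):
            if not as_list(stmt.get(element)):
                findings.append(f"{sid}: missing {element}")
        for principal in as_list(stmt.get("Principal")):
            # Heuristic (assumption): an AWS ARN is not a NooBaa account name.
            if isinstance(principal, str) and principal.startswith("arn:"):
                findings.append(f"{sid}: {principal} is not a NooBaa account")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_bucket_policy(SAMPLE_POLICY)) or "no findings")
```

Run it against the policy file before the put-bucket-policy call and apply the policy only when the returned list is empty.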

What to do next

There are many available elements for bucket policies with regard to access permissions.