Managing S3 public buckets

By using the mms3 command, you can create an anonymous account, which grants public access to the buckets. By using the s3api, you can set a policy, and after the policy is applied, the bucket becomes publicly accessible without access or secret keys.

Note:
  • Only a single anonymous account is supported.
  • An anonymous account can be created by using uid:gid or a username. Bucket path and account name are optional. For more information, see Managing an anonymous account.
  • Buckets cannot be created by using an anonymous account.
  • Public buckets must be created by using an account that has the same uid and gid as the anonymous account. For more information, see Managing S3 accounts.
  1. Create an anonymous account by using uid:gid. For more information, see Managing S3 accounts.
    mms3 account create --anonymous --uid 2001 --gid 8000
    A sample output is as follows:
    An anonymous account created successfully.
  2. Create an S3 account by using uid:gid.
    mms3 account create account1 --uid 2001 --gid 8000 --newBucketsPath /ibm/fs1/account1/
    A sample output is as follows:
    Account account1 created successfully.
    Access Key              Secret Key
    ----------------------  ----------------------------------------
    ImopR2DTisZPRBhZqT8w    tWaB1T9XiBg+ppIqsKB2uoOWAtf0CmOzhxFjzawt
  3. Create a bucket from the S3 client.
    alias account1_keys='AWS_ACCESS_KEY_ID=ImopR2DTisZPRBhZqT8w AWS_SECRET_ACCESS_KEY=tWaB1T9XiBg+ppIqsKB2uoOWAtf0CmOzhxFjzawt'
    account1_keys aws --endpoint http://9.30.247.107:6001 s3 mb s3://bucket10
    A sample output is as follows:
    make_bucket: bucket10
  4. Check the information about the anonymous account.
    mms3 account list --anonymous
    A sample output is as follows:

    Name       New Buckets Path   Uid   Gid   Access Key   Secret Key
    ---------  -----------------  ----  ----  -----------  -----------
    anonymous  -                  2001  8000  -            -
  5. Set the bucket policy by using the S3 client.
    alias account1_keys='AWS_ACCESS_KEY_ID=ImopR2DTisZPRBhZqT8w AWS_SECRET_ACCESS_KEY=tWaB1T9XiBg+ppIqsKB2uoOWAtf0CmOzhxFjzawt'
    account1_keys aws s3api put-bucket-policy --bucket bucket10 --policy '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["*"]},"Action":["s3:*"],"Resource":["arn:aws:s3:::bucket10/*","arn:aws:s3:::bucket10"]}]}' --endpoint http://x.y.z.zz
  6. Get the bucket policy information.
    account1_keys aws s3api get-bucket-policy --bucket bucket10 --endpoint http://x.y.z.zz
    A sample output is as follows:
    {
    "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"*\"]},\"Action\":[\"s3:*\"],\"Resource\":[\"arn:aws:s3:::bucket10/*\",\"arn:aws:s3:::bucket10\"]}]}"
    }
  7. Check which public bucket objects you can access.
    aws s3api list-objects --bucket bucket10 --endpoint http://x.y.z.zz --no-sign-request
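
The policy set with put-bucket-policy in this procedure allows `s3:*` to every principal, so it grants all S3 actions, not only reads, to unsigned requests. The following added example (not part of the original documentation or of the product) parses `get-bucket-policy` output like the sample above and reports anonymous Allow statements that grant more than read access. The `READ_ONLY` action set, the read-only comparison policy, and all function names are assumptions of this example.

```python
import json

# Actions this example treats as safe for anonymous callers (standard S3
# action names; the choice of set is an assumption, adjust to your needs).
READ_ONLY = {"s3:getobject", "s3:getobjectversion", "s3:listbucket"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_anonymous(principal):
    """True when the Principal element matches every caller, signed or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_public_policy(raw):
    """Return [(statement index, [grants beyond read-only])] for each
    anonymous Allow statement in `aws s3api get-bucket-policy` output."""
    doc = json.loads(raw)
    # get-bucket-policy wraps the policy document as a JSON string in "Policy".
    policy = json.loads(doc["Policy"]) if "Policy" in doc else doc
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not is_anonymous(stmt.get("Principal")):
            continue
        # Exact match only: wildcards such as "s3:*" or "s3:Get*" are reported,
        # because they can expand to actions outside the read-only set.
        risky = [a for a in _as_list(stmt.get("Action", [])) if a.lower() not in READ_ONLY]
        if "NotAction" in stmt:  # "everything except ..." is never read-only
            risky.append("NotAction")
        if risky:
            findings.append((index, risky))
    return findings

def wrap(policy):
    """Build the envelope that get-bucket-policy prints (constructed input)."""
    return json.dumps({"Policy": json.dumps(policy)})

RESOURCES = ["arn:aws:s3:::bucket10/*", "arn:aws:s3:::bucket10"]
# The policy from the put-bucket-policy step, and a constructed read-only variant.
PAGE_POLICY = wrap({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ["*"]}, "Action": ["s3:*"], "Resource": RESOURCES}]})
READ_POLICY = wrap({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ["*"]},
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": RESOURCES}]})

if __name__ == "__main__":
    for name, raw in (("page policy", PAGE_POLICY), ("read-only variant", READ_POLICY)):
        print(name, "->", audit_public_policy(raw) or "no anonymous grants beyond read-only")
```

To check a live bucket, pass the text printed by `aws s3api get-bucket-policy` to `audit_public_policy`; an empty list means no anonymous statement grants more than the read-only set.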