Policies on S3
Ceph Object Gateway supports a subset of the Amazon S3 policy language for configuring bucket access.
Read more about bucket policies in Ceph. Install AWS CLI to set policies.
Setting policies requires that aws has access to a profile whose access keys carry full permissions on the bucket.
Serving files on a website
To serve files from an S3 bucket on an external website, you must:
- Set the bucket's Cross-Origin Resource Sharing (CORS) policy.
- Allow read access to anonymous users.
Setting CORS policy
CORS is a security feature implemented in web browsers that controls how web applications hosted at one origin (domain) can interact with resources located at a different origin.
Create a file, cors_allow.json, with a CORS policy that allows GET requests from your website:
{
    "CORSRules": [
        {
            "AllowedOrigins": [
                "https://www.example.com"
            ],
            "AllowedHeaders": [
                "*"
            ],
            "AllowedMethods": [
                "GET"
            ],
            "ExposeHeaders": [
                "Date"
            ],
            "MaxAgeSeconds": 3600
        }
    ]
}
Adjust AllowedOrigins to your website, or use * to allow access from all origins. AllowedMethods are the HTTP methods that the origin is allowed to execute: GET, PUT, POST, DELETE, or HEAD.
Read more about CORS on AWS.
Set the policy with
aws --endpoint=https://s3.ice.ri.se s3api put-bucket-cors --cors-configuration file://cors_allow.json --bucket project-bucket
Read-only permission to anonymous users
Create the file public_read.json:
{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "MyPublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:GetObjectVersion"],
        "Resource": "arn:aws:s3:::project-bucket/*"
    }]
}
Change project-bucket to your bucket. Then set the policy with
aws --endpoint=https://s3.ice.ri.se s3api put-bucket-policy --policy file://public_read.json --bucket project-bucket
Files can now be accessed directly through the web, for example,
Denying bucket access to specific key
If you have multiple keys configured in aws, you can set different access permissions using policies. Here the key do:alt-key is denied access to list project-bucket and to read its objects. Create the JSON policy file user_deny.json:
{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "MyUserDeny",
        "Effect": "Deny",
        "Principal": {"AWS": "arn:aws:iam:::user/do:alt-key"},
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": [
            "arn:aws:s3:::project-bucket",
            "arn:aws:s3:::project-bucket/*"
        ]
    }]
}
The Resource lists both the bucket ARN, which s3:ListBucket acts on, and the object ARNs under it, which s3:GetObject acts on. A Deny that named only the bucket ARN would not match object reads, so any Allow statement covering the objects would still let this key fetch them.
Set the policy as in the previous example
aws --endpoint=https://s3.ice.ri.se s3api put-bucket-policy --policy file://user_deny.json --bucket project-bucket
When the user of that key tries to access the bucket
They receive the error
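To see how the public-read and user-deny statements above interact, here is an added example (not part of the Ceph documentation or the RGW code) that applies the IAM decision rule: explicit Deny beats Allow, and a statement only matches when its principal, action and resource ARN all match. It assumes the statements are merged into one bucket policy (put-bucket-policy replaces the whole policy, so in practice both go in one file), models no Conditions, ACLs or owner rights, and uses the page's bucket and user ARNs plus a constructed object name.

```python
import fnmatch

# Constructed from the two policies on this page; ARN formats are the page's own.
PUBLIC_READ = {"Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:GetObjectVersion"],
    "Resource": "arn:aws:s3:::project-bucket/*"}]}

# A deny naming only the bucket ARN ...
DENY_BUCKET_ONLY = {"Statement": [{
    "Effect": "Deny",
    "Principal": {"AWS": "arn:aws:iam:::user/do:alt-key"},
    "Action": ["s3:ListBucket", "s3:GetObject"],
    "Resource": "arn:aws:s3:::project-bucket"}]}

# ... and the same deny also naming the objects under it.
DENY_BUCKET_AND_OBJECTS = {"Statement": [{
    "Effect": "Deny",
    "Principal": {"AWS": "arn:aws:iam:::user/do:alt-key"},
    "Action": ["s3:ListBucket", "s3:GetObject"],
    "Resource": ["arn:aws:s3:::project-bucket",
                 "arn:aws:s3:::project-bucket/*"]}]}

ALT_KEY = "arn:aws:iam:::user/do:alt-key"
BUCKET = "arn:aws:s3:::project-bucket"
OBJECT = BUCKET + "/index.html"  # constructed sample object key

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_matches(principal, caller):
    # "*" is anyone, anonymous included; otherwise the caller's ARN must be listed.
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", []))
    return "*" in aws or caller in aws

def evaluate(policies, caller, action, resource):
    """Explicit Deny in any matching statement wins; otherwise any matching
    Allow wins; otherwise the request is implicitly denied."""
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if (_principal_matches(st["Principal"], caller)
                    and any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"]))
                    and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"]))):
                if st["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"
```

Running evaluate with DENY_BUCKET_ONLY shows the alt key still reads objects through the public Allow; only the variant that also names project-bucket/* blocks s3:GetObject for that key.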