
Policies on S3

Ceph Object Gateway supports a subset of the Amazon S3 policy language for configuring bucket access.

Read more about bucket policies in Ceph. Install AWS CLI to set policies.

Setting policies requires that the aws CLI is configured with a profile whose keys have full permissions on the bucket.

Serving files on a website

To serve files from an S3 bucket on an external website, you must

  1. Set the bucket's Cross-Origin Resource Sharing (CORS) policy.
  2. Allow read access to anonymous users.

Setting CORS policy

CORS is a security feature implemented in web browsers that controls how web applications hosted at one origin (domain) can interact with resources located at a different origin.

Create a file with a CORS policy that allows GET requests from your website

cors_allow.json
{
    "CORSRules": [
        {
            "AllowedOrigins": [
                "https://www.example.com"
            ],
            "AllowedHeaders": [
                "*"
            ],
            "AllowedMethods": [
                "GET"
            ],
            "ExposeHeaders": [
                "Date"
            ],
            "MaxAgeSeconds": 3600
        }
    ]
}

Adjust AllowedOrigins to your website, or use * to allow requests from any origin; * lets any site fetch the bucket's content from a browser, so it is only appropriate for content meant to be public. AllowedMethods lists the HTTP methods the origin is allowed to use: GET, PUT, POST, DELETE or HEAD.

Read more about CORS on AWS.

Set the policy with

aws --endpoint=https://s3.ice.ri.se s3api put-bucket-cors --cors-configuration file://cors_allow.json --bucket project-bucket

Read-only permission to anonymous users

Create the file

public_read.json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "MyPublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:GetObjectVersion"],
    "Resource": "arn:aws:s3:::project-bucket/*"
  }]
}

Change project-bucket to your bucket. Then set the policy with

aws --endpoint=https://s3.ice.ri.se s3api put-bucket-policy --policy file://public_read.json --bucket project-bucket

Files can now be accessed directly through the web, for example,

https://s3.ice.ri.se/ice-demo-bucket/ICE_logo.png

Denying bucket access to a specific key

If you have multiple keys configured in aws, you can give them different permissions using policies. Here the key do:alt-key is denied listing project-bucket and reading its objects. Create the JSON policy file

user_deny.json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "MyUserDeny",
    "Effect": "Deny",
    "Principal": {"AWS": "arn:aws:iam:::user/do:alt-key"},
    "Action": ["s3:ListBucket", "s3:GetObject"],
    "Resource": ["arn:aws:s3:::project-bucket", "arn:aws:s3:::project-bucket/*"]
  }]
}

Set the policy as in the previous example

aws --endpoint=https://s3.ice.ri.se s3api put-bucket-policy --policy file://user_deny.json --bucket project-bucket

When the owner of that key tries to list the bucket

aws --profile do:alt-key --endpoint=https://s3.ice.ri.se s3 ls s3://project-bucket/

They receive the error

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Unknown
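Before uploading a policy with put-bucket-policy, it is worth checking two things the examples above depend on: that object actions such as s3:GetObject are paired with an object resource (arn:aws:s3:::bucket/*) rather than only the bucket ARN, since a Deny or Allow with the wrong resource type silently matches nothing, and which statements grant anonymous (Principal "*") access. The following linter is an added example, not part of this page or of the Ceph or AWS tooling; the action sets and the two sample policies are constructed for illustration.

```python
import json

# Actions that match object ARNs ("arn:aws:s3:::bucket/key") versus the bucket ARN.
OBJECT_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion", "s3:PutObject", "s3:DeleteObject"}
BUCKET_ACTIONS = {"s3:ListBucket"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_object_arn(arn):
    # Only object ARNs have a "/" in the resource part after "arn:aws:s3:::".
    return "/" in arn.split(":::", 1)[-1]

def lint_policy(policy):
    """Return a list of findings for a bucket policy (dict or JSON string)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        resources = _as_list(stmt.get("Resource", []))
        has_object_arn = any(_is_object_arn(r) for r in resources)
        has_bucket_arn = any(not _is_object_arn(r) for r in resources)
        # Object actions paired only with a bucket ARN never match a request,
        # so an Allow grants nothing and a Deny blocks nothing for them.
        if actions & OBJECT_ACTIONS and not has_object_arn:
            findings.append(f"{sid}: {sorted(actions & OBJECT_ACTIONS)} need an "
                            "object resource such as arn:aws:s3:::<bucket>/*")
        if actions & BUCKET_ACTIONS and not has_bucket_arn:
            findings.append(f"{sid}: s3:ListBucket needs the bucket ARN arn:aws:s3:::<bucket>")
        # An Allow for Principal "*" is anonymous access: report what it exposes.
        if stmt.get("Effect") == "Allow" and stmt.get("Principal") == "*":
            findings.append(f"{sid}: anonymous access to {sorted(actions)} on {resources}")
    return findings

# Constructed samples: a Deny naming only the bucket ARN (so its s3:GetObject
# part is a no-op), and a public-read policy like the one above.
DENY_BUCKET_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "MyUserDeny", "Effect": "Deny",
    "Principal": {"AWS": "arn:aws:iam:::user/do:alt-key"},
    "Action": ["s3:ListBucket", "s3:GetObject"],
    "Resource": "arn:aws:s3:::project-bucket"}]}
PUBLIC_READ = {"Version": "2012-10-17", "Statement": [{
    "Sid": "MyPublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:GetObjectVersion"],
    "Resource": "arn:aws:s3:::project-bucket/*"}]}

if __name__ == "__main__":
    for name, doc in (("user_deny.json", DENY_BUCKET_ONLY), ("public_read.json", PUBLIC_READ)):
        print(name, lint_policy(doc) or ["no findings"])
```

Run it against your own policy file with lint_policy(open("user_deny.json").read()) before applying the policy; an empty list means neither check fired.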