Bucket Policy
Arvancloud Bucket Policy allows you to share your buckets with others. Using this feature, you may grant access to your buckets to users you've invited to your workspace by selecting the appropriate access level. If you are an enterprise or have many buckets in your user account, this feature will help you manage your files and buckets safely and optimally.
Policy Management
To activate this feature, open the "Policy Management" page from the Bucket Policy section after entering the Arvancloud Object Storage panel.
Then, by clicking on the "Add Bucket Policy" button, define a rule for sharing the bucket based on your needs.
On this page, you must enter the following:
Bucket: In this section, select the bucket for which you want to define a policy.
Note that you cannot define a new rule for buckets that already have a policy specified for them; instead, you must change the old rule.
Policy Name: Define an arbitrary name for your rule. This name can contain upper and lower case English letters or numbers.
Effect: Specify whether you want to allow or deny access to resources.
Users: In this section, you can select the users you want from the list of invited users or machine users created in your workspace.
You can manage the list of users from the User Management section.
Permissions: You can grant necessary permissions to users from the following options and control their access to resources.
Permission                   Description
Full Access                  Full access to the bucket
AbortMultipartUpload         Access to cancel a multipart upload
CreateBucket                 Access to create a new bucket
DeleteBucketPolicy           Access to delete the bucket policy
DeleteBucket                 Access to delete the bucket in the rule
DeleteObject                 Access to delete the null version of an object
DeleteObjectVersion          Access to delete a specific version of an object
GetBucketAcl                 Access to get the ACL settings of the bucket
GetBucketCORS                Access to get the CORS settings of the bucket
GetBucketNotification        Access to get the bucket notification settings
GetBucketPolicy              Access to get the policies of the bucket
GetBucketTagging             Access to get the bucket tags
GetBucketVersioning          Access to get the versioning status of the bucket
GetBucketWebsite             Access to get the bucket website settings
GetLifecycleConfiguration    Access to get the bucket lifecycle settings
GetObjectAcl                 Access to get the ACL settings of an object
GetObject                    Access to get an object
GetObjectTagging             Access to get object tags
PutObjectTagging             Access to add tags to an object
GetObjectVersionAcl          Access to get the ACL of a specific version of an object
GetObjectVersion             Access to get a specific version of an object
ListAllMyBuckets             Access to get a list of all buckets of the account
ListBucketMultipartUploads   Access to get a list of running multipart uploads
ListBucket                   Access to get the list of all or some objects of the bucket (up to 1000 objects)
ListBucketVersions           Access to get the metadata list of all versions of the bucket objects
ListMultipartUploadParts     Access to get the list of parts uploaded in a multipart upload
PutBucketAcl                 Access to set the level of access to a bucket by ACL
PutBucketCORS                Access to set the CORS settings of the bucket
PutBucketNotification        Access to get notifications of certain events
PutBucketPolicy              Access to add or replace the bucket policy
PutBucketTagging             Access to add tags to the bucket
PutBucketVersioning          Access to set the versioning status of the bucket
PutBucketWebsite             Access to set the bucket website
PutLifecycleConfiguration    Access to add or replace lifecycle rules
PutObjectAcl                 Access to set the ACL for objects
PutObject                    Access to add objects to the bucket
PutObjectVersionAcl          Access to set the ACL for existing objects
Objects: Specify which objects of the bucket are shared by entering an object name or prefix.
If you do not fill this field, the policy will be applied to all objects in the bucket.
Also, on this page and by clicking on the "Add another policy" button, you can define more rules for the bucket.
At the end, confirm the rule by clicking the save button.
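As an added example (not Arvancloud's code), the following Go program maps the form fields above onto a policy document of the same shape that the SDK and S3Browser sections of this page use. The PanelPolicy struct, the list of bucket-level permissions, and the prefix-to-ARN mapping are assumptions based on standard S3 resource semantics; the panel's own implementation is not documented here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// PanelPolicy mirrors the "Add Bucket Policy" form fields (constructed for this example).
type PanelPolicy struct {
	Bucket      string   // bucket the rule applies to
	Name        string   // policy name: English letters and digits only
	Effect      string   // "Allow" or "Deny"
	AccessKeys  []string // access keys of the invited or machine users
	Permissions []string // entries from the permissions table, e.g. "GetObject"
	Prefix      string   // object name or prefix; empty means every object in the bucket
}

// Permissions that act on the bucket itself rather than its objects, so the statement
// also needs the bare bucket ARN (assumption: standard S3 resource semantics apply).
var bucketLevel = map[string]bool{
	"DeleteBucket": true, "DeleteBucketPolicy": true, "GetBucketAcl": true,
	"GetBucketCORS": true, "GetBucketNotification": true, "GetBucketPolicy": true,
	"GetBucketTagging": true, "GetBucketVersioning": true, "GetBucketWebsite": true,
	"GetLifecycleConfiguration": true, "ListBucket": true, "ListBucketVersions": true,
	"ListBucketMultipartUploads": true, "PutBucketAcl": true, "PutBucketCORS": true,
	"PutBucketNotification": true, "PutBucketPolicy": true, "PutBucketTagging": true,
	"PutBucketVersioning": true, "PutBucketWebsite": true, "PutLifecycleConfiguration": true,
}

// validName enforces the stated "Policy Name" rule: English letters or digits only.
func validName(name string) bool {
	for _, r := range name {
		if !(r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z' || r >= '0' && r <= '9') {
			return false
		}
	}
	return name != ""
}

// ToPolicyJSON turns the form into a one-statement policy document of the shape used by
// the SDK and S3Browser examples on this page: principals as arn:aws:iam:::user/<access key>,
// resources narrowed to the chosen prefix.
func ToPolicyJSON(p PanelPolicy) (string, error) {
	switch {
	case p.Bucket == "":
		return "", fmt.Errorf("bucket is required")
	case !validName(p.Name):
		return "", fmt.Errorf("policy name %q must contain only English letters and digits", p.Name)
	case p.Effect != "Allow" && p.Effect != "Deny":
		return "", fmt.Errorf("effect must be Allow or Deny, got %q", p.Effect)
	case len(p.AccessKeys) == 0 || len(p.Permissions) == 0:
		return "", fmt.Errorf("at least one user and one permission are required")
	}
	principals := make([]string, 0, len(p.AccessKeys))
	for _, key := range p.AccessKeys {
		principals = append(principals, "arn:aws:iam:::user/"+key)
	}
	actions := make([]string, 0, len(p.Permissions))
	needBucketARN := false
	for _, perm := range p.Permissions {
		if perm == "Full Access" {
			actions, needBucketARN = []string{"s3:*"}, true
			break
		}
		actions = append(actions, "s3:"+perm)
		if bucketLevel[perm] {
			needBucketARN = true
		}
	}
	// Empty prefix keeps the "<bucket>/*" form used on this page; "reports/" gives "<bucket>/reports/*".
	resources := []string{fmt.Sprintf("arn:aws:s3:::%s/%s*", p.Bucket, strings.TrimPrefix(p.Prefix, "/"))}
	if needBucketARN {
		resources = append([]string{"arn:aws:s3:::" + p.Bucket}, resources...)
	}
	doc := map[string]interface{}{
		"Version": "2012-10-17",
		"Statement": []map[string]interface{}{{
			"Sid":       p.Name,
			"Effect":    p.Effect,
			"Principal": map[string]interface{}{"AWS": principals},
			"Action":    actions,
			"Resource":  resources,
		}},
	}
	out, err := json.MarshalIndent(doc, "", "  ")
	if err != nil {
		return "", err
	}
	return string(out), nil
}

func main() {
	// Constructed sample input: read-only access to one prefix for one invited user.
	doc, err := ToPolicyJSON(PanelPolicy{Bucket: "my-brand-new-bucket", Name: "ReportsReadOnly",
		Effect: "Allow", AccessKeys: []string{"ACCESS-KEY"}, Permissions: []string{"GetObject", "ListBucket"}, Prefix: "reports/"})
	if err != nil {
		panic(err)
	}
	fmt.Println(doc)
}
```

The prefix field is what keeps a share narrow: leaving it empty grants the listed permissions on every object in the bucket, exactly as the text above describes, while a prefix limits the statement's Resource to that subtree. Bucket-level permissions such as ListBucket get the bare bucket ARN added, because an object-only ARN would not cover them.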
Managing Policy with SDK
In addition to the Arvancloud user panel, you can also manage your bucket policies with the Object Storage SDK. For example, the following Go snippet (AWS SDK for Go v1) sets a read-only policy on a bucket for one invited user:
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/awserr"
	"github.com/aws/aws-sdk-go/aws/credentials"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/s3"
)

func main() {
	if len(os.Args) != 2 {
		exitErrorf("bucket name required\nUsage: %s bucket_name",
			filepath.Base(os.Args[0]))
	}
	bucket := os.Args[1]

	// Authenticate as the bucket owner: replace the placeholders with the
	// owner's access key and secret key.
	sess, err := session.NewSession(&aws.Config{
		Credentials: credentials.NewStaticCredentials("access_key_owner", "secret_key", ""),
	})
	if err != nil {
		exitErrorf("Unable to create session, %v", err)
	}
	svc := s3.New(sess, &aws.Config{
		Region:   aws.String("ir-thr-at1"),
		Endpoint: aws.String("s3.ir-thr-at1.arvanstorage.ir"),
	})

	// Create a read-only policy for one invited user as a map, filling in the
	// bucket as the resource. The principal is the invited user's access key
	// in arn:aws:iam:::user/<access key> form.
	readOnlyUserPolicy := map[string]interface{}{
		"Version": "2012-10-17",
		"Statement": []map[string]interface{}{
			{
				"Sid":    "AddPermDef",
				"Effect": "Allow",
				"Principal": map[string]interface{}{
					"AWS": []string{
						"arn:aws:iam:::user/Accesskey_invited_user",
					},
				},
				"Action": []string{
					"s3:GetObject",
					"s3:GetObjectTagging",
				},
				"Resource": []string{
					fmt.Sprintf("arn:aws:s3:::%s/*", bucket),
				},
			},
		},
	}

	// Marshal the policy into a JSON value so that it can be sent to S3.
	policy, err := json.Marshal(readOnlyUserPolicy)
	if err != nil {
		exitErrorf("Failed to marshal policy, %v", err)
	}

	// Call S3 to put the policy for the bucket.
	_, err = svc.PutBucketPolicy(&s3.PutBucketPolicyInput{
		Bucket: aws.String(bucket),
		Policy: aws.String(string(policy)),
	})
	if err != nil {
		if aerr, ok := err.(awserr.Error); ok && aerr.Code() == s3.ErrCodeNoSuchBucket {
			// Special-case a missing bucket so the CLI gives a direct message.
			exitErrorf("Bucket %q does not exist", bucket)
		}
		exitErrorf("Unable to set bucket %q policy, %v", bucket, err)
	}

	fmt.Printf("Successfully set bucket %q's policy\n", bucket)
}

func exitErrorf(msg string, args ...interface{}) {
	fmt.Fprintf(os.Stderr, msg+"\n", args...)
	os.Exit(1)
}
Managing Policy with S3Browser
If you use S3Browser to manage your objects and buckets, you can define the rule you want from the "Buckets" section and the "Edit Bucket Policy" option. After entering the policy, click the "Apply" button.
Note that you must enter the Access Key of the desired user in the "Principal" section.
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam:::user/ACCESS-KEY"
      },
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-brand-new-bucket/*"
      ]
    }
  ]
}
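As an added example that is not part of this page, of S3Browser, or of the Arvancloud SDK, the following Go program parses a bucket policy and reports Allow statements whose scope is wider than a named user, one bucket, or the listed permissions. It accepts both the single-string form of Principal, Action and Resource that S3Browser writes (as in the JSON above) and the array form the SDK snippet produces. The pagePolicy constant is the S3Browser example from this page; openPolicy is a constructed counter-example, and the risk descriptions in the output are this example's own wording.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// StringOrList accepts both the single-string form S3Browser writes
// ("AWS": "arn:...") and the array form the SDK example produces.
type StringOrList []string

func (s *StringOrList) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*s = StringOrList{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*s = StringOrList(many)
	return nil
}

// Principal is either the object form {"AWS": ...} or the bare string "*".
type Principal struct{ AWS StringOrList }

func (p *Principal) UnmarshalJSON(b []byte) error {
	var bare string
	if err := json.Unmarshal(b, &bare); err == nil {
		p.AWS = StringOrList{bare}
		return nil
	}
	var obj struct{ AWS StringOrList }
	if err := json.Unmarshal(b, &obj); err != nil {
		return err
	}
	p.AWS = obj.AWS
	return nil
}

type Statement struct {
	Sid       string
	Effect    string
	Principal Principal
	Action    StringOrList
	Resource  StringOrList
}

type Policy struct{ Statement []Statement }

// AuditPolicy parses a policy document and returns one message per Allow
// statement scope that reaches beyond a named user, a named bucket, or the
// listed permissions. Deny statements only narrow access and are skipped.
func AuditPolicy(doc string) ([]string, error) {
	var p Policy
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, fmt.Errorf("invalid policy JSON: %w", err)
	}
	var findings []string
	for _, st := range p.Statement {
		if st.Effect != "Allow" {
			continue
		}
		flag := func(issue string) { findings = append(findings, st.Sid+": "+issue) }
		for _, pr := range st.Principal.AWS {
			if pr == "*" {
				flag("principal * makes the grant public instead of per-user")
			}
		}
		for _, a := range st.Action {
			switch a {
			case "*", "s3:*":
				flag("action " + a + " grants every operation, including policy and ACL changes")
			case "s3:PutBucketPolicy", "s3:PutBucketAcl":
				flag("action " + a + " lets the grantee rewrite the bucket's own access rules")
			}
		}
		for _, r := range st.Resource {
			if r == "*" || r == "arn:aws:s3:::*" {
				flag("resource " + r + " is not limited to one bucket")
			}
		}
	}
	return findings, nil
}

// pagePolicy is the S3Browser example from this page; openPolicy is a
// constructed counter-example with every scope left wide open.
const pagePolicy = `{"Version":"2008-10-17","Statement":[{"Sid":"AllowPublicRead","Effect":"Allow",
"Principal":{"AWS":"arn:aws:iam:::user/ACCESS-KEY"},"Action":["s3:GetObject"],
"Resource":["arn:aws:s3:::my-brand-new-bucket/*"]}]}`

const openPolicy = `{"Version":"2012-10-17","Statement":[{"Sid":"Open","Effect":"Allow",
"Principal":"*","Action":"s3:*","Resource":"arn:aws:s3:::*"}]}`

func main() {
	for _, doc := range []string{pagePolicy, openPolicy} {
		findings, err := AuditPolicy(doc)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d finding(s)\n", len(findings))
		for _, f := range findings {
			fmt.Println("  " + f)
		}
	}
}
```

Run it over a policy before pasting it into S3Browser, or over the document returned by GetBucketPolicy, to confirm that every Allow statement names a specific access key and a specific bucket. A Deny statement with wildcards is deliberately not reported, since it can only remove access.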
User Management
You can see the list of users with whom you can share resources from the Bucket Policy menu and the "User Management" section. These users are the members of your workspace that you have invited earlier.
You can also grant access to machine users that you have created. Users created in this way in the Object Storage are not able to create resources for themselves and can only use resources that are shared with them.
These users can access shared resources through S3 or SDK tools only.
Shared Buckets
By clicking on the "Buckets" section in the Arvancloud user panel and from the "Shared Buckets" tab, you can view the buckets that have been shared with you and manage them.
If a bucket is shared with you and it is not in this list, you can use the "Add bucket" option.
You can also add these buckets in S3Browser. To do this, enter the name of the bucket you want from the "Buckets" menu and the "Add External Bucket" option, then click on the "Add External Bucket" button.
You can then manage this bucket according to its access level in S3Browser.