
Bucket Policy

Arvancloud Bucket Policy allows you to share your buckets with others. Using this feature, you may grant access to your buckets to users you've invited to your workspace by selecting the appropriate access level. If you are an enterprise or have many buckets in your user account, this feature will help you manage your files and buckets safely and optimally.

Policy Management

To activate this feature, open the "Policy Management" page from the Bucket Policy section after entering the Arvancloud Object Storage panel.

Then, by clicking on the "Add Bucket Policy" button, define a rule for sharing the bucket based on your needs.

On this page, you must enter the following:

  • Bucket: In this section, select the bucket for which you want to define a policy.

    Note that you cannot define a new rule for buckets that already have a policy specified for them; instead, you must change the old rule.

  • Policy Name: Define an arbitrary name for your rule. This name can contain upper and lower case English letters or numbers.

  • Effect: Specify whether you want to allow or deny access to resources.

  • Users: In this section, you can select the users you want from the list of invited users or machine users created in your workspace.

    You can manage the list of users from the User Management section.

  • Permissions: You can grant users the permissions they need from the following options and so control their access to resources. Note that Full Access, PutBucketPolicy and PutBucketAcl let the invited user change who else can access the bucket, so grant them only to users who should administer it.

    Permission                    Description
    Full Access                   Full access to the bucket
    AbortMultipartUpload          Cancel a multipart upload
    CreateBucket                  Create a new bucket
    DeleteBucketPolicy            Delete the bucket policy
    DeleteBucket                  Delete the bucket named in the rule
    DeleteObject                  Delete an object (its null version; deleting a specific version requires DeleteObjectVersion)
    DeleteObjectVersion           Delete a specific version of an object
    GetBucketAcl                  Read the ACL settings of the bucket
    GetBucketCORS                 Read the CORS settings of the bucket
    GetBucketNotification         Read the bucket notification settings
    GetBucketPolicy               Read the policies of the bucket
    GetBucketTagging              Read the bucket tags
    GetBucketVersioning           Read the versioning status of the bucket
    GetBucketWebsite              Read the bucket website settings
    GetLifecycleConfiguration     Read the bucket lifecycle settings
    GetObjectAcl                  Read the ACL settings of an object
    GetObject                     Read (download) an object
    GetObjectTagging              Read the tags of an object
    PutObjectTagging              Add tags to an object
    GetObjectVersionAcl           Read the ACL of a specific version of an object
    GetObjectVersion              Read a specific version of an object
    ListAllMyBuckets              List all buckets of the account
    ListBucketMultipartUploads    List the multipart uploads in progress
    ListBucket                    List all or some objects of the bucket (up to 1000 objects per request)
    ListBucketVersions            List the metadata of all versions of the bucket's objects
    ListMultipartUploadParts      List the parts uploaded in a multipart upload
    PutBucketAcl                  Set the access level of the bucket by ACL
    PutBucketCORS                 Set the CORS settings of the bucket
    PutBucketNotification         Set the bucket notification settings for certain events
    PutBucketPolicy               Add or replace the bucket policy
    PutBucketTagging              Add tags to the bucket
    PutBucketVersioning           Set the versioning status of the bucket
    PutBucketWebsite              Set the bucket website settings
    PutLifecycleConfiguration     Add or replace lifecycle rules
    PutObjectAcl                  Set the ACL of an object
    PutObject                     Add objects to the bucket
    PutObjectVersionAcl           Set the ACL of a specific version of an object
  • Objects: specify which objects of the bucket are shared by entering an object name or prefix.

    If you do not fill this field, the policy will be applied to all objects in the bucket.

You can also define more rules for the bucket on this page by clicking the "Add another policy" button.

Finally, confirm the rule by clicking the Save button.
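The form fields above correspond directly to the statements of an S3 bucket policy document. As an added example, not part of Arvancloud's documentation or tooling, the following Go program builds that document from the form's inputs: each selected user's access key becomes a principal of the form arn:aws:iam:::user/ACCESS-KEY, the Objects prefix narrows the Resource to arn:aws:s3:::bucket/prefix* (an empty prefix covers the whole bucket), and permissions that act on the bucket itself are put in a separate statement on the bucket ARN. That split, and the Resource formats, follow standard S3 policy semantics and are assumed here to hold for Arvancloud. The names PanelRule and BuildPolicy, the bucket "team-data" and the access key placeholder are invented for illustration; ListAllMyBuckets is rejected because it is account-wide rather than bucket-scoped.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// PanelRule mirrors the fields of the "Add Bucket Policy" form.
type PanelRule struct {
	Bucket, Name, Effect string   // Effect is "Allow" or "Deny"
	AccessKeys           []string // invited or machine users, addressed by access key
	Permissions          []string // names from the permissions table, or "Full Access"
	Prefix               string   // object name or prefix; empty means the whole bucket
}

// Statement and Policy are the JSON document PutBucketPolicy expects; the
// exported field names double as the JSON keys.
type Statement struct {
	Sid, Effect      string
	Principal        map[string][]string
	Action, Resource []string
}

type Policy struct {
	Version   string
	Statement []Statement
}

// Assumed S3 semantics: bucket-level permissions are granted on arn:aws:s3:::bucket,
// object-level ones on arn:aws:s3:::bucket/prefix*. ListAllMyBuckets is account-wide.
var bucketLevel = map[string]bool{
	"CreateBucket": true, "DeleteBucket": true, "DeleteBucketPolicy": true, "GetBucketAcl": true,
	"GetBucketCORS": true, "GetBucketNotification": true, "GetBucketPolicy": true, "GetBucketTagging": true,
	"GetBucketVersioning": true, "GetBucketWebsite": true, "GetLifecycleConfiguration": true, "ListBucket": true,
	"ListBucketMultipartUploads": true, "ListBucketVersions": true, "PutBucketAcl": true, "PutBucketCORS": true,
	"PutBucketNotification": true, "PutBucketPolicy": true, "PutBucketTagging": true, "PutBucketVersioning": true,
	"PutBucketWebsite": true, "PutLifecycleConfiguration": true,
}

var objectLevel = map[string]bool{
	"AbortMultipartUpload": true, "DeleteObject": true, "DeleteObjectVersion": true, "GetObject": true,
	"GetObjectAcl": true, "GetObjectTagging": true, "GetObjectVersion": true, "GetObjectVersionAcl": true,
	"ListMultipartUploadParts": true, "PutObject": true, "PutObjectAcl": true, "PutObjectTagging": true,
	"PutObjectVersionAcl": true,
}

// BuildPolicy turns one panel rule into a policy document. Object permissions go
// into a statement scoped to the prefix and bucket permissions into a separate
// statement on the bucket ARN; anything the form would not accept is rejected.
func BuildPolicy(r PanelRule) (Policy, error) {
	p := Policy{Version: "2012-10-17"}
	if r.Effect != "Allow" && r.Effect != "Deny" {
		return p, fmt.Errorf("effect must be Allow or Deny, got %q", r.Effect)
	}
	if len(r.AccessKeys) == 0 {
		return p, fmt.Errorf("at least one user is required")
	}
	arns := make([]string, 0, len(r.AccessKeys))
	for _, k := range r.AccessKeys {
		arns = append(arns, "arn:aws:iam:::user/"+k)
	}
	var objActs, bucketActs []string
	for _, perm := range r.Permissions {
		switch {
		case perm == "Full Access": // the panel's Full Access is s3:* on the bucket and its objects
			objActs, bucketActs = append(objActs, "s3:*"), append(bucketActs, "s3:*")
		case bucketLevel[perm]:
			bucketActs = append(bucketActs, "s3:"+perm)
		case objectLevel[perm]:
			objActs = append(objActs, "s3:"+perm)
		default:
			return p, fmt.Errorf("unknown or account-level permission %q", perm)
		}
	}
	add := func(sid string, acts []string, resource string) {
		if len(acts) > 0 {
			p.Statement = append(p.Statement, Statement{Sid: r.Name + sid, Effect: r.Effect,
				Principal: map[string][]string{"AWS": arns}, Action: acts, Resource: []string{resource}})
		}
	}
	prefix := strings.TrimPrefix(r.Prefix, "/")
	add("Objects", objActs, fmt.Sprintf("arn:aws:s3:::%s/%s*", r.Bucket, prefix))
	add("Bucket", bucketActs, "arn:aws:s3:::"+r.Bucket)
	return p, nil
}

func main() {
	// Constructed example: read-only access to the "reports/" prefix of bucket "team-data".
	pol, err := BuildPolicy(PanelRule{Bucket: "team-data", Name: "ReportsReadOnly", Effect: "Allow",
		AccessKeys: []string{"INVITED_USER_ACCESS_KEY"}, Prefix: "reports/",
		Permissions: []string{"GetObject", "GetObjectTagging", "ListBucket"}})
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(pol, "", "  ")
	fmt.Println(string(out))
}
```

The generated document is what the panel ultimately sends for you; feeding the same struct to PutBucketPolicy, as in the SDK section of this page, gives you a reviewable, version-controlled alternative to clicking through the form.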

Managing Policy with SDK

In addition to the Arvancloud user panel, you can manage your bucket policies with any S3-compatible SDK. For example, the following Go snippet uses aws-sdk-go to grant one invited user read-only access to the objects of a bucket; run it with the bucket owner's access key and secret key:

package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/awserr"
	"github.com/aws/aws-sdk-go/aws/credentials"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/s3"
)

func main() {
	if len(os.Args) != 2 {
		exitErrorf("bucket name required\nUsage: %s bucket_name",
			filepath.Base(os.Args[0]))
	}
	bucket := os.Args[1]

	// The policy must be set with the credentials of the bucket owner.
	// Replace the placeholders with the owner's access key and secret key.
	sess, err := session.NewSession(&aws.Config{
		Credentials: credentials.NewStaticCredentials("access_key_owner", "secret_key", ""),
	})
	if err != nil {
		exitErrorf("Unable to create session, %v", err)
	}
	svc := s3.New(sess, &aws.Config{
		Region:   aws.String("ir-thr-at1"),
		Endpoint: aws.String("s3.ir-thr-at1.arvanstorage.ir"),
	})

	// Build the policy as a map and fill in the bucket as the resource.
	// The principal is the invited user, identified by their access key
	// (not an anonymous principal), and the statement grants read-only
	// access to the objects in the bucket.
	readOnlyUserPolicy := map[string]interface{}{
		"Version": "2012-10-17",
		"Statement": []map[string]interface{}{
			{
				"Sid":    "AddPermDef",
				"Effect": "Allow",
				"Principal": map[string]interface{}{
					"AWS": []string{
						"arn:aws:iam:::user/Accesskey_invited_user",
					},
				},
				"Action": []string{
					"s3:GetObject",
					"s3:GetObjectTagging",
				},
				"Resource": []string{
					fmt.Sprintf("arn:aws:s3:::%s/*", bucket),
				},
			},
		},
	}

	// Marshal the policy into JSON so that it can be sent to the service.
	policy, err := json.Marshal(readOnlyUserPolicy)
	if err != nil {
		exitErrorf("Failed to marshal policy, %v", err)
	}

	// Call PutBucketPolicy to set the policy on the bucket.
	_, err = svc.PutBucketPolicy(&s3.PutBucketPolicyInput{
		Bucket: aws.String(bucket),
		Policy: aws.String(string(policy)),
	})
	if err != nil {
		if aerr, ok := err.(awserr.Error); ok && aerr.Code() == s3.ErrCodeNoSuchBucket {
			// Give a more direct error message when the bucket does not exist.
			exitErrorf("Bucket %q does not exist", bucket)
		}
		exitErrorf("Unable to set bucket %q policy, %v", bucket, err)
	}

	fmt.Printf("Successfully set bucket %q's policy\n", bucket)
}

func exitErrorf(msg string, args ...interface{}) {
	fmt.Fprintf(os.Stderr, msg+"\n", args...)
	os.Exit(1)
}

Managing Policy with S3Browser

If you use S3Browser to manage your objects and buckets, you can define the rule you want from the "Buckets" section and the "Edit Bucket Policy" option. After entering the policy, click the "Apply" button.

Note that the Principal must contain the Access Key of the user you want to share with, in the form arn:aws:iam:::user/ACCESS-KEY, as in the following example:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam:::user/ACCESS-KEY"
      },
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-brand-new-bucket/*"
      ]
    }
  ]
}
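Before applying a policy from S3Browser or an SDK it is worth checking what it actually grants. The Sid in the example above reads "AllowPublicRead", but a Sid is only a label; the statement is scoped to one access key and is not public. What would make a bucket public is a Principal of "*", and what would hand over every operation is an Action of "s3:*" or "*". The following Go audit function is an added example, not part of Arvancloud or S3Browser. It parses a policy document, normalises Principal and Action (each may be written as a single string or as a list, the two forms that the two examples on this page use) and reports every Allow statement with a wildcard principal or a wildcard action. The function names and the sample policies in main are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Principal and Action may each be a single string or a list, so they are
// kept undecoded until stringList/principals normalise them.
type rawStatement struct {
	Sid       string          `json:"Sid"`
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"`
	Action    json.RawMessage `json:"Action"`
}

type rawPolicy struct {
	Version   string         `json:"Version"`
	Statement []rawStatement `json:"Statement"`
}

// stringList decodes a JSON string or a JSON array of strings.
func stringList(raw json.RawMessage) ([]string, error) {
	var one string
	if err := json.Unmarshal(raw, &one); err == nil {
		return []string{one}, nil
	}
	var many []string
	if err := json.Unmarshal(raw, &many); err != nil {
		return nil, fmt.Errorf("expected a string or a list, got %s", raw)
	}
	return many, nil
}

// principals flattens Principal, which is either the bare string "*" or an
// object such as {"AWS": "arn"} or {"AWS": ["arn1", "arn2"]}.
func principals(raw json.RawMessage) ([]string, error) {
	var single string
	if err := json.Unmarshal(raw, &single); err == nil {
		return []string{single}, nil
	}
	var obj map[string]json.RawMessage
	if err := json.Unmarshal(raw, &obj); err != nil {
		return nil, fmt.Errorf("unrecognised Principal %s", raw)
	}
	var out []string
	for _, v := range obj {
		list, err := stringList(v)
		if err != nil {
			return nil, err
		}
		out = append(out, list...)
	}
	return out, nil
}

// Finding is one over-broad grant: the statement's Sid and why it was flagged.
type Finding struct{ Sid, Reason string }

// AuditPolicy returns a finding for every Allow statement that opens the bucket
// to any principal ("*") or grants a wildcard action ("*", "s3:*", "s3:Put*").
// Deny statements are never flagged, whatever they contain.
func AuditPolicy(doc string) ([]Finding, error) {
	var p rawPolicy
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, fmt.Errorf("policy is not valid JSON: %w", err)
	}
	var findings []Finding
	for _, st := range p.Statement {
		if st.Effect != "Allow" {
			continue
		}
		who, err := principals(st.Principal)
		if err != nil {
			return nil, err
		}
		acts, err := stringList(st.Action)
		if err != nil {
			return nil, err
		}
		for _, w := range who {
			if w == "*" {
				findings = append(findings, Finding{st.Sid, "grants access to any principal"})
				break
			}
		}
		for _, a := range acts {
			if strings.HasSuffix(a, "*") {
				findings = append(findings, Finding{st.Sid, "wildcard action " + a})
			}
		}
	}
	return findings, nil
}

func main() {
	// Constructed inputs: the first mirrors the S3Browser example (one access key,
	// so nothing is flagged); the second really is public and grants every action.
	scoped := `{"Version":"2008-10-17","Statement":[{"Sid":"AllowPublicRead","Effect":"Allow","Principal":{"AWS":"arn:aws:iam:::user/ACCESS-KEY"},"Action":["s3:GetObject"],"Resource":["arn:aws:s3:::my-brand-new-bucket/*"]}]}`
	public := `{"Version":"2012-10-17","Statement":[{"Sid":"Oops","Effect":"Allow","Principal":"*","Action":"s3:*","Resource":"arn:aws:s3:::my-brand-new-bucket/*"}]}`
	for _, doc := range []string{scoped, public} {
		f, err := AuditPolicy(doc)
		fmt.Println(len(f), f, err)
	}
}
```

Run the check against the JSON you are about to paste into S3Browser, or against the output of GetBucketPolicy after the fact; an empty result means no statement hands the bucket to anonymous users or grants unrestricted actions, which is the minimum you want before sharing a bucket outside your own account.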

User Management

You can see the list of users with whom you can share resources from the Bucket Policy menu and the "User Management" section. These users are the members of your workspace that you have invited earlier.

You can also grant access to machine users that you have created. Machine users created in Object Storage cannot create resources of their own and can only use resources that are shared with them.

These users can access shared resources only through S3-compatible client tools or SDKs.

Shared Buckets

By clicking on the "Buckets" section in the Arvancloud user panel and from the "Shared Buckets" tab, you can view the buckets that have been shared with you and manage them.

If a bucket has been shared with you but does not appear in this list, add it with the "Add bucket" option.

You can also add these buckets in S3Browser. To do this, open the "Buckets" menu, choose the "Add External Bucket" option, enter the name of the bucket you want and click the "Add External Bucket" button.

You can then manage this bucket according to its access level in S3Browser.