admin/3engines_doc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
3engines_doc/docs/s3/Bucket-sharing-using-s3-bucket-policy-on-connectVM-Cloud.html.md
govardhan 365216ccd8 brand changes have been done
2025-08-16 08:07:54 +05:30

292 lines
8.3 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Bucket sharing using s3 bucket policy on connectVM Cloud[🔗](#bucket-sharing-using-s3-bucket-policy-on-brand-name "Permalink to this headline")
===============================================================================================================================================
S3 bucket policy[🔗](#s3-bucket-policy "Permalink to this headline")
-------------------------------------------------------------------
**Ceph** - the Software Defined Storage used in connectVM Cloud cloud, providing object storage compatibility with a subset of Amazon S3 API. Bucket policy in Ceph is part of the S3 API and allows for a selective access sharing to object storage buckets between users of different projects, in the same cloud.
Naming conventions used in this document[🔗](#naming-conventions-used-in-this-document "Permalink to this headline")
-------------------------------------------------------------------------------------------------------------------
Bucket Owner
: connectVM tenant who created an object storage bucket in their project, intending to share to their bucket or a subset of objects in the bucket to another tenant in the same cloud.
Bucket User
: connectVM tenant who wants to gain access to a Bucket Owners object storage bucket.
Bucket Owners Project
: A project in which a shared bucket is created.
Bucket Users Project
: A project which gets access to Bucket Owners object storage bucket.
Tenant Admin
: A tenants administrator user who can create connectVM projects and manage users and roles within their domain.
In code examples, values typed in all-capital letters, such as BUCKET\_OWNER\_PROJECT\_ID, are placeholders which should be replaced with actual values matching your use-case.
Limitations[🔗](#limitations "Permalink to this headline")
---------------------------------------------------------
It is possible to grant access at the project level only, not at the user level. In order to grant access to an individual user,
Bucket Users Tenant Admin must create a separate project within their domain, which only selected users will be granted access to.
Ceph S3 implementation
> * supports the following S3 actions by setting bucket policy but
> * does not support user, role or group policies.
S3cmd CONFIGURATION[🔗](#s3cmd-configuration "Permalink to this headline")
-------------------------------------------------------------------------
To share bucket using S3 bucket policy you have to configure s3cmd first using this tutorial [How to access private object storage using S3cmd or boto3 on connectVM Cloud](How-to-access-private-object-storage-using-S3cmd-or-boto3-on-connectVM-Cloud.html.md)
Declaring bucket policy[🔗](#declaring-bucket-policy "Permalink to this headline")
---------------------------------------------------------------------------------
Important
The code in this article will work only if the value of **Version** parameter is
```
"Version": "2012-10-17",
```
### Policy JSON files sections[🔗](#policy-json-file-s-sections "Permalink to this headline")
Bucket policy is declared using a JSON file. It can be created using editors such as **vim** or **nano**. Here is an example policy JSON template:
```
{
"Id": "POLICY_ID",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "STATEMENT_NAME",
"Action": [
"s3:ACTION_1",
"s3:ACTION_2"
],
"Effect": "EFFECT",
"Resource": "arn:aws:s3:::KEY_SPECIFICATION",
"Condition": {
"CONDITION_1": {
}
},
"Principal": {
"AWS": [
"arn:aws:iam::PROJECT_ID:root"
]
}
}
]
}
```
POLICY\_ID
: ID of your policy.
STATEMENT\_NAME
: Name of your statement.
ACTION
: Actions that you grant access to bucket user to perform on the bucket.
PROJECT\_ID
: Project ID
### List of actions[🔗](#list-of-actions "Permalink to this headline")
```
s3:AbortMultipartUpload
s3:CreateBucket
s3:DeleteBucketPolicy
s3:DeleteBucket
s3:DeleteBucketWebsite
s3:DeleteObject
s3:DeleteObjectVersion
s3:GetBucketAcl
s3:GetBucketCORS
s3:GetBucketLocation
s3:GetBucketPolicy
s3:GetBucketRequestPayment
s3:GetBucketVersioning
s3:GetBucketWebsite
s3:GetLifecycleConfiguration
s3:GetObjectAcl
s3:GetObject
s3:GetObjectTorrent
s3:GetObjectVersionAcl
s3:GetObjectVersion
s3:GetObjectVersionTorrent
s3:ListAllMyBuckets
s3:ListBucketMultiPartUploads
s3:ListBucket
s3:ListBucketVersions
s3:ListMultipartUploadParts
s3:PutBucketAcl
s3:PutBucketCORS
s3:PutBucketPolicy
s3:PutBucketRequestPayment
s3:PutBucketVersioning
s3:PutBucketWebsite
s3:PutLifecycleConfiguration
s3:PutObjectAcl
s3:PutObject
s3:PutObjectVersionAcl
```
### KEY\_SPECIFICATION[🔗](#key-specification "Permalink to this headline")
It defines a bucket and its keys/objects. For example:
```
"arn:aws:s3:::*" - the bucket and all of its objects
"arn:aws:s3:::MY_SHARED_BUCKET/*" - all objects of mybucket
"arn:aws:s3:::MY_SHARED_BUCKET/myfolder/*" - all objects which are subkeys to myfolder in mybucket
```
### Conditions[🔗](#conditions "Permalink to this headline")
Additional conditions to filter access to the bucket. For example you can grant access to the specific IP Address using:
```
"Condition": {
"IpAddress": {
"aws:SourceIp": "USER_IP_ADRESS/32"
}
}
```
or, alternatively, you can permit access to the specific IP using:
```
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "PERMITTED_USER_IP_ADRESS/32"
}
}
```
SETTING A POLICY ON THE BUCKET[🔗](#setting-a-policy-on-the-bucket "Permalink to this headline")
-----------------------------------------------------------------------------------------------
The policy may be set on a bucket using:
```
s3cmd setpolicy POLICY_JSON_FILE s3://MY_SHARED_BUCKET command.
```
To check policy on a bucket, use the following command:
```
s3cmd info s3://MY_SHARED_BUCKET
```
The policy may be deleted from the bucket using:
```
s3cmd delpolicy s3://MY_SHARED_BUCKET
```
Sample scenarios[🔗](#sample-scenarios "Permalink to this headline")
-------------------------------------------------------------------
### 1 Grant read/write access to a Bucket User using his **PROJECT\_ID**[🔗](#grant-read-write-access-to-a-bucket-user-using-his-project-id "Permalink to this headline")
A Bucket Owner wants to grant a bucket a read/write access to a Bucket User, using his **PROJECT\_ID**:
```
{
"Version": "2012-10-17",
"Id": "read-write",
"Statement": [
{
"Sid": "project-read-write",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::BUCKET_OWNER_PROJECT_ID:root",
"arn:aws:iam::BUCKET_USER_PROJECT_ID:root"
]
},
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:DeleteObject",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::*"
]
}
]
}
```
Lets assume that the file with this policy is named “read-write-policy.json”. To apply it, Bucket Owner should issue:
```
s3cmd setpolicy read-write-policy.json s3://MY_SHARED_BUCKET
```
Then, to access the bucket, for example list the bucket, Bucket User should issue:
```
s3cmd ls s3://MY_SHARED_BUCKET
```
### 2 Limit read/write access to a Bucket to users accessing from specific IP address range[🔗](#limit-read-write-access-to-a-bucket-to-users-accessing-from-specific-ip-address-range "Permalink to this headline")
A Bucket Owner wants to grant read/write access to Bucket Users which access the bucket from specific IP ranges.
(In this case, we are setting AWS to “\*” which will theoretically grant access to every Project in connectVM Cloud, then however we are going to filter access to only one IP)
```
{
"Id": "Policy1654675551882",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1654675545682",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::MY_SHARED_BUCKET/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "IP_ADRESS/32"
}
},
"Principal": {
"AWS": [
"*"
]
}
}
]
}
```
Lets assume that the file with this policy is named “read-write-policy-ip.json”. To apply it, Bucket Owner should issue:
```
s3cmd setpolicy read-write-policy-ip.json s3://MY_SHARED_BUCKET
```
Reference in New Issue View Git Blame Copy Permalink