Sharing Ceph-S3 data

A bucket policy is an access-policy option that lets you grant permissions on your Amazon S3 resources using the JSON-based access policy language. The UniMelb Object Storage Gateway bucket policy is compatible with the S3 bucket policy. Please note that, at the time of writing, the UniMelb Object Storage Gateway does not support user policies, so access is granted on the bucket itself rather than on the account. For detailed examples of bucket policies, please refer to the following Amazon article: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html.

The following sections detail a number of specific use cases for the UniMelb Object Storage Gateway.

Provide Read-only Access to Your S3-compatible Object Storage

Preparation

  • You will need to apply for an additional access account (this is the account the bucket policy grants read access to); please contact Research Computing Services for this account before proceeding.

  • Click the readOnlyPolicy.json file below and download it to your desktop.

readOnlyPolicy.json
{ 
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Principal":{
        "AWS":[
          "arn:aws:iam::$TENANT:user/$USER"
        ]
      },
      "Action":[
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource":[
        "arn:aws:s3:::$BUCKET/*",
        "arn:aws:s3:::$BUCKET"
      ]
    }
  ]
}

Open readOnlyPolicy.json in any text editor and replace the $TENANT, $USER and $BUCKET placeholders with your own values. $TENANT and $USER identify the additional access account that is being granted read access (the Principal), and $BUCKET is the bucket being shared. For example, below is the policy with $TENANT set to 2019UOM001, $USER set to access and $BUCKET set to readOnly-Bucket.

{ 
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Principal":{
        "AWS":[
          "arn:aws:iam::2019UOM001:user/access"
        ]
      },
      "Action":[
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource":[
        "arn:aws:s3:::readOnly-Bucket/*",
        "arn:aws:s3:::readOnly-Bucket"
      ]
    }
  ]
}
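The substitution above is easy to get wrong by hand (a placeholder left behind, or the bucket ARN dropped so that s3:ListBucket has nothing to apply to). The following script, an added example that is not part of the UniMelb documentation, fills in the page's readOnlyPolicy.json template from the three values and sanity-checks the result before you apply it. The template text is copied from the page; the function names, the checks and the output file name are this example's own assumptions.

```python
"""Added example (not part of the UniMelb documentation): render the
readOnlyPolicy.json template from the page and sanity-check the result
before applying it to the bucket with s3cmd."""
import json
import re
from pathlib import Path

# Template copied from the page's readOnlyPolicy.json.
TEMPLATE = """{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Principal":{ "AWS":[ "arn:aws:iam::$TENANT:user/$USER" ] },
      "Action":[ "s3:GetObject", "s3:ListBucket" ],
      "Resource":[ "arn:aws:s3:::$BUCKET/*", "arn:aws:s3:::$BUCKET" ]
    }
  ]
}"""

PLACEHOLDER = re.compile(r"\$(TENANT|USER|BUCKET)\b")
IAM_USER_ARN = re.compile(r"arn:aws:iam::[^:]+:user/.+")


def render_policy(tenant, user, bucket):
    """Substitute the three placeholders and parse the result as JSON.

    tenant/user identify the *access* account being granted read access
    (the Principal), not the admin account that owns the bucket.
    """
    values = {"TENANT": tenant, "USER": user, "BUCKET": bucket}
    text = PLACEHOLDER.sub(lambda m: values[m.group(1)], TEMPLATE)
    return json.loads(text)  # raises if the edited template is no longer valid JSON


def check_policy(policy):
    """Return a list of problems found; an empty list means the policy looks sound."""
    problems = []
    leftover = sorted(set(PLACEHOLDER.findall(json.dumps(policy))))
    if leftover:
        problems.append(f"placeholders still present: {leftover}")
    for stmt in policy["Statement"]:
        for arn in stmt["Principal"]["AWS"]:
            if not IAM_USER_ARN.fullmatch(arn):
                problems.append(f"malformed principal ARN: {arn}")
        actions = set(stmt["Action"])
        resources = set(stmt["Resource"])
        # Everything after "arn:aws:s3:::" is BUCKET or BUCKET/KEY-PATTERN.
        bucket_arns = {r for r in resources if "/" not in r.partition(":::")[2]}
        object_arns = resources - bucket_arns
        # s3:ListBucket is a bucket-level action and needs arn:aws:s3:::BUCKET.
        if "s3:ListBucket" in actions and not bucket_arns:
            problems.append("s3:ListBucket granted but no bucket ARN in Resource")
        # s3:GetObject is object-level and needs arn:aws:s3:::BUCKET/*.
        if "s3:GetObject" in actions and not object_arns:
            problems.append("s3:GetObject granted but no object ARN (BUCKET/*) in Resource")
        if actions & {"s3:PutObject", "s3:DeleteObject"}:
            problems.append("policy is not read-only: it grants write actions")
    return problems


def write_policy(policy, path="readOnlyPolicy.rendered.json"):
    """Write the rendered policy to disk (file name is this example's choice).

    Apply it afterwards with the bucket owner's credentials, e.g.
    `s3cmd -c admin_config setpolicy readOnlyPolicy.rendered.json s3://readOnly-Bucket`.
    """
    Path(path).write_text(json.dumps(policy, indent=2) + "\n")
    return path


if __name__ == "__main__":
    pol = render_policy("2019UOM001", "access", "readOnly-Bucket")
    issues = check_policy(pol)
    print("problems:", issues or "none")
    if not issues:
        print("written to", write_policy(pol))
```

The checks encode the one rule people most often miss in this policy: s3:ListBucket applies to the bucket ARN, while s3:GetObject applies to the object ARN pattern, so both resource lines are required for the access account to both list and download.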

Set Bucket to Read-Only (using *s3cmd* as an example)

Create the bucket that will be set to "read-only" using your admin credentials. If you need help creating new s3cmd user credentials, please refer here.

$ s3cmd -c admin_config mb s3://readOnly-Bucket

This should list the content of this read-only bucket without issue.

  • Now try removing content from this read-only bucket using your access credentials:

$ s3cmd -c access_config rm s3://readOnly-Bucket/test.file

You should get this error message:

ERROR: S3 error: 403 (AccessDenied)

Uploading a file to this bucket produces the same error message, because the policy only grants the two read actions and anything not granted is denied. You can adjust the policy to allow uploading if you want.
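To see why `s3cmd ls` succeeds while `s3cmd rm` and `s3cmd put` return 403 AccessDenied, the following added example (not part of the UniMelb documentation or of Ceph RGW) implements a minimal bucket-policy evaluator and runs the page's commands through it. It models only the default-deny / Allow / explicit-Deny rule for one principal; real RGW evaluation also consults bucket ownership and ACLs, which this toy ignores. The policy and ARNs are constructed from the page's example; the mapping of s3cmd commands to S3 actions and the `with_upload` adjustment are this example's own.

```python
"""Added example (not part of the UniMelb documentation or of Ceph RGW):
a minimal S3 bucket-policy evaluator that reproduces, offline, the
403 AccessDenied the access account gets on `s3cmd rm` and `s3cmd put`."""
import copy
import fnmatch

# Constructed from the page's example: tenant 2019UOM001, user access,
# bucket readOnly-Bucket.
ACCESS_USER = "arn:aws:iam::2019UOM001:user/access"
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [ACCESS_USER]},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::readOnly-Bucket/*", "arn:aws:s3:::readOnly-Bucket"],
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    # "*" or {"AWS": "*"} means anyone; otherwise the caller's ARN must be listed.
    if principal == "*":
        return True
    return any(p in ("*", caller_arn) for p in _as_list(principal.get("AWS", [])))


def evaluate(policy, caller_arn, action, resource_arn):
    """Return "Allow" or "Deny" for one request.

    An explicit Deny wins; otherwise any matching Allow grants; otherwise the
    request is implicitly denied, which is the 403 seen on the page.
    Action and Resource entries may use the policy wildcards "*" and "?".
    """
    decision = "Deny"  # implicit deny until a statement allows
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal", {}), caller_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# The s3cmd operations used on the page, mapped to the S3 action each needs
# and whether it is checked against the bucket ARN or an object ARN.
S3CMD_OPS = {
    "ls":  ("s3:ListBucket", "bucket"),
    "get": ("s3:GetObject", "object"),
    "put": ("s3:PutObject", "object"),
    "rm":  ("s3:DeleteObject", "object"),
}


def s3cmd_outcome(policy, caller_arn, command, bucket, key="test.file"):
    """Decision for e.g. `s3cmd -c access_config rm s3://bucket/key`."""
    action, level = S3CMD_OPS[command]
    resource = f"arn:aws:s3:::{bucket}" + (f"/{key}" if level == "object" else "")
    return evaluate(policy, caller_arn, action, resource)


def with_upload(policy):
    """The adjustment the page mentions: additionally grant s3:PutObject."""
    adjusted = copy.deepcopy(policy)
    adjusted["Statement"][0]["Action"].append("s3:PutObject")
    return adjusted


if __name__ == "__main__":
    for cmd in S3CMD_OPS:
        print(f"s3cmd {cmd:<3} -> {s3cmd_outcome(READ_ONLY_POLICY, ACCESS_USER, cmd, 'readOnly-Bucket')}")
    print("put after adjustment ->",
          s3cmd_outcome(with_upload(READ_ONLY_POLICY), ACCESS_USER, "put", "readOnly-Bucket"))
```

Note that `with_upload` grants s3:PutObject only; `s3cmd rm` still needs s3:DeleteObject, so a "read and upload" bucket stays protected against deletion unless you add that action as well.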