Exoscale’s Simple Object Storage (SOS) supports bucket policies, enabling fine-grained access control over your storage resources. This feature aligns with our commitment to offer enhanced security and flexibility for managing access to your data.

What’s New

With the introduction of bucket policies, you can define detailed access permissions directly at the bucket level using JSON-based policy documents. These policies control who can access your buckets and objects, ensuring your data is accessible only to the right users. Unlike Org Policies and IAM policies attached to IAM keys, bucket policies are also enforced for unauthenticated requests.

Bucket Policies

Bucket policies in Exoscale SOS allow you to specify permissions using our existing Exoscale policy format with Common Expression Language (CEL) expressions. These policies can be managed via the SOS API, compatible with common AWS S3 API tools.

Example Policies

Minimal IP filter policy:

{
  "default-service-strategy": "deny",
  "services": {
    "sos": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "source_ip.inIpRange('89.145.160.0/24') || source_ip.inIpRange('2a04:c46::/32')"
        }
      ]
    }
  }
}

The default-service-strategy is deny, which means that if no rule matches, the operation on the bucket (or on an object in it) is denied. We then specify a rule for the "sos" service: if the source IP of the request is in the IPv4 subnet 89.145.160.0/24 or the IPv6 subnet 2a04:c46::/32, the operation is allowed (tip: if your network interface has both an IPv4 and an IPv6 address assigned, specify both, since requests may be sent over either).

IP filter only for unauthenticated requests:

{
  "default-service-strategy": "deny",
  "services": {
    "sos": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "identity.key!=null || source_ip.inIpRange('89.145.160.0/24') || source_ip.inIpRange('2a04:c46::/32')"
        }
      ]
    }
  }
}

For more details on writing policies, refer to the Exoscale IAM documentation.

Testing a bucket policy

Before applying a bucket policy to a bucket, you can test it on a specific IAM key. To do this, create a role with the bucket policy you want to test:

[Screenshot: Portal, create a new Role with the bucket policy]

In the next step, create an IAM API key that uses that role.

[Screenshots: Portal, create a new IAM key]

Now you can test the bucket policy with the newly created key. Requests made with a different key are not affected by the bucket policy. Note: the example policy applies to all buckets, since it does not filter on the bucket name.

In the next section we will install the policy on a bucket, which affects all requests to that bucket, with or without an IAM API key!

Policy Management

You can use the following S3 API-compatible commands to manage your bucket policies:

First, let’s create an alias so we don’t have to repeat the same options for the AWS CLI (the examples assume a bucket in our Zurich zone ch-dk-2):

alias awsexo='aws --profile=exo --endpoint=https://sos-ch-dk-2.exo.io --region=ch-dk-2'

Get Bucket Policy

awsexo s3api get-bucket-policy --bucket my-bucket

If no bucket policy is configured for the bucket, a NoSuchBucketPolicy error is returned.

Put Bucket Policy

awsexo s3api put-bucket-policy --bucket my-bucket --policy file://policy.json

Delete Bucket Policy

awsexo s3api delete-bucket-policy --bucket my-bucket

Note: it is possible to specify a policy that locks you out of the bucket, including deleting the bucket policy itself (e.g. a wrong IP in the filter). In this case, contact our support via the portal to unlock your bucket.
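As an added pre-flight check for the lockout risk described above (example code written for this page, not part of Exoscale's tooling): the script extracts the inIpRange literals from the allow rules of a policy document, rejects malformed CIDRs such as a host address with a /24 mask, and reports which of your own addresses the policy would not cover before you run put-bucket-policy. It assumes the rule layout shown in the examples and only inspects the IP literals; it does not evaluate the CEL expressions themselves.

```python
import ipaddress
import json
import re

# Constructed sample, modelled on the page's minimal IP filter policy.
SAMPLE_POLICY = """{
  "default-service-strategy": "deny",
  "services": {
    "sos": {
      "type": "rules",
      "rules": [
        {"action": "allow",
         "expression": "source_ip.inIpRange('89.145.160.0/24') || source_ip.inIpRange('2a04:c46::/32')"}
      ]
    }
  }
}"""

# Matches the CIDR literal inside source_ip.inIpRange('...') calls.
IP_RANGE_RE = re.compile(r"inIpRange\('([^']+)'\)")


def allowed_ranges(policy_text):
    """Return the networks named in 'allow' rules of the sos service.

    Raises ValueError for a literal that is not a valid network, e.g.
    '89.145.160.1/24' (host bits set), which is a typical filter typo.
    """
    policy = json.loads(policy_text)
    ranges = []
    for rule in policy["services"]["sos"]["rules"]:
        if rule.get("action") != "allow":
            continue
        for literal in IP_RANGE_RE.findall(rule["expression"]):
            ranges.append(ipaddress.ip_network(literal, strict=True))
    return ranges


def lockout_check(policy_text, my_addresses):
    """Return the operator addresses that no allow rule covers.

    With default-service-strategy 'deny' (as in the page's examples), a
    non-empty result means requests from those addresses would be denied
    once the policy is applied, including the delete-bucket-policy call.
    """
    ranges = allowed_ranges(policy_text)
    uncovered = []
    for addr in my_addresses:
        ip = ipaddress.ip_address(addr)
        # Version mismatch (v4 address vs v6 network) simply yields False.
        if not any(ip in net for net in ranges):
            uncovered.append(addr)
    return uncovered
```

Run lockout_check on your policy file with both the IPv4 and IPv6 address your workstation uses; an empty list means every listed address is covered by an allow rule.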