Simple Object Storage Bucket Policy
Exoscale’s Simple Object Storage (SOS) supports bucket policies, giving you fine-grained access control over individual buckets and the objects they contain. This is part of our commitment to secure and flexible management of access to your data.
What’s New
With bucket policies you define access permissions directly at the bucket level using JSON policy documents. A bucket policy controls who may access the bucket and its objects, so the data is reachable only by the intended users. Unlike Org Policies and IAM policies, which are attached to IAM keys and therefore only apply to requests signed with such a key, bucket policies are also enforced for unauthenticated (anonymous) requests.
Bucket Policies
Bucket policies in Exoscale SOS use the existing Exoscale IAM policy format, with rule conditions written as Common Expression Language (CEL) expressions. They are managed through the SOS API and therefore work with common AWS S3 API-compatible tools such as the AWS CLI.
Example Policies
Minimal IP filter policy:
{
  "default-service-strategy": "deny",
  "services": {
    "sos": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "source_ip.inIpRange('89.145.160.0/24') || source_ip.inIpRange('2a04:c46::/32')"
        }
      ]
    }
  }
}
The default-service-strategy is deny, which means that if no rule matches, the operation on the bucket (or on an object in it) is denied. The policy then defines one rule for the sos service: if the source IP of the request is in the IPv4 subnet 89.145.160.0/24 or in the IPv6 subnet 2a04:c46::/32, the operation is allowed. Note that source_ip is the address the request arrives from as seen by SOS, i.e. your public address after any NAT. Tip: if your host has both an IPv4 and an IPv6 address, list both ranges, because a request may leave over either one.
IP filter that applies only to unauthenticated requests:
{
  "default-service-strategy": "deny",
  "services": {
    "sos": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "identity.key!=null || source_ip.inIpRange('89.145.160.0/24') || source_ip.inIpRange('2a04:c46::/32')"
        }
      ]
    }
  }
}
Here identity.key != null is true whenever the request is signed with an IAM key, so signed requests are allowed from any address (they remain subject to the IAM policy of the key's role and to any Org Policy), while anonymous requests are only allowed from the two listed ranges.
For more details on writing policies, refer to the Exoscale IAM documentation.
Testing a bucket policy
Before applying a bucket policy to a bucket, you can test it on a specific IAM key. To do this, create a role whose policy is the bucket policy you want to test, then create an IAM API key that uses that role.
Requests made with the newly created key are now evaluated against that policy; requests made with any other key are not affected. Note: the example policies above apply to all buckets when used this way, because they do not filter on the bucket name.
In the next section we install the policy on the bucket itself, where it affects every request to that bucket, with or without an IAM API key.
Policy Management
You can use the following S3 API-compatible commands to manage your bucket policies. First, create a shell alias so the same options do not have to be repeated on every aws call (this assumes an AWS CLI profile named exo that holds your Exoscale IAM key, and a bucket in the Zurich zone ch-dk-2):
alias awsexo='aws --profile=exo --endpoint=https://sos-ch-dk-2.exo.io --region=ch-dk-2'
Get Bucket Policy
awsexo s3api get-bucket-policy --bucket my-bucket
If no bucket policy is configured for the bucket, a NoSuchBucketPolicy error is returned.
Put Bucket Policy
awsexo s3api put-bucket-policy --bucket my-bucket --policy file://policy.json
Delete Bucket Policy
awsexo s3api delete-bucket-policy --bucket my-bucket
Note: it is possible to write a policy that locks you out of the bucket, including the ability to change or delete the bucket policy (for example, a wrong IP range in the filter). Before applying a policy, test it on a dedicated IAM key as described above, double-check that the public addresses of every host that needs access are covered, and keep a copy of the previous policy from get-bucket-policy so you can restore it. If you do lock yourself out, contact our support via the portal to unlock your bucket.
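As an added example (not part of this page and not Exoscale's tooling), the script below evaluates a bucket policy like the two shown above against a request's source IP and whether it is signed with an IAM key, so you can catch a policy that would lock out your own addresses before running put-bucket-policy. It implements only the subset this page uses (source_ip.inIpRange, identity.key != null, ||, &&, !, parentheses) and assumes that rules are evaluated in order with the first match deciding and the default strategy applying otherwise; CIDR handling comes from the Python standard library. The policy dict and the addresses 89.145.160.10 and 203.0.113.7 in the demo are constructed, and the file name check_policy.py is hypothetical.

```python
"""Offline pre-flight check for an SOS bucket policy (added example; not Exoscale code).
Supports only the subset used on this page: "default-service-strategy", a "sos" service of
type "rules", and rule expressions built from source_ip.inIpRange('CIDR'), identity.key != null,
||, &&, ! and parentheses. Assumed semantics: the first matching rule decides, otherwise the
default strategy applies. Anything outside the subset raises ValueError instead of guessing."""
import ipaddress
import json
import re
import sys
_TOKEN_RE = re.compile(r"\s*(?:(\|\||&&|!|\(|\))|source_ip\.inIpRange\('([^']+)'\)|identity\.key\s*!=\s*null)")

def tokenize(expr):
    """Split a rule expression into ('op', x) / ('cidr', network) / ('authenticated', None) tokens."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unsupported expression near {expr[pos:pos + 25]!r}")
        if m.group(1):
            tokens.append(("op", m.group(1)))
        else:
            tokens.append(("cidr", ipaddress.ip_network(m.group(2), strict=False)) if m.group(2) else ("authenticated", None))
        pos = m.end()
    return tokens

class _Parser:
    """Recursive descent: or := and ('||' and)*; and := not ('&&' not)*; not := '!' not | atom."""
    def __init__(self, tokens, source_ip, authenticated):
        self.toks, self.i = tokens, 0
        self.ip, self.auth = ipaddress.ip_address(source_ip), authenticated

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def _take(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of expression")
        self.i += 1
        return self.toks[self.i - 1]

    def parse_or(self):
        value = self.parse_and()
        while self._peek() == ("op", "||"):
            self._take()
            value = self.parse_and() or value
        return value

    def parse_and(self):
        value = self.parse_not()
        while self._peek() == ("op", "&&"):
            self._take()
            value = self.parse_not() and value
        return value

    def parse_not(self):
        if self._peek() == ("op", "!"):
            self._take()
            return not self.parse_not()
        kind, val = self._take()
        if kind == "op" and val == "(":
            value = self.parse_or()
            if self._take() != ("op", ")"):
                raise ValueError("missing ')'")
            return value
        if kind == "cidr":           # same address family, then prefix membership
            return self.ip.version == val.version and self.ip in val
        if kind == "authenticated":  # the request is signed with an IAM key
            return self.auth
        raise ValueError(f"unexpected token {val!r}")

def expression_matches(expr, source_ip, authenticated):
    parser = _Parser(tokenize(expr), source_ip, authenticated)
    result = parser.parse_or()
    if parser.i != len(parser.toks):
        raise ValueError("unexpected token after end of expression")
    return result

def evaluate_policy(policy, source_ip, authenticated):
    """Return 'allow' or 'deny' for one request to the 'sos' service."""
    default = policy.get("default-service-strategy", "deny")
    sos = policy.get("services", {}).get("sos")
    if sos is None:
        return default
    if sos.get("type") != "rules":
        raise ValueError("only services of type 'rules' are supported here")
    for rule in sos.get("rules", []):
        if expression_matches(rule["expression"], source_ip, authenticated):
            return rule["action"]
    return default

def locked_out(policy, my_ips, authenticated=True):
    """Subset of my_ips the policy would deny; an empty list means it is safe to apply."""
    return [ip for ip in my_ips if evaluate_policy(policy, ip, authenticated) != "allow"]

# Constructed sample: the minimal IP filter policy from this page, as a Python dict.
IP_FILTER_POLICY = {"default-service-strategy": "deny", "services": {"sos": {"type": "rules", "rules": [
    {"action": "allow", "expression": "source_ip.inIpRange('89.145.160.0/24') || source_ip.inIpRange('2a04:c46::/32')"}]}}}

if __name__ == "__main__":  # python check_policy.py policy.json ip [ip ...]
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else IP_FILTER_POLICY
    ips = sys.argv[2:] or ["89.145.160.10", "203.0.113.7"]  # 203.0.113.7: constructed outsider
    print({ip: (evaluate_policy(policy, ip, True), evaluate_policy(policy, ip, False)) for ip in ips})
    print("would lock out:", locked_out(policy, ips) or "nothing")
```

Run it with the policy file you are about to upload and the public addresses of every host that must keep access; a non-empty "would lock out" list means the policy needs fixing first. It does not replace a test with a real IAM key: Exoscale's evaluator accepts CEL the checker deliberately rejects, and only the service sees the true source address of your requests.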