Bucket Policy

Bucket Policy lets you set granular rules for accessing resources in object storage. The rules set for a bucket apply only to objects for which the bucket owner has permissions; they do not apply to objects owned by other users.

K2 Cloud supports Bucket Policy with some limitations. In particular, you cannot specify an individual user as Principal, only the project that owns the bucket. As a result, all users in the project are granted the same permissions.

PutBucketPolicy

Sets bucket access rules.

Sample Request

Allows all users (*) to request objects from the bucket when the request's Referer header matches the specified site.

Request
PUT /bucket1?policy=null HTTP/1.1
Host: s3.k2.cloud
X-Amz-Content-Sha256: beaead3198f7da1e70d03ab969765e0821b24fc913697e929e726aeaebf0eba3
X-Amz-Date: 20220601T141452Z
Authorization: AWS4-HMAC-SHA256 Credential=project:user@customer.ru/20220601/{region}/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=6522eeb1996b5a93b9cffc6091fde816d700d06dcd16c6f2322c86585c5863fa
Content-Type: application/json
Content-Length: 478

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadFromSite",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket1/*",
            "Condition":{
               "StringLike":{"aws:Referer":["http://www.site.com/*","http://site.com/*"]}
             }
        }
    ]
}

Sample Response

Response
HTTP/1.1 200 OK
x-amz-request-id: tx0000000000000083bd671-006297745c-40173986-default
content-length: 0
date: Wed, 01 Jun 2022 14:14:52 GMT

GetBucketPolicy

Returns bucket access rules.

Sample Request

Request
GET /bucket1?policy=null HTTP/1.1
Host: s3.k2.cloud
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20220601T114555Z
Authorization: AWS4-HMAC-SHA256 Credential=project:user@customer.ru/20220601/{region}/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=7f49aa189dd0b80285149fe3f979b166a9be8ccf2ef7da2a394ac98bd2056d93

Sample Response

Response
HTTP/1.1 200 OK
x-amz-request-id: tx00000000000000843275a-0062978777-41e627a3-default
content-type: application/json
content-length: 478
date: Wed, 01 Jun 2022 11:45:55 GMT

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadFromSite",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket1/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "http://www.site.com/*",
                        "http://site.com/*"
                    ]
                }
            }
        }
    ]
}
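
The following is an added example, not part of the K2 Cloud documentation: a Python check that audits a policy document such as the one returned above, flagging Allow statements open to every principal and testing which Referer values the StringLike patterns accept. It assumes AWS-style StringLike wildcard semantics ('*' and '?', case-sensitive); all function names are hypothetical. The Referer header is set by the client, so a statement gated only on it is reported as public.

```python
import json
import re

# Constructed copy of the sample policy shown on this page.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Sid": "ReadFromSite", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket1/*",
   "Condition": {"StringLike": {"aws:Referer":
       ["http://www.site.com/*", "http://site.com/*"]}}}]}
""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def string_like(pattern, value):
    """StringLike match (assumed AWS semantics): '*' any run, '?' one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def is_public(principal):
    """True when Principal matches every caller ("*" or {"AWS": "*"})."""
    if isinstance(principal, dict):
        return any("*" in as_list(v) for v in principal.values())
    return principal == "*"

def audit(policy):
    """Return (sid, finding) for each Allow statement open to all principals."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_public(stmt.get("Principal")):
            continue
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not keys:
            finding = "public, no condition"
        elif keys == {"aws:referer"}:
            finding = "public, gated only by client-supplied Referer"
        else:
            finding = "public, conditioned on " + ", ".join(sorted(keys))
        findings.append((stmt.get("Sid", "<no Sid>"), finding))
    return findings

def referer_matches(stmt, referer):
    """Check a Referer value against the statement's StringLike patterns."""
    patterns = as_list(stmt["Condition"]["StringLike"]["aws:Referer"])
    return any(string_like(p, referer) for p in patterns)

if __name__ == "__main__":
    for sid, finding in audit(SAMPLE_POLICY):
        print(f"{sid}: {finding}")
```

Under these matching rules the sample patterns accept only http:// referers, so a request sent from an https:// page on the same site is not matched by the statement.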

DeleteBucketPolicy

Deletes bucket access rules.

Sample Request

Request
DELETE /tf-test/?policy=null HTTP/1.1
Host: s3.k2.cloud
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20220601T155557Z
Authorization: AWS4-HMAC-SHA256 Credential=project:user@customer.ru/20220601/{region}/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=67fae605dc8ceb75f85f60f4937e98ce7c27eed4aa8f52b4fb784c4f6dabf5d3

Sample Response

Response
HTTP/1.1 200 OK
x-amz-request-id: tx00000000000000481dd53-0062978c0d-41e72c37-default
content-length: 0
date: Wed, 01 Jun 2022 15:55:57 GMT