Chapter 8. Bucket policies in the Multicloud Object Gateway

1. Create the bucket policy in JSON format. See the following example:

   {
       "Version": "NewVersion",
       "Statement": [
           {
               "Sid": "Example",
               "Effect": "Allow",
               "Principal": [
                       "john.doe@example.com"
               ],
               "Action": [
                   "s3:GetObject"
               ],
               "Resource": [
                   "arn:aws:s3:::john_bucket"
               ]
           }
       ]
   }

   Copy to Clipboard Toggle word wrap

   There are many available elements for bucket policies with regard to access permissions.

   For details on these elements and examples of how they can be used to control the access permissions, see AWS Access Policy Language Overview.

   For more examples of bucket policies, see AWS Bucket Policy Examples.

   Instructions for creating S3 users can be found in Section 8.3, “Creating an AWS S3 user in the Multicloud Object Gateway”.

2. Using AWS S3 client, use the put-bucket-policy command to apply the bucket policy to your S3 bucket:

   # aws --endpoint ENDPOINT --no-verify-ssl s3api put-bucket-policy --bucket MyBucket --policy BucketPolicy

   Copy to Clipboard Toggle word wrap
   1. Replace ENDPOINT with the S3 endpoint.
   2. Replace MyBucket with the bucket to set the policy on.
   3. Replace BucketPolicy with the bucket policy JSON file.

   4. Add --no-verify-ssl if you are using the default self signed certificates.

      For example:

      # aws --endpoint https://s3-openshift-storage.apps.gogo44.noobaa.org --no-verify-ssl s3api put-bucket-policy -bucket MyBucket --policy file://BucketPolicy

      Copy to Clipboard Toggle word wrap

      For more information on the put-bucket-policy command, see the AWS CLI Command Reference for put-bucket-policy.

      Note

      The principal element specifies the user that is allowed or denied access to a resource, such as a bucket. Currently, Only NooBaa accounts can be used as principals. In the case of object bucket claims, NooBaa automatically create an account obc-account.<generated bucket name>@noobaa.io.

      Note

      Bucket policy conditions are not supported.

Procedure

1. In the OpenShift Web Console, click Storage Data Foundation.
2. In the Status card, click Storage System and click the storage system link from the pop up that appears.
3. In the Object tab, click the Multicloud Object Gateway link.

4. Under the Accounts tab, click Create Account.

   

   View larger image

   

5. Select S3 Access Only, provide the Account Name, for example, john.doe@example.com. Click Next.

   

   View larger image

   

6. Select S3 default placement, for example, noobaa-default-backing-store. Select Buckets Permissions. A specific bucket or all buckets can be selected. Click Create.

   

   View larger image