S3 Bucket Policies
Chris Lu edited this page 2026-03-25 22:33:09 -07:00

SeaweedFS supports AWS S3-compatible bucket policies for controlling access to buckets and objects at the bucket level.

Overview

Bucket policies allow you to grant or deny permissions for S3 operations on a bucket and its objects. They are resource-based policies that complement user-level IAM policies.

Quick Setup with Weed Shell

The s3.bucket.access shell command provides a simple way to set per-bucket access for any user. The user is auto-created if it does not exist.

# Grant anonymous read and list access (public download)
> s3.bucket.access -name my-bucket -user anonymous -access Read,List

# Grant full anonymous access
> s3.bucket.access -name my-bucket -user anonymous -access Read,Write,List

# View current access for a user on a bucket
> s3.bucket.access -name my-bucket -user anonymous

# Remove all access
> s3.bucket.access -name my-bucket -user anonymous -access none

Supported actions: Read, Write, List, Tagging, Admin (same as s3.configure -actions).

Actions are scoped to the specified bucket and stored on the IAM identity (as Action:bucket).

AWS CLI Setup

First, configure the AWS CLI to connect to your SeaweedFS S3 endpoint:

aws configure --profile seaweedfs

Enter your credentials and configure the endpoint:

AWS Access Key ID: your_access_key
AWS Secret Access Key: your_secret_key
Default region name: us-east-1
Default output format: json

Then use this profile with an endpoint URL for all commands (or configure it in your AWS config file):

export AWS_PROFILE=seaweedfs
alias s3="aws s3 --endpoint-url http://localhost:8333"
alias s3api="aws s3api --endpoint-url http://localhost:8333"

API Operations

Get Bucket Policy

Retrieve the current bucket policy:

aws s3api get-bucket-policy \
  --bucket my-bucket \
  --endpoint-url http://localhost:8333

Output:

{
  "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"s3:GetObject\",\"Resource\":\"arn:aws:s3:::my-bucket/*\"}]}"
}

To view the policy in readable format:

aws s3api get-bucket-policy \
  --bucket my-bucket \
  --endpoint-url http://localhost:8333 \
  --query Policy --output text | jq .

Put Bucket Policy

Set or update a bucket policy from a file:

aws s3api put-bucket-policy \
  --bucket my-bucket \
  --policy file://policy.json \
  --endpoint-url http://localhost:8333

Or inline:

aws s3api put-bucket-policy \
  --bucket my-bucket \
  --policy '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my-bucket/*"
      }
    ]
  }' \
  --endpoint-url http://localhost:8333

Delete Bucket Policy

Remove the bucket policy:

aws s3api delete-bucket-policy \
  --bucket my-bucket \
  --endpoint-url http://localhost:8333

Policy Document Format

Bucket policies use the standard AWS S3 policy format with the following structure:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OptionalStatementId",
      "Effect": "Allow|Deny",
      "Principal": "string or *",
      "Action": ["s3:action1", "s3:action2"],
      "Resource": ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"],
      "Condition": {
        "condition-operator": {
          "condition-key": ["value"]
        }
      }
    }
  ]
}

Key Components

  • Version: Must be "2012-10-17" (AWS policy language version)
  • Sid: Optional statement identifier for documentation
  • Effect: Allow or Deny - whether requests matching the statement are granted or refused (an explicit Deny overrides any Allow)
  • Principal: Who the policy applies to ("*" for public, or specific user/role ARNs)
  • Action: S3 operations (e.g., s3:GetObject, s3:PutObject)
  • Resource: Bucket or object paths
    • arn:aws:s3:::bucket-name - for bucket operations
    • arn:aws:s3:::bucket-name/* - for all objects in the bucket
    • arn:aws:s3:::bucket-name/path/to/object - for specific objects
    • Simplified formats: bucket-name, bucket-name/* are also accepted
  • Condition: Optional conditions for when the policy applies

Common Examples

Public Read Access

Allow anyone to read objects in a bucket:

aws s3api put-bucket-policy \
  --bucket my-bucket \
  --policy '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my-bucket/*"
      }
    ]
  }' \
  --endpoint-url http://localhost:8333

Restrict by IP Address

Allow reads only from specific IP addresses:

aws s3api put-bucket-policy \
  --bucket my-bucket \
  --policy '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my-bucket/*",
        "Condition": {
          "IpAddress": {
            "aws:SourceIp": ["192.168.1.0/24"]
          }
        }
      }
    ]
  }' \
  --endpoint-url http://localhost:8333

Require HTTPS

Allow access only over secure connections. This statement grants access only when the request arrives over TLS; to refuse plaintext requests regardless of any other grant, add a Deny statement whose condition is "aws:SecureTransport": "false", following the Deny pattern used in the encryption example below:

aws s3api put-bucket-policy \
  --bucket my-bucket \
  --policy '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::my-bucket/*",
        "Condition": {
          "Bool": {
            "aws:SecureTransport": "true"
          }
        }
      }
    ]
  }' \
  --endpoint-url http://localhost:8333

Deny Unencrypted Uploads

Require encryption for all uploads:

aws s3api put-bucket-policy \
  --bucket my-bucket \
  --policy '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::my-bucket/*",
        "Condition": {
          "StringNotEquals": {
            "s3:x-amz-server-side-encryption": "AES256"
          }
        }
      }
    ]
  }' \
  --endpoint-url http://localhost:8333

Supported S3 Actions

Common actions in bucket policies:

  • Object Operations: s3:GetObject, s3:PutObject, s3:DeleteObject
  • Bucket Operations: s3:ListBucket, s3:CreateBucket, s3:DeleteBucket
  • ACL Operations: s3:PutObjectAcl, s3:GetObjectAcl
  • Multipart Operations: s3:CreateMultipartUpload, s3:UploadPart, s3:CompleteMultipartUpload, s3:AbortMultipartUpload, s3:ListBucketMultipartUploads, s3:ListMultipartUploadParts
  • Object Tagging: s3:GetObjectTagging, s3:PutObjectTagging
  • Versioning: s3:GetObjectVersion, s3:PutObjectVersionAcl

Multipart Upload Permission Inheritance

When a policy grants s3:PutObject, it implicitly allows all multipart upload operations:

  • s3:CreateMultipartUpload - Start a multipart upload
  • s3:UploadPart - Upload parts of a multipart upload
  • s3:CompleteMultipartUpload - Complete a multipart upload
  • s3:AbortMultipartUpload - Abort an incomplete multipart upload
  • s3:ListBucketMultipartUploads - List in-progress multipart uploads
  • s3:ListMultipartUploadParts - List parts of a multipart upload

This behavior aligns with AWS S3 semantics where multipart upload is considered an implementation detail of s3:PutObject. Users can upload large objects using either a single direct upload (if s3:PutObject is granted) or multiple parts via multipart upload (also allowed by s3:PutObject).

Example: A policy granting only s3:PutObject is sufficient to perform complete multipart uploads without explicitly listing all multipart actions.
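As an added example (not SeaweedFS's own evaluator), the following Python models how the policies from the Common Examples section and the multipart inheritance rule just described decide a single request. The request-context key names (aws:SourceIp, aws:SecureTransport, s3:x-amz-server-side-encryption) are the ones the page's conditions reference; the "NoMatch" label for a request that no statement covers, and the choice to apply the s3:PutObject inheritance to Deny statements as well as Allow statements, are this example's own assumptions.

```python
"""Model of how the bucket-policy examples on this page are evaluated.

Added example, not SeaweedFS code: it matches Principal, Action, Resource and
the condition operators the examples use (IpAddress, Bool, StringNotEquals),
and applies the documented rule that s3:PutObject covers the multipart actions.
"""
import fnmatch
import ipaddress
import json

# Actions implicitly granted by s3:PutObject (the list from the page).
MULTIPART_ACTIONS = {
    "s3:CreateMultipartUpload", "s3:UploadPart", "s3:CompleteMultipartUpload",
    "s3:AbortMultipartUpload", "s3:ListBucketMultipartUploads",
    "s3:ListMultipartUploadParts",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(value):
    # "*" or a plain string, or the AWS-style {"AWS": [...]} map.
    if isinstance(value, dict):
        return [p for v in value.values() for p in _as_list(v)]
    return _as_list(value)


def _resource_pattern(resource):
    # Accept full ARNs and the simplified bucket / bucket/* forms alike.
    prefix = "arn:aws:s3:::"
    return resource[len(prefix):] if resource.startswith(prefix) else resource


def _action_matches(granted, requested):
    if fnmatch.fnmatchcase(requested, granted):
        return True
    # Assumption: inheritance applies to whichever Effect names s3:PutObject.
    return granted == "s3:PutObject" and requested in MULTIPART_ACTIONS


def _condition_holds(condition, ctx):
    """All operator/key pairs must hold for the statement to apply."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            expected = _as_list(expected)
            actual = ctx.get(key)
            if operator == "IpAddress":
                if actual is None:
                    return False
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(c, strict=False) for c in expected):
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() != str(expected[0]).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                # An absent key counts as "not equal", so the Deny example
                # fires when the encryption header is missing entirely.
                if actual in expected:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policy_json, principal, action, resource, ctx=None):
    """Return "Deny", "Allow" or "NoMatch" (no statement applied) for one request.

    resource is "bucket" or "bucket/key"; ctx holds the request context keys
    that conditions inspect.
    """
    ctx = ctx or {}
    result = "NoMatch"
    for stmt in json.loads(policy_json)["Statement"]:
        who = _principals(stmt["Principal"])
        if "*" not in who and principal not in who:
            continue
        if not any(_action_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, _resource_pattern(r))
                   for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow
        result = "Allow"
    return result


# Constructed copies of the "Restrict by IP Address" and "Deny Unencrypted
# Uploads" policies from above, plus a PutObject grant for a user "alice".
IP_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my-bucket/*",
    "Condition": {"IpAddress": {"aws:SourceIp": ["192.168.1.0/24"]}}}]})
ENCRYPT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::my-bucket/*",
    "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}}]})
PUT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "alice", "Action": "s3:PutObject",
    "Resource": "my-bucket/*"}]})

if __name__ == "__main__":
    obj = "my-bucket/report.pdf"
    print(evaluate(IP_POLICY, "*", "s3:GetObject", obj, {"aws:SourceIp": "192.168.1.42"}))
    print(evaluate(ENCRYPT_POLICY, "*", "s3:PutObject", obj, {}))
    print(evaluate(PUT_POLICY, "alice", "s3:UploadPart", "my-bucket/big.iso"))
```

Running the module prints Allow, Deny and Allow: the in-range client reads, the upload without an encryption header is refused, and alice's s3:PutObject grant carries over to s3:UploadPart without the multipart actions being listed.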

Policy Validation

SeaweedFS validates bucket policies for:

  • Correct policy document version (2012-10-17)
  • Presence of at least one statement
  • Required Principal field
  • Resources matching the bucket name
  • S3 action prefixes
  • Valid effect values (Allow/Deny)
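The same six checks can be run locally before a policy is uploaded, so a rejected put-bucket-policy call is caught with a readable reason. The following Python is an added example, not SeaweedFS's validator; it implements only the rules listed above (other defects, such as an unknown condition operator, are left to the server), and the specific error strings are this example's own.

```python
"""Pre-flight check of a bucket policy against the validation rules above.

Added example, not SeaweedFS code: it applies the six listed checks (version,
at least one statement, Principal present, resources matching the bucket,
s3: action prefix, Allow/Deny effect) and reports every problem it finds.
"""
import json

POLICY_VERSION = "2012-10-17"
ARN_PREFIX = "arn:aws:s3:::"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resource_bucket(resource):
    """Bucket named by a resource; accepts full ARNs and the simplified forms."""
    if resource.startswith(ARN_PREFIX):
        resource = resource[len(ARN_PREFIX):]
    return resource.split("/", 1)[0]


def validate_policy(policy_json, bucket):
    """Return a list of problems; an empty list means the policy passes."""
    problems = []
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as e:
        return [f"policy is not valid JSON: {e}"]

    if policy.get("Version") != POLICY_VERSION:
        problems.append(f"Version must be {POLICY_VERSION}")

    # A single statement object is accepted as well as a list of them.
    statements = _as_list(policy.get("Statement", []))
    if not statements:
        problems.append("policy must contain at least one statement")

    for i, stmt in enumerate(statements):
        where = stmt.get("Sid") or f"statement {i}"
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be Allow or Deny")
        if "Principal" not in stmt:
            problems.append(f"{where}: Principal is required")
        for action in _as_list(stmt.get("Action", [])):
            if not isinstance(action, str) or not action.startswith("s3:"):
                problems.append(f"{where}: action {action!r} must use the s3: prefix")
        for resource in _as_list(stmt.get("Resource", [])):
            if _resource_bucket(resource) != bucket:
                problems.append(
                    f"{where}: resource {resource!r} does not belong to bucket {bucket!r}")
    return problems


# Constructed inputs: the page's PublicRead policy and a deliberately broken one.
VALID_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}]})
BROKEN_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [{
    "Effect": "Permit", "Action": "GetObject", "Resource": "other-bucket/*"}]})

if __name__ == "__main__":
    print(validate_policy(VALID_POLICY, "my-bucket"))    # []
    for problem in validate_policy(BROKEN_POLICY, "my-bucket"):
        print("-", problem)
```

Run against the broken policy this reports five problems (wrong version, an invalid Effect, no Principal, an action without the s3: prefix, and a resource that names a different bucket); the valid PublicRead policy passes for my-bucket and fails only the bucket-name check when validated for another bucket.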

Integration with IAM

Bucket policies work alongside IAM policies (defined at S3 Credentials) for comprehensive access control:

  • Bucket Policies: Resource-based, grant access across users
  • IAM Policies: User-based, define what users can do
  • Evaluation: Access is allowed when both policies allow the operation, or when the bucket policy explicitly allows it and the IAM policy does not deny it

See Amazon IAM API for more on IAM integration.

Storage

Bucket policies are stored as metadata in the filer alongside bucket configuration, ensuring they persist across server restarts.

See Also