viaprog/seaweedfs
1
0
Fork 0
mirror of https://github.com/seaweedfs/seaweedfs.git synced 2026-06-13 23:36:45 +03:00
Code Issues Packages Projects Releases Wiki Activity
Page: S3 Policy Conditions
Pages
A typical step‐by‐step example AWS CLI with SeaweedFS AWS IAM CLI Actual Users Admin UI OIDC Admin UI Amazon IAM API Amazon S3 API Applications Async Backup Async Filer Metadata Backup Async Replication to Cloud Async Replication to another Filer Benchmark SeaweedFS as a GlusterFS replacement Benchmarks from jinleileiking Benchmarks Cache Remote Storage Choosing a Filer Store Client Libraries Cloud Drive Architecture Cloud Drive Benefits Cloud Drive Quick Setup Cloud Monitoring Cloud Tier Cluster Plan Day 2 Operations Cluster Plan Inventory Reference Cluster Plan Workflow Components Configure Remote Storage Cryptography and FIPS Compliance Customize Filer Store Data Backup Data Structure for Large Files Deployment to Kubernetes and Minikube Deployment with seaweed up Directories and Files Distributed POSIX Locks Distributing AI Model Files for Multi GPU Loading Docker Compose for S3 Docker Image Registry with SeaweedFS Doris Iceberg Integration Dremio Iceberg Integration DuckDB Iceberg Integration EC Bitrot Detection Environment Variables Erasure Coding for warm storage Error reporting to sentry FAQ FIO benchmark FUSE Mount Failover Master Server File Operations Quick Reference Filer Active Active cross cluster continuous synchronization Filer Cassandra Setup Filer Change Data Capture Filer Commands and Operations Filer Data Encryption Filer JWT Use Filer Metadata Events Filer Notification Webhook Filer Operation Serialization Filer Redis Setup Filer Server API Filer Setup Filer Store Replication Filer Stores Filer as a Key Large Value Store Gateway to Remote Object Storage Getting Started HDFS via S3 connector Hadoop Benchmark Hadoop Compatible File System Hardware Hobbyest Tinkerer scale on premises tutorial Home Iceberg Table Maintenance Independent Benchmarks Kafka to Kafka Gateway to SMQ to SQL Kubernetes Backups and Recovery with K8up Kubernetes ServiceAccount Authentication Lakekeeper Iceberg Integration Large File Handling Load Command Line Options from a file Master Server API Migrate Maintenance Scripts to Admin Script Plugin Migrate to Filer Store Mount Remote Storage OIDC Integration Optimization for Many Small Buckets Optimization P2P reading in weed mount POSIX Compliance Path Specific Configuration Path Specific Filer Store Plugin Worker Scheduling PostgreSQL compatible Server weed db Production Setup Pub Sub to SMQ to SQL Quick Start with weed mini Replication RisingWave Iceberg Integration Run Blob Storage on Public Internet Run Presto on SeaweedFS Rust Volume Server S3 API Audit log S3 API Benchmark S3 API FAQ S3 Bucket Policies S3 Bucket Quota S3 CORS S3 Conditional Operations S3 Configuration S3 Credentials S3 Lifecycle Architecture S3 Lifecycle Monitoring S3 Lifecycle Operator Guide S3 Lifecycle Troubleshooting S3 Lifecycle vs Volume TTL S3 Lifecycle S3 Nginx Proxy S3 Object Lock and Retention S3 Object Versioning S3 Policy Conditions S3 Policy Variables S3 Rate Limiting S3 Table Bucket Commands S3 Table Bucket S3 Tables Security SFTP Server SQL Queries on Message Queue SQL Quick Reference SRV Service Discovery Seaweed Message Queue SeaweedFS Architecture SeaweedFS Iceberg Catalog SeaweedFS Java Client SeaweedFS in Docker Swarm Security Configuration Security Overview Server Side Encryption SSE C Server Side Encryption SSE KMS Server Side Encryption Server Startup via Systemd Simplest S3 Bucket and User Setup Spark Iceberg Integration Store file with a Time To Live Structured Data Lake with SMQ and SQL Super Large Directories Supported APIs vs Minio System Metrics TUS Resumable Uploads TensorFlow with SeaweedFS Tiered Storage Trino Iceberg Integration UrBackup with SeaweedFS Use Cases Volume Files Structure Volume Management Volume Server API WebDAV Words from SeaweedFS Users Worker fstab and systemd mount nodejs with Seaweed S3 rclone with SeaweedFS restic with SeaweedFS run HBase on SeaweedFS run Spark on SeaweedFS s3cmd with SeaweedFS weed shell
Clone
1
S3 Policy Conditions
Chris Lu edited this page 2026-03-26 12:52:03 -07:00
Table of Contents

S3 Policy Conditions

SeaweedFS supports AWS S3-compatible policy conditions for fine-grained access control based on request context such as source IP, transport security, time, and request headers.

Overview

Conditions allow you to restrict when a policy statement applies. They are used in bucket policies and IAM policies to enforce rules like "allow access only from a specific IP range" or "require HTTPS".

A condition block has the form:

{
  "Condition": {
    "<operator>": {
      "<condition-key>": ["<value1>", "<value2>"]
    }
  }
}

Multiple operators within a Condition block are ANDed together. Multiple values for a single key are ORed.

Supported Condition Operators

String Operators

Operator Description
StringEquals Exact case-sensitive match
StringNotEquals Negated exact match
StringLike Case-sensitive match with * and ? wildcards
StringNotLike Negated wildcard match

Numeric Operators

Operator Description
NumericEquals Equal
NumericNotEquals Not equal
NumericLessThan Less than
NumericLessThanEquals Less than or equal
NumericGreaterThan Greater than
NumericGreaterThanEquals Greater than or equal

Date Operators

Date values must be in RFC 3339 format (e.g., 2025-01-01T00:00:00Z).

Operator Description
DateEquals Exact date match
DateNotEquals Negated date match
DateLessThan Before date
DateLessThanEquals Before or at date
DateGreaterThan After date
DateGreaterThanEquals After or at date

IP Address Operators

Values can be individual IPs or CIDR ranges (e.g., 192.168.1.0/24).

Operator Description
IpAddress Source IP is within the specified range
NotIpAddress Source IP is not within the specified range

Other Operators

Operator Description
Bool Boolean match ("true" or "false")
ArnEquals Exact ARN match
ArnLike ARN match with wildcards
Null Check whether a key is present ("true" = key absent, "false" = key present)

Set Operators

Prefix any string operator with ForAnyValue: or ForAllValues: for multi-valued keys:

  • ForAnyValue:StringEquals - at least one value matches
  • ForAllValues:StringEquals - all values match

Supported Condition Keys

AWS Global Context Keys

Key Type Description
aws:SourceIp IP Client IP address (supports CIDR)
aws:SecureTransport Bool true if the request was sent over HTTPS
aws:CurrentTime Date Current time in RFC 3339 format
aws:UserAgent String Client User-Agent header
aws:Referer String HTTP Referer header
aws:username String Username from principal ARN
aws:userid String User ID from principal ARN
aws:PrincipalAccount String Account ID from principal ARN
aws:principaltype String Principal type (IAMUser, IAMRole, AssumedRole)
aws:PrincipalArn String Full principal ARN
aws:FederatedProvider String Federated identity provider
aws:PrincipalServiceName String Service principal name

S3-Specific Keys

Key Type Description
s3:prefix String Prefix parameter from list operations
s3:delimiter String Delimiter parameter from list operations
s3:max-keys Numeric Max keys parameter from list operations
s3:ExistingObjectTag/<key> String Value of an existing object tag
s3:RequestMethod String HTTP method (GET, PUT, POST, DELETE)
s3:authType String Auth type (REST-HEADER or REST-QUERY-STRING)

| s3:x-amz-* | String | Any x-amz-* request header (e.g., s3:x-amz-server-side-encryption) |

Identity Provider Keys

Key Type Description
jwt:preferred_username String Username from JWT token
jwt:sub String Subject from JWT token
jwt:iss String Issuer from JWT token
jwt:aud String Audience from JWT token
oidc:sub String Subject from OIDC token
oidc:aud String Audience from OIDC token
oidc:iss String Issuer from OIDC token
oidc:<claim> String Any custom OIDC claim (e.g., oidc:roles, oidc:groups)
saml:username String Username from SAML assertion
saml:sub String Subject from SAML assertion
saml:aud String Audience from SAML assertion
saml:iss String Issuer from SAML assertion
ldap:username String Username from LDAP
ldap:dn String Distinguished name from LDAP
ldap:<attribute> String Any LDAP attribute

Source IP Handling

When SeaweedFS runs behind a reverse proxy, the aws:SourceIp condition key is resolved using the following logic:

  1. If the direct connection is from a private/loopback IP (RFC 1918, IPv6 ULA), forwarding headers are trusted:
    • X-Forwarded-For is checked for the rightmost non-private IP
    • X-Real-IP is used as a fallback
  2. If the direct connection is from a public IP, forwarding headers are ignored to prevent spoofing
  3. Final fallback is always RemoteAddr

This ensures correct behavior whether SeaweedFS is accessed directly or through a load balancer.

Examples

Restrict Access by IP Address

Allow reads only from your office network:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": ["10.0.0.0/8", "192.168.1.0/24"]
        }
      }
    }
  ]
}

Deny access from a specific IP range:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}

Require HTTPS

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

Time-Based Access

Allow access only during a specific window:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "DateGreaterThan": {
          "aws:CurrentTime": "2025-01-01T00:00:00Z"
        },
        "DateLessThan": {
          "aws:CurrentTime": "2025-12-31T23:59:59Z"
        }
      }
    }
  ]
}

Require Encryption Header

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}

Tag-Based Access Control

Allow deletion only if the object is tagged as deletable:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/status": "deletable"
        }
      }
    }
  ]
}

Combining Multiple Conditions

Multiple operators are ANDed — all must be true:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.168.1.0/24"
        },
        "Bool": {
          "aws:SecureTransport": "true"
        },
        "DateGreaterThan": {
          "aws:CurrentTime": "2025-01-01T00:00:00Z"
        }
      }
    }
  ]
}

Policy Evaluation Logic

Conditions follow AWS-compatible evaluation order:

  1. Explicit Deny — if any statement with a matching condition denies, access is denied
  2. Explicit Allow — if a statement with a matching condition allows, access is allowed
  3. Default Deny — if no statement matches, access is denied

See Also

Introduction

API

Configuration

Filer

Filer Stores

Management

Advanced Filer Configurations

FUSE Mount

WebDAV

SFTP Server

Cloud Drive

AWS S3 API

S3 Table Bucket

Iceberg Integrations

S3 Authentication & IAM

Server-Side Encryption

S3 Client Tools

Machine Learning

HDFS

Replication and Backup

Metadata Change Events

Messaging

Use Cases

Operations

Rust Volume Server

Advanced

Security

Misc Use Case Examples