A bucket policy is an access policy that lets you grant anonymous permissions to your Minio resources. Bucket policies use a JSON-based access policy language.
This section presents a few examples of typical use cases for bucket policies. The policies use bucket and examplebucket strings in the resource value. To test these policies, you need to replace these strings with your bucket name. For more information, please read about the Amazon S3 access policy language.
The following example policy grants the s3:GetObject permission to any public anonymous user. This permission allows anyone to read the object data under testbucket, which is useful when you have publicly readable assets. A typical example is website assets stored in testbucket.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "s3:GetObject"
          ],
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "*"
            ]
          },
          "Resource": [
            "arn:aws:s3:::testbucket/*"
          ],
          "Sid": ""
        }
      ]
    }

Now you can set this policy on your bucket using the aws cli. The following command assumes Minio is running locally at port 9000 and the bucket is testbucket.
    aws --endpoint-url http://localhost:9000 s3api put-bucket-policy --bucket testbucket --policy file:///tmp/policy.json

Two types of wildcard key matches are allowed in bucket policies: one is * and the other is ?
Now if you have this in your Resource
    arn:aws:s3:::testbucket/user/*/files/public/*
then the policy will match
    arn:aws:s3:::testbucket/user/harsha/files/public/issue
Here the user is harsha.
Now if you have this in your Resource
    arn:aws:s3:::testbucket/user/?/files/public/*
then the policy will match
    arn:aws:s3:::testbucket/user/1/files/public/issue
Here the user is 1.
You can even repeat ? to restrict the character length of the user names as well. Let's say you have 6 repeated ?
    arn:aws:s3:::testbucket/user/??????/files/public/*
then the policy will match
    arn:aws:s3:::testbucket/user/harsha/files/public/issue
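To check which objects a Resource pattern really exposes before applying a policy, the sketch below evaluates the three patterns above against a list of keys. It is an added example, not Minio's own code: the function names and the sample keys are constructed here, and it assumes * matches any run of characters including / while ? matches exactly one character.

```python
def wildcard_match(pattern, text):
    """'*' matches any run of characters (assumed to include '/'), '?' exactly one."""
    p = t = 0
    star, mark = -1, 0  # index of the last '*' seen, and the text index it was tried at
    while t < len(text):
        if p < len(pattern) and pattern[p] == "*":
            star, mark = p, t
            p += 1
        elif p < len(pattern) and pattern[p] in ("?", text[t]):
            p, t = p + 1, t + 1
        elif star != -1:  # backtrack: let the last '*' absorb one more character
            mark += 1
            p, t = star + 1, mark
        else:
            return False
    return all(c == "*" for c in pattern[p:])


def anonymous_read_keys(policy, bucket, keys):
    """Return the keys an anonymous s3:GetObject request is allowed to read."""
    readable = []
    for key in keys:
        arn = f"arn:aws:s3:::{bucket}/{key}"
        for stmt in policy["Statement"]:
            if (stmt["Effect"] == "Allow"
                    and "*" in stmt["Principal"]["AWS"]  # dict form used on this page
                    and "s3:GetObject" in stmt["Action"]
                    and any(wildcard_match(r, arn) for r in stmt["Resource"])):
                readable.append(key)
                break
    return readable


def policy_for(resource):
    """Build the page's anonymous-read policy around one Resource pattern."""
    return {"Version": "2012-10-17", "Statement": [{
        "Action": ["s3:GetObject"], "Effect": "Allow",
        "Principal": {"AWS": ["*"]}, "Resource": [resource], "Sid": ""}]}


# Constructed sample keys, not taken from a real bucket.
KEYS = [
    "user/harsha/files/public/issue", "user/1/files/public/issue",
    "user/harsha/files/private/notes", "user/harsha/backup/files/public/dump",
]

if __name__ == "__main__":
    for pat in ("user/*/files/public/*", "user/?/files/public/*", "user/??????/files/public/*"):
        policy = policy_for(f"arn:aws:s3:::testbucket/{pat}")
        print(pat, "->", anonymous_read_keys(policy, "testbucket", KEYS))
```

Under that assumption the * pattern also exposes user/harsha/backup/files/public/dump, because * can absorb harsha/backup, while the ? and ?????? patterns fix the length of the user segment.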
Great material! Thank you.