Public Read Access for Object Storage Bucket

Linode Staff

I'd like to set blanket permissions that automatically apply to all existing and new files in my Object Storage bucket. How do I set public read access as my default bucket policy?

3 Replies

There's a section on Bucket Policies in our guide, Enacting Access Control Lists (ACLs) and Bucket Policies with Linode Object Storage, which we'll work off of in the below instructions:

First, you'll want to create a bucket policy written in JSON format with a text editor and save it to wherever you're running your s3cmd commands from (like your local computer). You can copy and paste the below policy into your file, changing out the placeholder values with your information. In the below example we've used the following placeholders:

  • File title: bucket_policy_example.json (you will reference this in the implementation command)
  • Bucket name: example_bucket (this is the bucket to which you want to give public read access)

The example policy reads as follows:

{
 "Statement": [
  {
    "Effect": "Allow",
    "Principal": {
      "AWS": [
        "*"
      ]
    },
    "Action": [
      "s3:GetObject"
    ],
    "Resource": [
      "arn:aws:s3::example_bucket/*"
    ]
  }
 ]
}

Some things to note:

  • The * under AWS is defining the user as everyone.
  • s3:GetObject gives everyone permission to retrieve objects from the bucket.
  • arn:aws:s3::example_bucket/* specifies the bucket to which everyone has access and applies these permissions to all (old and new) files in that bucket.

Once you have this file completed and saved, you can run the following command to implement the policy:

s3cmd setpolicy bucket_policy_example.json s3://example_bucket

To ensure it has applied correctly, run:

s3cmd info s3://example_bucket

Now all existing files, and any file you upload thereafter, will have these permissions automatically set.

Hi there,

Thanks for this. I was wondering if it's possible to specify an endpoint for the setpolicy command. For instance, I have a few buckets in different data centers. Can I set the policy for a different data center or do I have to do a new s3cmd config setup?

Thanks!
Josh

Some customers have recently reported that the syntax of the previously-working policy config is now causing issues. The old entry "arn:aws:s3::example_bucket/*" syntax now appears to require three (3) : colons to work properly.

In order for this configuration to function properly, it needs to be formatted as such: "arn:aws:s3:::example_bucket/*". The full policy config would look like this now:

{
 "Statement": [
  {
    "Effect": "Allow",
    "Principal": {
      "AWS": [
        "*"
      ]
    },
    "Action": [
      "s3:GetObject"
    ],
    "Resource": [
      "arn:aws:s3:::example_bucket/*"
    ]
  }
 ]
}
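A pre-flight check for the policy file before running s3cmd setpolicy, added here as an example and not part of the original thread or of Linode's tooling: it rejects the two-colon resource ARN described above and reports what each statement grants to everyone. The names lint_policy, as_list, is_public, OLD and NEW are hypothetical, and the check assumes the three-colon form given in the last reply.

```python
import json
import re

# S3 ARN shape: arn:aws:s3:::bucket or arn:aws:s3:::bucket/key-pattern.
# The region and account fields are empty, hence three colons after "s3".
S3_ARN = re.compile(r"^arn:aws:s3:::([^/:]+)(/.*)?$")

def as_list(value):
    """Policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def is_public(principal):
    """True when the principal is "*" or {"AWS": "*"} / {"AWS": ["*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS", []))
    return False

def lint_policy(text, bucket):
    """Return a list of findings for a bucket policy given as JSON text."""
    findings = []
    for i, stmt in enumerate(as_list(json.loads(text).get("Statement", []))):
        for res in as_list(stmt.get("Resource", [])):
            m = S3_ARN.match(res)
            if not m:
                findings.append(f"statement {i}: malformed resource ARN {res!r}")
            elif m.group(1) != bucket:
                findings.append(f"statement {i}: resource names bucket "
                                f"{m.group(1)!r}, expected {bucket!r}")
        # Informational: list what is granted to everyone so the scope can be confirmed.
        if stmt.get("Effect") == "Allow" and is_public(stmt.get("Principal")):
            actions = as_list(stmt.get("Action", []))
            findings.append(f"statement {i}: public access to {', '.join(actions)}")
            if any(a != "s3:GetObject" for a in actions):
                findings.append(f"statement {i}: public grant goes beyond s3:GetObject")
    return findings

# Constructed sample input: the thread's policy with the two-colon ARN,
# and the same policy with the three-colon ARN.
OLD = ('{"Statement":[{"Effect":"Allow","Principal":{"AWS":["*"]},'
       '"Action":["s3:GetObject"],"Resource":["arn:aws:s3::example_bucket/*"]}]}')
NEW = OLD.replace("arn:aws:s3::example_bucket", "arn:aws:s3:::example_bucket")

if __name__ == "__main__":
    for name, policy in (("two colons", OLD), ("three colons", NEW)):
        print(name, lint_policy(policy, "example_bucket"))
```

The "public access" finding is expected for this thread's policy; the point is to confirm that s3:GetObject is the only action granted to everyone and that the resource names the intended bucket.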
