In general, the bucket owner has full control of a bucket, can grant permissions to other users, and can set S3 bucket policies using an S3 client. In ECS, an ECS System Administrator or Namespace Administrator can also set bucket policies using the Bucket Policy Editor in the ECS Portal.
You can use bucket policies in the following typical scenarios:
Grant bucket permissions to a user
Grant bucket permissions to all users
Automatically assign permissions to created objects
Grant bucket permissions to a user
To grant permissions on a bucket to a user other than the bucket owner, specify the resource whose permissions you want to change, set the Principal attribute to the name of the user, and specify one or more actions that you want to allow. Grant only the actions the user needs; a policy that allows s3:* on the bucket hands out far more than read and write.
The following example shows a policy that grants a user who is named user1 the permission to update and read objects in the bucket that is named mybucket:
You can also add conditions. For example, if you want the user to be able to read and write objects only when accessing the bucket from a specific IP address, add an IpAddress condition on aws:SourceIp, as shown in the following policy. Note that the condition applies to the source address the ECS node sees, so requests that pass through a load balancer or proxy must present the client address (for example through a configured X-Forwarded-For header) for the check to be meaningful:
Grant bucket permissions to all users
To grant permissions on a bucket to all users, specify the resource whose permissions you want to change, set the Principal attribute to anybody (*), and specify one or more actions that you want to allow. A Principal of * also matches unauthenticated (anonymous) requests, so limit the actions to reads and the resource to the objects that are meant to be public.
The following example shows a policy that grants anyone permission to read objects in the bucket that is named mybucket:
Automatically assign permissions to created objects
You can use bucket policies to automatically enable access to ingested object data. In the following example bucket policy, user1 and user2 can create subresources (that is, objects) in the bucket that is named mybucket and can set object ACLs. With the ability to set ACLs, the users can then grant permissions to other users. If the ACL is set in the same operation that creates the object, a condition can require that the canned ACL public-read be specified when the object is created (a StringEquals condition on s3:x-amz-acl). Because an upload without that ACL is then denied, every object those users create is readable by anybody; do not use this pattern for buckets that hold data that is not meant to be public.