PeaSoup supports a subset of the Amazon S3 policy language applied to buckets.
Bucket policies are managed through the standard S3 bucket-policy operations (PutBucketPolicy, GetBucketPolicy, DeleteBucketPolicy).
For example, one may use s3cmd to set or delete a policy thus (the policy document must be plain JSON with straight double quotes):
$ cat > examplepol
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::usfolks:user/fred:subuser"]},
    "Action": "s3:PutObjectAcl",
    "Resource": [
      "arn:aws:s3:::happybucket/*"
    ]
  }]
}
$ s3cmd setpolicy examplepol s3://happybucket
$ s3cmd delpolicy s3://happybucket
Currently, we support only the following actions:
- s3:AbortMultipartUpload
- s3:CreateBucket
- s3:DeleteBucketPolicy
- s3:DeleteBucket
- s3:DeleteBucketWebsite
- s3:DeleteObject
- s3:DeleteObjectVersion
- s3:DeleteReplicationConfiguration
- s3:GetAccelerateConfiguration
- s3:GetBucketAcl
- s3:GetBucketCORS
- s3:GetBucketLocation
- s3:GetBucketLogging
- s3:GetBucketNotification
- s3:GetBucketPolicy
- s3:GetBucketRequestPayment
- s3:GetBucketTagging
- s3:GetBucketVersioning
- s3:GetBucketWebsite
- s3:GetLifecycleConfiguration
- s3:GetObjectAcl
- s3:GetObject
- s3:GetObjectTorrent
- s3:GetObjectVersionAcl
- s3:GetObjectVersion
- s3:GetObjectVersionTorrent
- s3:GetReplicationConfiguration
- s3:IPAddress
- s3:NotIpAddress
- s3:ListAllMyBuckets
- s3:ListBucketMultipartUploads
- s3:ListBucket
- s3:ListBucketVersions
- s3:ListMultipartUploadParts
- s3:PutAccelerateConfiguration
- s3:PutBucketAcl
- s3:PutBucketCORS
- s3:PutBucketLogging
- s3:PutBucketNotification
- s3:PutBucketPolicy
- s3:PutBucketRequestPayment
- s3:PutBucketTagging
- s3:PutBucketVersioning
- s3:PutBucketWebsite
- s3:PutLifecycleConfiguration
- s3:PutObjectAcl
- s3:PutObject
- s3:PutObjectVersionAcl
- s3:PutReplicationConfiguration
- s3:RestoreObject
Note that IpAddress and NotIpAddress are condition operators in the S3 policy language (they appear in a statement's Condition block), not actions that a statement can grant or deny.
We do not yet support setting policies on users, groups, or roles.
The condition keys recognised for each permission are listed below. Where a permission is written as "A & B", the same keys apply to both. Note that the object-tagging permissions in this table (s3:PutObjectTagging, s3:GetObjectTagging, s3:DeleteObjectTagging and their Version variants) do not appear in the list of supported actions above.
Permission | Condition Keys | Comments |
s3:CreateBucket | s3:x-amz-acl, s3:x-amz-grant-<perm> (perm is one of read, write, read-acp, write-acp, full-control) | |
s3:ListBucket & s3:ListBucketVersions | s3:prefix, s3:delimiter, s3:max-keys | |
s3:PutBucketAcl | s3:x-amz-acl, s3:x-amz-grant-<perm> | |
s3:PutObject | s3:x-amz-acl, s3:x-amz-grant-<perm>, s3:x-amz-copy-source, s3:x-amz-server-side-encryption, s3:x-amz-server-side-encryption-aws-kms-key-id, s3:x-amz-server-side-encryption-customer-algorithm, s3:x-amz-metadata-directive, s3:RequestObjectTag/<tag-key> | s3:x-amz-metadata-directive applies to COPY requests and controls whether the source object's metadata is preserved or overwritten |
s3:PutObjectAcl & s3:PutObjectVersionAcl | s3:x-amz-acl, s3:x-amz-grant-<perm>, s3:ExistingObjectTag/<tag-key> | |
s3:PutObjectTagging & s3:PutObjectVersionTagging | s3:RequestObjectTag/<tag-key>, s3:ExistingObjectTag/<tag-key> | |
s3:GetObject & s3:GetObjectVersion | s3:ExistingObjectTag/<tag-key> | |
s3:GetObjectAcl & s3:GetObjectVersionAcl | s3:ExistingObjectTag/<tag-key> | |
s3:GetObjectTagging & s3:GetObjectVersionTagging | s3:ExistingObjectTag/<tag-key> | |
s3:DeleteObjectTagging & s3:DeleteObjectVersionTagging | s3:ExistingObjectTag/<tag-key> | |
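Because the policy is pushed with a plain `s3cmd setpolicy`, nothing on the client side checks it against the action list and condition-key table above. The following script is an added example (not PeaSoup's code) that lints a policy file offline before it is set: it parses the JSON, rejects a wrong Version, reports actions that are not in the supported list, reports condition keys that the table does not allow for the statement's actions, and flags any Allow to the anonymous principal "*". The action list and key table are transcribed from this page; the three sample policies are constructed for the example (the first is the page's own s3cmd example with straight quotes). Global `aws:*` keys such as `aws:SourceIp` under the IpAddress operator are passed through unchecked, which is an assumption about how PeaSoup evaluates them, not something the page states.

```python
"""Offline linter for PeaSoup-style bucket policies (added example, not PeaSoup code).
Checks a policy file against the supported-action list and the condition-key table
documented above before it is handed to `s3cmd setpolicy`, and flags statements that
grant Allow to the anonymous principal. Sample policies are constructed for this example.
"""
import json

# Actions the documentation lists as supported (IpAddress/NotIpAddress are condition
# operators, not actions, so they are deliberately left out).
SUPPORTED_ACTIONS = {"s3:" + a for a in """AbortMultipartUpload CreateBucket DeleteBucketPolicy
DeleteBucket DeleteBucketWebsite DeleteObject DeleteObjectVersion DeleteReplicationConfiguration
GetAccelerateConfiguration GetBucketAcl GetBucketCORS GetBucketLocation GetBucketLogging
GetBucketNotification GetBucketPolicy GetBucketRequestPayment GetBucketTagging GetBucketVersioning
GetBucketWebsite GetLifecycleConfiguration GetObjectAcl GetObject GetObjectTorrent
GetObjectVersionAcl GetObjectVersion GetObjectVersionTorrent GetReplicationConfiguration
ListAllMyBuckets ListBucketMultipartUploads ListBucket ListBucketVersions ListMultipartUploadParts
PutAccelerateConfiguration PutBucketAcl PutBucketCORS PutBucketLogging PutBucketNotification
PutBucketPolicy PutBucketRequestPayment PutBucketTagging PutBucketVersioning PutBucketWebsite
PutLifecycleConfiguration PutObjectAcl PutObject PutObjectVersionAcl PutReplicationConfiguration
RestoreObject""".split()}

# Condition keys valid per action, transcribed from the table above. An entry ending in
# "-" or "/" is a key family (s3:x-amz-grant-<perm>, s3:RequestObjectTag/<tag-key>, ...).
ACL_KEYS = ("s3:x-amz-acl", "s3:x-amz-grant-")
LIST_KEYS = ("s3:prefix", "s3:delimiter", "s3:max-keys")
TAG_KEY = ("s3:ExistingObjectTag/",)
ACTION_CONDITION_KEYS = {
    "s3:CreateBucket": ACL_KEYS, "s3:PutBucketAcl": ACL_KEYS,
    "s3:ListBucket": LIST_KEYS, "s3:ListBucketVersions": LIST_KEYS,
    "s3:PutObject": ACL_KEYS + (
        "s3:x-amz-copy-source", "s3:x-amz-server-side-encryption",
        "s3:x-amz-server-side-encryption-aws-kms-key-id",
        "s3:x-amz-server-side-encryption-customer-algorithm",
        "s3:x-amz-metadata-directive", "s3:RequestObjectTag/"),
    "s3:PutObjectAcl": ACL_KEYS + TAG_KEY, "s3:PutObjectVersionAcl": ACL_KEYS + TAG_KEY,
    "s3:GetObject": TAG_KEY, "s3:GetObjectVersion": TAG_KEY,
    "s3:GetObjectAcl": TAG_KEY, "s3:GetObjectVersionAcl": TAG_KEY,
}

def _as_list(value):
    """Action, Resource and Principal members may be written as a scalar or a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True for the anonymous principal: "*" or {"AWS": "*"} (scalar or inside a list)."""
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))

def _key_allowed(key, action):
    """Is `key` a documented condition key for `action`? Global aws:* keys (assumption:
    e.g. aws:SourceIp under IpAddress/NotIpAddress) are passed through unchecked."""
    if key.startswith("aws:"):
        return True
    allowed = ACTION_CONDITION_KEYS.get(action, ())
    return any(key == a or (a[-1] in "-/" and key.startswith(a)) for a in allowed)

def lint_policy(policy):
    """Return findings for a policy given as JSON text or a parsed dict; [] means clean."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("Version must be 2012-10-17")
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        where, actions = f"Statement[{i}]", _as_list(stmt.get("Action"))
        for action in actions:
            if action not in SUPPORTED_ACTIONS:
                findings.append(f"{where}: action {action} is not in the supported action list")
        if stmt.get("Effect") == "Allow" and _is_anonymous(stmt.get("Principal")):
            findings.append(f"{where}: Allow granted to the anonymous principal (public access)")
        for pairs in (stmt.get("Condition") or {}).values():   # {operator: {key: value}}
            for key in pairs:
                for action in actions:
                    if not _key_allowed(key, action):
                        findings.append(f"{where}: condition key {key} is not valid for {action}")
    return findings

# The documentation's own example, with straight quotes so that it parses.
EXAMPLE_POLICY = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": ["arn:aws:iam::usfolks:user/fred:subuser"]},
  "Action": "s3:PutObjectAcl", "Resource": ["arn:aws:s3:::happybucket/*"]}]}"""
# Listing limited to the user's own prefix and source network (constructed; aws:SourceIp assumed).
SCOPED_POLICY = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": ["arn:aws:iam::usfolks:user/fred:subuser"]}, "Action": ["s3:ListBucket"],
  "Resource": ["arn:aws:s3:::happybucket"], "Condition": {"StringLike": {"s3:prefix": "fred/*"},
  "IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}}]}"""
# Constructed bad policy: anonymous Allow, an action missing from the supported list,
# and a listing-only condition key attached to object actions (four findings).
PUBLIC_POLICY = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
  "Action": ["s3:GetObject", "s3:PutObjectTagging"], "Resource": "arn:aws:s3:::happybucket/*",
  "Condition": {"StringLike": {"s3:prefix": "public/*"}}}]}"""

if __name__ == "__main__":
    for name, text in ("example", EXAMPLE_POLICY), ("scoped", SCOPED_POLICY), ("public", PUBLIC_POLICY):
        print(name, lint_policy(text) or "clean")
```

Run it on the file you intend to pass to `s3cmd setpolicy` (e.g. `lint_policy(open("examplepol").read())`) and refuse to set the policy if the list is non-empty. The unsupported-action check will also fire on wildcard actions such as `s3:*`, which the page does not list; treat that as a prompt to spell out the actions you actually need.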