Bucket Policies

A bucket policy grants or denies permission to perform actions on a designated bucket and the objects within it. The policy is attached to the bucket itself rather than to a user, so it is evaluated for every request against that bucket, including anonymous requests made without an API key. This gives you fine-grained control over how your data is accessed: who may read or write it, from where, and under which conditions.

Components of a bucket policy

Version

Telnyx Storage only supports version "2012-10-17". For more information, please refer to IAM JSON policy elements: Version.

"Version":"2012-10-17"

Id

An optional identifier for the bucket policy as a whole. Use a value that is unique across your policies, such as a UUID. For more information, please refer to IAM JSON policy elements: Id.

"Id":"8923fdae-679b-42d7-907f-1f53364fbdff"

Statement Id (Sid)

The Sid is an optional identifier for an individual statement within the policy. It is usually used as a short description of what that statement does. For more information, please refer to IAM JSON policy elements: Sid.

"Sid":"Allow public retrieval of all objects within a bucket."

Effect

The Effect specifies whether the statement grants permission to perform an action (Allow) or prohibits the action from being performed (Deny).

The only two possible values are Allow and Deny. As with AWS IAM policies, an explicit Deny takes precedence over any Allow that matches the same request, and a request that matches no Allow statement is denied by default, so Deny statements are the right tool for guard rails that must hold regardless of what other statements grant. For more information, please refer to IAM JSON policy elements: Effect.

"Effect":"Deny"

Principal

The Principal is the user or entity the statement applies to. For more information, please refer to AWS JSON policy elements: Principal.

The principal can be defined as:

  • Public and/or anonymous users: "*" applies the statement to everyone, including anonymous callers. Users would not need to supply an API key in order to perform the action, so combine "*" with Allow only for actions you intend to expose to the whole Internet, and narrow it with a Condition (for example on aws:SourceIp) wherever possible.
    "Principal":"*"

  • A specific Telnyx user: passing a {{Telnyx_user_ID}} as the principal applies the statement only to that Telnyx user account.
    "Principal":"40d68ba2-0847-4df2-be9c-b0e0cb673e75"

Action

An Action describes which API request you are granting or denying permission to perform. For more information, please refer to IAM JSON policy elements: Action.

Telnyx Storage currently supports the following actions:

  • "s3:GetObject"
  • "s3:ListBucket"
  • "s3:PutObject"
  • "s3:PutObjectTagging"

"s3:ListBucket" is a bucket-level action and is matched against the bucket ARN (arn:aws:s3:::bucket-name), while the three object actions are matched against object ARNs (arn:aws:s3:::bucket-name/*). A statement whose Resource only covers objects therefore does not grant listing, and vice versa.

"Action":["s3:GetObject"]

Resource

The Resource is the bucket, or the objects under a bucket or prefix, that the statement applies to, expressed as an S3 ARN: arn:aws:s3:::bucket-name for the bucket itself and arn:aws:s3:::bucket-name/* (or arn:aws:s3:::bucket-name/prefix/*) for objects. The bucket name in the ARN must be the bucket the policy is attached to. For more information, please refer to IAM JSON policy elements: Resource.

"Resource": "arn:aws:s3:::example-bucket/*"

Condition

Conditions are additional criteria that must be met for a statement to apply. Within one Condition block every operator and key must match (they are combined with AND); where a single key lists several values, matching any one of them is enough. For more information, please refer to IAM JSON policy elements: Condition.

Telnyx Storage currently supports the following condition operators ("StringLike" and "StringNotLike" accept * and ? wildcards in the policy value):

  • "StringEquals"
  • "StringNotEquals"
  • "StringLike"
  • "StringNotLike"
  • "IpAddress"
  • "NotIpAddress"

When a request carries several values for one key (for example the tag keys sent with s3:PutObjectTagging), the String operators can be combined with the "ForAllValues" or "ForAnyValue" prefix: ForAllValues requires every value in the request to match one of the policy values, ForAnyValue requires at least one to match. Examples:

  • "ForAllValues:StringEquals"
  • "ForAnyValue:StringEquals"

Telnyx Storage currently supports the following condition keys:

  • "s3:prefix"
  • "s3:delimiter"
  • "s3:ExistingObjectTag/<key>"
  • "s3:RequestObjectTagKeys"
  • "s3:RequestObjectTag/<key>"
  • "s3:x-amz-server-side-encryption"
  • "aws:SourceIp"

Two caveats when building conditions. "aws:SourceIp" is compared with the client address as seen by storage.telnyx.com, so requests that pass through a NAT gateway or proxy carry that device's address rather than the original client's, and a range written for an office admits every host behind its egress. "s3:ExistingObjectTag/<key>" makes the access decision depend on object tags, so whoever is allowed "s3:PutObjectTagging" on an object can change whether such a statement matches it; keep tagging rights at least as restricted as the reads they gate.
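How these operators and keys combine at request time is easiest to see by running a policy through an evaluator. The following is an added example written for this page, not Telnyx code: it implements the six operators and the ForAllValues/ForAnyValue prefixes above with AWS-style semantics (an explicit Deny wins, a request matching no Allow is implicitly denied, and a negated operator matches when its key is absent from the request), which Telnyx Storage is assumed, not confirmed, to share. The policy, user ID and request contexts are constructed for the demonstration.

```python
"""Offline evaluator for the policy grammar above (added example, not Telnyx code).

Assumes AWS-style semantics: an explicit Deny wins, no matching Allow is an
implicit deny, and a context key that is absent from the request makes the
negated operators (StringNotEquals, StringNotLike, NotIpAddress) match. Telnyx
Storage is assumed, not confirmed, to behave the same way in those corner cases.
"""
import ipaddress
import json
import re


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _like(value, pattern):
    """StringLike match: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_holds(operator, key, context, wanted):
    """Evaluate one operator/key pair; `wanted` is the policy's value list."""
    set_op, _, base = operator.rpartition(":")   # "ForAllValues:StringEquals" -> ("ForAllValues", ":", "StringEquals")
    if base in ("IpAddress", "NotIpAddress"):
        def test(v, w):
            return ipaddress.ip_address(v) in ipaddress.ip_network(w, strict=False)
    elif base in ("StringEquals", "StringNotEquals"):
        def test(v, w):
            return v == w
    elif base in ("StringLike", "StringNotLike"):
        test = _like
    else:
        raise ValueError(f"unsupported condition operator: {operator}")
    negated = "Not" in base

    def value_ok(v):
        hit = any(test(v, w) for w in wanted)
        return not hit if negated else hit

    values = _as_list(context[key]) if key in context else []
    if set_op == "ForAllValues":   # every request value must match; an empty set matches
        return all(value_ok(v) for v in values)
    if set_op == "ForAnyValue":    # at least one request value must match
        return any(value_ok(v) for v in values)
    if key not in context:         # single-valued key missing from the request
        return negated
    return any(value_ok(v) for v in values)


def evaluate(policy, request):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        principals = _as_list(st["Principal"])   # "*" covers anonymous and authenticated callers
        if "*" not in principals and request["principal"] not in principals:
            continue
        if not any(_like(request["action"], a) for a in _as_list(st["Action"])):
            continue
        if not any(_like(request["resource"], r) for r in _as_list(st["Resource"])):
            continue
        conditions = st.get("Condition", {})   # operators and keys are ANDed together
        if not all(_condition_holds(op, key, request["context"], _as_list(wanted))
                   for op, pairs in conditions.items() for key, wanted in pairs.items()):
            continue
        if st["Effect"] == "Deny":
            return "Deny"          # an explicit Deny ends evaluation immediately
        decision = "Allow"
    return decision


def make_request(principal, action, key, context=None):
    """A request against example-bucket; `context` carries the condition keys."""
    return {"principal": principal, "action": action,
            "resource": f"arn:aws:s3:::example-bucket/{key}", "context": context or {}}


# Constructed policy combining the page's IP, tag, tag-key and SSE condition keys.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "UploadsFromOfficeRange", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}}},
    {"Sid": "RequireEncryptedUploads", "Effect": "Deny", "Principal": "*",
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Sid": "PublicReadOfProduction", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"s3:ExistingObjectTag/environment": "production"}}},
    {"Sid": "OnlyKnownTagKeys", "Effect": "Allow", "Principal": "40d68ba2-0847-4df2-be9c-b0e0cb673e75",
     "Action": ["s3:PutObjectTagging"], "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"ForAllValues:StringEquals": {"s3:RequestObjectTagKeys": ["environment", "team"]}}}
  ]
}""")

if __name__ == "__main__":
    office = {"aws:SourceIp": "192.0.2.10", "s3:x-amz-server-side-encryption": "AES256"}
    print(evaluate(SAMPLE_POLICY, make_request("anonymous", "s3:PutObject", "a.txt", office)))
    print(evaluate(SAMPLE_POLICY, make_request("anonymous", "s3:PutObject", "a.txt",
                                               {"aws:SourceIp": "192.0.2.10"})))   # Deny: no SSE header
    print(evaluate(SAMPLE_POLICY, make_request("anonymous", "s3:GetObject", "a.txt",
                                               {"s3:ExistingObjectTag/environment": "staging"})))
```

The second request shows the Deny/missing-key interaction that makes "require encryption" guard rails work: an upload from the allowed range without the s3:x-amz-server-side-encryption header matches the Allow, but StringNotEquals on an absent key also matches, and the Deny wins.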

Managing bucket policies

Create a bucket policy

First, either create a new bucket or select one of your existing buckets. Then send a PUT request to the bucket with the policy subresource (?policy) appended to the path URL, and the policy JSON in the body of the request. This is the S3 PutBucketPolicy operation; it replaces any policy already attached to the bucket. For more information, please refer to PutBucketPolicy.

curl --location --request PUT 'https://storage.telnyx.com/bucketpolicytest?policy' \
--header 'Accept: text/xml' \
--header 'X-Amz-Content-Sha256: beaead3198f7da1e70d03ab969765e0821b24fc913697e929e726aeaebf0eba3' \
--header 'Authorization: AWS4-HMAC-SHA256 Credential={{your_telnyx_api_key_here}}/20230201/test/execute-api/aws4_request, SignedHeaders=accept;host;x-amz-content-sha256, Signature=d796b07477c3643751c0b5315ee35763b7fbe2ad32c5c9db6c5d22694ffcfc4e' \
--header 'Content-Type: application/json' \
--data-raw '{
    "Version": "2012-10-17",
    "Id": "public-read-policy",
    "Statement": [
        {
            "Sid": "Grant public read only access to the bucket",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::bucketpolicytest/*"
        }
    ]
}'

The X-Amz-Content-Sha256 value is the SHA-256 of the exact request body, and the Signature covers the signed headers, that hash, your key and the date in the credential scope, so the values shown only match the request they were computed for; any change to the body or headers requires re-signing. In practice an S3-compatible client that signs with Signature Version 4 computes both for you.

View a bucket policy

To view the policy currently attached to a bucket, send a GET request to the bucket with the policy subresource (?policy) appended to the path URL. The policy is returned in the body of the response; this is the S3 GetBucketPolicy operation. For more information, please refer to GetBucketPolicy. Reading the policy back after a PUT confirms exactly what the service will enforce.

Request:

curl --location --request GET 'https://storage.telnyx.com/bucketpolicytest?policy' \
--header 'Authorization: AWS4-HMAC-SHA256 Credential={{your_telnyx_api_key_here}}/20230201/test/execute-api/aws4_request, SignedHeaders=host, Signature=4a053c601df22ac4854a5f648b5774505143de7ed71c762d94fa4ea4f52ffb87'

Response:

{"Statement":[{"Action":["s3:GetObject"],"Effect":"Allow","Principal":"*","Resource":"arn:aws:s3:::bucketpolicytest/*","Sid":"Grant public read only access to the bucket"}],"Version":"2012-10-17"}

Delete a bucket policy

To delete a bucket policy, send a DELETE request to the bucket with the policy subresource (?policy) appended to the path URL. This removes only the policy, not the bucket or its objects; this is the S3 DeleteBucketPolicy operation. For more information, please refer to DeleteBucketPolicy. Note that every grant and every Deny guard rail in the policy disappears together, so requests that relied on a public-read or IP-based Allow will start failing, and any protection a Deny statement provided is gone.

curl --location --request DELETE 'https://storage.telnyx.com/bucketpolicytest?policy' \
--header 'Authorization: AWS4-HMAC-SHA256 Credential={{your_telnyx_api_key_here}}/20230201/test/execute-api/aws4_request, SignedHeaders=host, Signature=9dd01dc80e537a485d40f1581e85eea5cc3b0d36ea56798c3c5c467b359d5e84'
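The Signature and X-Amz-Content-Sha256 values in the three curl commands above are bound to one exact request and one date; to send your own you need to compute them. The block below is an added example, not Telnyx code, showing AWS Signature Version 4 for the PUT, GET and DELETE ?policy requests. It assumes the credential scope the page's examples use (date/test/execute-api/aws4_request), that the Telnyx API key is the access key ID, and that a signing secret exists (SECRET is a hypothetical placeholder; the page does not say what to use); it also sends x-amz-date as a signed header, which the page's examples omit.

```python
"""Sign the ?policy requests above with AWS Signature Version 4 (added example,
not Telnyx code).

The curl samples on this page carry fixed Signature values that only match the
exact request, key and date they were computed for. This block computes them.
Assumptions: the Telnyx API key is the access key ID in the Credential scope;
the `secret` argument is a hypothetical placeholder for the signing secret (the
page does not say what it is); REGION/SERVICE copy the page's scope; x-amz-date
is sent and signed so the server can check the request's age.
"""
import hashlib
import hmac
import json
import urllib.parse

ENDPOINT = "storage.telnyx.com"
REGION, SERVICE = "test", "execute-api"    # as in the page's Credential scope


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload_hash):
    """SigV4 canonical request; returns (text, signed-header list)."""
    canon_query = "&".join(f"{urllib.parse.quote(k, safe='')}={urllib.parse.quote(v, safe='')}"
                           for k, v in sorted(query.items()))
    lower = {k.lower(): " ".join(v.split()) for k, v in headers.items()}  # lowercase, trimmed
    signed = ";".join(sorted(lower))
    canon_headers = "".join(f"{k}:{lower[k]}\n" for k in sorted(lower))
    text = "\n".join([method, urllib.parse.quote(path, safe="/"), canon_query,
                      canon_headers, signed, payload_hash])
    return text, signed


def sign(method, bucket, body, access_key, secret, amz_date, extra_headers=None):
    """Headers, including Authorization, for a <method> /<bucket>?policy request."""
    date = amz_date[:8]                                  # amz_date like 20230201T000000Z
    payload_hash = sha256_hex(body)
    headers = {"host": ENDPOINT, "x-amz-date": amz_date,
               "x-amz-content-sha256": payload_hash, **(extra_headers or {})}
    canon, signed = canonical_request(method, f"/{bucket}", {"policy": ""}, headers, payload_hash)
    scope = f"{date}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, sha256_hex(canon.encode())])
    key = _hmac(("AWS4" + secret).encode(), date)        # derive the per-day signing key
    for part in (REGION, SERVICE, "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers


# The page's public-read policy, Resource aligned with the bucket it is attached to.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Id": "public-read-policy",
    "Statement": [{"Sid": "Grant public read only access to the bucket",
                   "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::bucketpolicytest/*"}],
}


def put_policy_request(bucket="bucketpolicytest", access_key="{{your_telnyx_api_key_here}}",
                       secret="{{SECRET}}", amz_date="20230201T000000Z"):
    """Body and signed headers for PutBucketPolicy; the body must be sent byte-for-byte."""
    body = json.dumps(PUBLIC_READ_POLICY, separators=(",", ":")).encode()
    headers = sign("PUT", bucket, body, access_key, secret, amz_date,
                   {"content-type": "application/json"})
    return headers, body


if __name__ == "__main__":
    hdrs, body = put_policy_request()
    print(f"curl -X PUT 'https://{ENDPOINT}/bucketpolicytest?policy' \\")
    for name, value in hdrs.items():
        print(f"  -H '{name}: {value}' \\")
    print(f"  --data-raw '{body.decode()}'")
```

For the GET and DELETE requests call sign("GET", ...) or sign("DELETE", ...) with an empty body. Send the body exactly as returned, since both X-Amz-Content-Sha256 and the signature were computed over those bytes, and use the current UTC time for amz_date: a SigV4 verifier rejects requests whose date is too far from its own clock.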

Examples

Make every object in your bucket publicly readable

This statement allows anyone, with or without an API key, to fetch any object in the bucket. It grants "s3:GetObject" only, so the bucket's contents cannot be listed through this policy, but any object whose key is known or guessable can be downloaded.

{
    "Version": "2012-10-17",
    "Id": "public-read-policy",
    "Statement": [
        {
            "Sid": "Allow public read access for all objects within a bucket.",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::example-bucket/*"
        }
    ]
}

Grant public access only to objects with specific tags

Only objects whose environment tag is exactly production match this statement; untagged objects and objects with any other value stay private unless another statement allows them. Because the decision rests on the tag, whoever can call "s3:PutObjectTagging" on an object can make it public by retagging it.

{
    "Version": "2012-10-17",
    "Id": "tagged-public-read-policy",
    "Statement": [
        {
            "Sid": "public read access for objects with specific tags.",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/environment": "production"
                }
            }
        }
    ]
}

Allow requests initiated from a specific IP address range to upload objects

With "Principal": "*", any client in 192.0.2.0/24 can upload without an API key, so this grant is only as safe as the network behind that range: every host that egresses through those addresses gets write access. Keep the range as narrow as possible.

{
    "Version":"2012-10-17",
    "Id":"ip-restricted-upload-policy",
    "Statement":[
        {
            "Sid":"Grant object uploads from a specified IP address range",
            "Effect":"Allow",
            "Principal":"*",
            "Action":["s3:PutObject"],
            "Resource":"arn:aws:s3:::example-bucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "192.0.2.0/24"
                }
            }
        }
    ]
}

Policy with multiple statements

Each statement is evaluated independently against a request: here uploads are allowed from 192.0.2.0/24 and reads are allowed for objects tagged environment=production. A request is allowed if at least one Allow statement matches it and no Deny statement does; the two grants do not interact, so an upload from the allowed range does not need the tag and a read of a tagged object does not need to come from that range.

{
    "Version":"2012-10-17",
    "Id":"upload-and-tagged-read-policy",
    "Statement":[
        {
            "Sid":"Grant object uploads from a specified IP address range",
            "Effect":"Allow",
            "Principal":"*",
            "Action":["s3:PutObject"],
            "Resource":"arn:aws:s3:::example-bucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "192.0.2.0/24"
                }
            }
        },
        {
            "Sid":"Allow only GET requests for objects with a specific tag",
            "Effect":"Allow",
            "Principal":"*",
            "Action":["s3:GetObject"],
            "Resource":"arn:aws:s3:::example-bucket/*",
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/environment": "production"
                }
            }
        }
    ]
}
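Before attaching any of the policies above, it is worth checking them mechanically against the action, operator and condition-key lists this page documents and against the exposure each statement creates. The following linter is an added example, not Telnyx code; the supported lists are taken from this page and the risk rules are this example's own. It runs on the public-read policy above and on a constructed policy containing the mistakes it is meant to catch.

```python
"""Lint a bucket policy before attaching it (added example, not Telnyx code).

The supported action, operator and condition-key lists are copied from this
page; the exposure rules are this example's own reviewer checks. `bucket` is
the bucket the policy will be attached to.
"""
import re

SUPPORTED_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:PutObjectTagging"}
SUPPORTED_OPERATORS = {"StringEquals", "StringNotEquals", "StringLike", "StringNotLike",
                       "IpAddress", "NotIpAddress"}
SUPPORTED_KEYS = {"s3:prefix", "s3:delimiter", "s3:RequestObjectTagKeys",
                  "s3:x-amz-server-side-encryption", "aws:SourceIp"}
TAG_KEY = re.compile(r"^s3:(ExistingObjectTag|RequestObjectTag)/[^/]+$")  # s3:...Tag/<key>
WRITE_ACTIONS = {"s3:PutObject", "s3:PutObjectTagging"}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _condition_keys(statement):
    return {key for pairs in statement.get("Condition", {}).values() for key in pairs}


def _is_public_allow(statement):
    return statement.get("Effect") == "Allow" and "*" in _as_list(statement.get("Principal"))


def lint(policy, bucket):
    """Return (level, sid, message) tuples; 'error' means the policy will not do what you expect."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append(("error", "-", "Version must be 2012-10-17"))
    statements = policy.get("Statement", [])
    for st in statements:
        sid = st.get("Sid", "<no Sid>")
        actions = set(_as_list(st.get("Action", [])))
        if st.get("Effect") not in ("Allow", "Deny"):
            findings.append(("error", sid, f"Effect must be Allow or Deny, got {st.get('Effect')!r}"))
        for action in sorted(actions - SUPPORTED_ACTIONS):
            findings.append(("error", sid, f"unsupported action {action}"))
        for resource in _as_list(st.get("Resource", [])):
            if resource != f"arn:aws:s3:::{bucket}" and not resource.startswith(f"arn:aws:s3:::{bucket}/"):
                findings.append(("error", sid, f"Resource {resource} is not in bucket {bucket}"))
        for operator, pairs in st.get("Condition", {}).items():
            if operator.rpartition(":")[2] not in SUPPORTED_OPERATORS:   # strip ForAllValues:/ForAnyValue:
                findings.append(("error", sid, f"unsupported condition operator {operator}"))
            for key in pairs:
                if key not in SUPPORTED_KEYS and not TAG_KEY.match(key):
                    findings.append(("error", sid, f"unsupported condition key {key}"))
        if not _is_public_allow(st):
            continue
        # Exposure checks: what does an Allow for Principal "*" actually hand out?
        keys = _condition_keys(st)
        if actions & WRITE_ACTIONS:
            if "aws:SourceIp" in keys:
                findings.append(("warn", sid, "anonymous write access limited only by source IP; "
                                              "every host behind those addresses can upload"))
            else:
                findings.append(("error", sid, "anonymous write access with no aws:SourceIp restriction"))
        if "s3:GetObject" in actions and not keys:
            findings.append(("info", sid, "every object in the bucket becomes publicly readable"))
        if "s3:ListBucket" in actions:
            findings.append(("warn", sid, "object keys in the bucket become publicly listable"))
    # A tag-gated read is only as strong as control over the tag itself.
    tag_gated = any(k.startswith("s3:ExistingObjectTag/") for st in statements
                    if st.get("Effect") == "Allow" for k in _condition_keys(st))
    public_tagging = any(_is_public_allow(st) and "s3:PutObjectTagging" in _as_list(st.get("Action", []))
                         for st in statements)
    if tag_gated and public_tagging:
        findings.append(("error", "-", "reads are gated on object tags but anyone may rewrite the tags"))
    return findings


# The page's public-read example, and a constructed policy with the mistakes the linter is for.
PUBLIC_READ = {"Version": "2012-10-17", "Id": "public-read-policy", "Statement": [
    {"Sid": "Allow public read access for all objects within a bucket.", "Effect": "Allow",
     "Principal": "*", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]}

BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OpenDropbox", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:PutObject", "s3:PutObjectTagging", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::other-bucket/*"},
    {"Sid": "RefererGate", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringLike": {"aws:Referer": "https://www.example.com/*"},
                   "StringEquals": {"s3:ExistingObjectTag/environment": "production"}}}]}

if __name__ == "__main__":
    for name, policy in (("public-read", PUBLIC_READ), ("bad", BAD_POLICY)):
        for level, sid, message in lint(policy, "example-bucket"):
            print(f"{name}: {level:5} [{sid}] {message}")
```

The constructed BAD_POLICY triggers every error class: an action and a condition key that this page does not list (so the statement would not behave as written), a Resource in a different bucket, an anonymous write with no source restriction, and a tag-gated read combined with public tagging rights, which lets anyone make an object readable by retagging it.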