Poq at 19:26, 6 February 2026

2026-02-06T19:26:46Z

← Older revision		Revision as of 19:26, 6 February 2026
Line 41:		Line 41:

	Get the local IP, this is the floating IP of a VM I have deployed on my project, but it could be any public IP or range.		Get the local IP, this is the floating IP of a VM I have deployed on my project, but it could be any public IP or range.
	<syntaxhighlight ~~,lang="bash"~~>		<syntaxhighlight>
	$curl -4 ifconfig.co		$curl -4 ifconfig.co
	198.168.189.175		198.168.189.175
Line 47:		Line 47:

	Check that the bucket is private, it returns AccessDenied in a xml file.		Check that the bucket is private, it returns AccessDenied in a xml file.
	<syntaxhighlight ~~,lang="bash"~~>		<syntaxhighlight>
	$curl https://objets.juno.calculquebec.ca/ad99d6c3087041bcb6c0fe5f2da54df9:truite/		$curl https://objets.juno.calculquebec.ca/ad99d6c3087041bcb6c0fe5f2da54df9:truite/
	<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message></Message><BucketName>truite</BucketName><RequestId>tx00000a0656342bf1c6a6f-0069862e7e-122190171-default</RequestId><HostId>122190171-default-default</HostId></Error>		<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message></Message><BucketName>truite</BucketName><RequestId>tx00000a0656342bf1c6a6f-0069862e7e-122190171-default</RequestId><HostId>122190171-default-default</HostId></Error>
Line 54:		Line 54:
	The xml formal is a pain we all have to deal with from time to time. You can install the [https://github.com/kislyuk/yq/ yq] cli to you environement to make them readable. The cli comes with yq a yaml parser but also with xq, an xml parser.		The xml formal is a pain we all have to deal with from time to time. You can install the [https://github.com/kislyuk/yq/ yq] cli to you environement to make them readable. The cli comes with yq a yaml parser but also with xq, an xml parser.

	<syntaxhighlight ~~,lang="bash"~~>		<syntaxhighlight>
	$pip install yq		$pip install yq
	$curl -s https://objets.juno.calculquebec.ca/ad99d6c3087041bcb6c0fe5f2da54df9:truite \| xq		$curl -s https://objets.juno.calculquebec.ca/ad99d6c3087041bcb6c0fe5f2da54df9:truite \| xq
Line 70:		Line 70:

	Now, lets apply the policy and see if we can list the bucket and get the data		Now, lets apply the policy and see if we can list the bucket and get the data
	<syntaxhighlight ~~,lang="bash"~~>		<syntaxhighlight>
	$aws --profile po-test s3api put-bucket-policy --policy file://policy.json --bucket truite		$aws --profile po-test s3api put-bucket-policy --policy file://policy.json --bucket truite
	$curl -s https://objets.juno.calculquebec.ca/ad99d6c3087041bcb6c0fe5f2da54df9:truite \| xq .ListBucketResult.Contents.[].Key		$curl -s https://objets.juno.calculquebec.ca/ad99d6c3087041bcb6c0fe5f2da54df9:truite \| xq .ListBucketResult.Contents.[].Key
Line 81:		Line 81:

	For good mesure we go on another machine to make sure that the data is not available form there:		For good mesure we go on another machine to make sure that the data is not available form there:
	<syntaxhighlight ~~,lang="bash"~~>		<syntaxhighlight >
	$curl -4 ifconfig.co		$curl -4 ifconfig.co
	132.219.138.77		132.219.138.77

Poq: Created page with "Bucket policies can be used to make buckets partially or completely public, they can also be used to limit access to public buckets. They can be used as some kind of firewall on your data. Our Object store S3 API is provided by Ceph's Rados Gateway. Its [https://docs.ceph.com/en/latest/radosgw/bucketpolicy/ supported policies] are a subset of the [https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html AWS bucket policies]. == Making a bucket public..."

2026-02-06T19:24:10Z

Created page with "Bucket policies can be used to make buckets partially or completely public, they can also be used to limit access to public buckets. They can be used as some kind of firewall on your data. Our Object store S3 API is provided by Ceph's Rados Gateway. Its [https://docs.ceph.com/en/latest/radosgw/bucketpolicy/ supported policies] are a subset of the [https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html AWS bucket policies]. == Making a bucket public..."

New page

Bucket policies can be used to make buckets partially or completely public, they can also be used to limit access to public buckets. They can be used as some kind of firewall on your data.

Our Object store S3 API is provided by Ceph's Rados Gateway. Its [https://docs.ceph.com/en/latest/radosgw/bucketpolicy/ supported policies] are a subset of the [https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html AWS bucket policies].

== Making a bucket public on a specific IP address range.==

We will use the [https://docs.aws.amazon.com/cli/latest/ aws cli] set policies. Make sure that is it properly configured for Juno.

This policy.json example will let objects from the bucket <private bucket> in project <project id> be listed (s3:ListBucket) and read (s3:GetObject) from the public IP < open IP> without the need for identification.

<div class="filename">'''File :''' policy.json </div>
<syntaxhighlight lang="json" file="my-policy.json">
{
"Version": "2012-10-17",
"Id": "S3-allow-from-my-ip",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3::<project id>:<private bucket>/*",
"arn:aws:s3::<project id>:<private bucket>"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": "<open IP>/32"
}
}
}
]
}
</syntaxhighlight>

The policy on projects <project> is applied like this:

Get the local IP, this is the floating IP of a VM I have deployed on my project, but it could be any public IP or range.
<syntaxhighlight ,lang="bash">
$curl -4 ifconfig.co
198.168.189.175
</syntaxhighlight>

Check that the bucket is private, it returns AccessDenied in a xml file.
<syntaxhighlight ,lang="bash">
$curl https://objets.juno.calculquebec.ca/ad99d6c3087041bcb6c0fe5f2da54df9:truite/
<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message></Message><BucketName>truite</BucketName><RequestId>tx00000a0656342bf1c6a6f-0069862e7e-122190171-default</RequestId><HostId>122190171-default-default</HostId></Error>
</syntaxhighlight>

The xml formal is a pain we all have to deal with from time to time. You can install the [https://github.com/kislyuk/yq/ yq] cli to you environement to make them readable. The cli comes with yq a yaml parser but also with xq, an xml parser.

<syntaxhighlight ,lang="bash">
$pip install yq
$curl -s https://objets.juno.calculquebec.ca/ad99d6c3087041bcb6c0fe5f2da54df9:truite | xq
{
"Error": {
"Code": "AccessDenied",
"Message": null,
"BucketName": "truite",
"RequestId": "tx00000b4182e1d6e9932f2-0069863de1-122190231-default",
"HostId": "122190231-default-default"
}
}
</syntaxhighlight>

Now, lets apply the policy and see if we can list the bucket and get the data
<syntaxhighlight ,lang="bash">
$aws --profile po-test s3api put-bucket-policy --policy file://policy.json --bucket truite
$curl -s https://objets.juno.calculquebec.ca/ad99d6c3087041bcb6c0fe5f2da54df9:truite | xq .ListBucketResult.Contents.[].Key
"package.json/package.json"
"testdir/"
"testdir/package.json"
"vagabon.png"
</syntaxhighlight>

For good mesure we go on another machine to make sure that the data is not available form there:
<syntaxhighlight ,lang="bash">
$curl -4 ifconfig.co
132.219.138.77
$curl -s https://objets.juno.calculquebec.ca/ad99d6c3087041bcb6c0fe5f2da54df9:truite | xq
{
"Error": {
"Code": "AccessDenied",
"Message": null,
"BucketName": "truite",
"RequestId": "tx00000f13e03ed77f374bd-0069863f2b-122190379-default",
"HostId": "122190379-default-default"
}
}

</syntaxhighlight>

Bucket policy - Revision history

Poq at 19:26, 6 February 2026