1. Academy
  2. Object Store

How to limit bucket access by IP address

The following example denies permissions to objects unless the request originates from the predefined IP addresses

Prerequisites:

The Fuga Object Store is S3 compatible and therefore can be managed with the official AWS CLI client.

Make sure you have all the prerequisites and open a new terminal window.

 

1. Setup your environment, set environment variables:

    $ export AWS_ACCESS_KEY_ID=<your access id>
    $ export AWS_SECRET_ACCESS_KEY=<your secret key>

    Validate the aws-cli works:

     

    2. Create a new bucket:

    $ aws \
    --endpoint https://core.fuga.cloud:8080 \
    --region '' \
    s3api create-bucket --bucket mybucket

    Or use the dashboard to create a bucket, see my.fuga.cloud/object-store

     

    3. Upload two objects; each with a different key:

    % date > date.txt
    % aws \
    --endpoint https://core.fuga.cloud:8080 \
    --region '' \
    s3api put-object --bucket mybucket --key public/date.txt --body date.txt
    % aws \
    --endpoint https://core.fuga.cloud:8080 \
    --region '' \
    s3api put-object --bucket mybucket --key private/date.txt --body date.txt

    Or use the dashboard to upload your files, see my.fuga.cloud/object-store

     

    4. Create a file policy.json containing the following S3 bucket policy with your current IP address in CIDR notation:

    {
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
    {
    "Sid": "PublicAllow",
    "Effect": "Allow",
    "Principal": "*",
    "Action": [
    "s3:GetObject"
    ],
    "Resource": [
    "arn:aws:s3:::mybucket/public/*"
    ]
    },
    {
    "Sid": "PrivateAllow",
    "Effect": "Allow",
    "Principal": "*",
    "Action": [
    "s3:GetObject"
    ],
    "Resource": [
    "arn:aws:s3:::mybucket/private/*"
    ],
    "Condition": {
    "IpAddress": {
    "aws:SourceIp": [
    "1.2.3.4/32"
    ]
    }
    }
    }
    ]
    }

    Use a JSON Validator to confirm a valid syntax; replace the IP address and object paths to match your own setup.

     

    5. Activate the bucket policy on the new bucket:

    % aws \
    --endpoint https://core.fuga.cloud:8080 \
    --region '' \
    s3api put-bucket-policy --bucket mybucket --policy file://policy.json

    Objects will be available at URLs with syntax:

    https://core.fuga.cloud:8080/<your project id>:<your bucket name>/<object key>

     

    6. Access the objects within your browser or from the terminal with either the curl or wget command, replace your Project ID:

    $ curl https://core.fuga.cloud:8080/<your project id>:mybucket/public/date.txt
    Mon Apr 26 11:07:26 UTC 2021

    $ curl https://core.fuga.cloud:8080/<your project id>:mybucket/private/date.txt
    Mon Apr 26 11:07:26 UTC 2021


    The object with key public/date.txt should be accessible from anywhere and the object with key private/date.txt should only be accessible from the IP address configured in the bucket policy. 


    Bucket Policies are very powerful and very versatile. This is just one simple example showing one of the Bucket Policy features.