
How to limit bucket access by IP address


The following example denies access to objects unless the request originates from a predefined IP address.

Prerequisites:

The Fuga Object Store is S3 compatible and therefore can be managed with the official AWS CLI client.

Make sure you have all the prerequisites and open a new terminal window.

  1. Set up your environment by exporting the credential environment variables:
    $ export AWS_ACCESS_KEY_ID=<your access id>
    $ export AWS_SECRET_ACCESS_KEY=<your secret key>
    
    Validate the aws-cli works:
    $ aws \
      --endpoint https://core.fuga.cloud:8080 \
      --region '' \
      s3api list-buckets
    
  2. Create a new bucket:

    $ aws \
      --endpoint https://core.fuga.cloud:8080 \
      --region '' \
      s3api create-bucket --bucket mybucket
    
    Or use the dashboard to create a bucket, see

  3. Upload two objects; each with a different key:

    % date > date.txt
    % aws \
      --endpoint https://core.fuga.cloud:8080 \
      --region '' \
      s3api put-object --bucket mybucket --key public/date.txt --body date.txt
    % aws \
      --endpoint https://core.fuga.cloud:8080 \
      --region '' \
      s3api put-object --bucket mybucket --key private/date.txt --body date.txt
    
    Or use the dashboard to upload your files, see

  4. Create a file named policy.json containing the following S3 bucket policy, with your current IP address in CIDR notation:

    {
      "Version": "2012-10-17",
      "Id": "S3PolicyId1",
      "Statement": [
        {
          "Sid": "PublicAllow",
          "Effect": "Allow",
          "Principal": "*",
          "Action": [
            "s3:GetObject"
          ],
          "Resource": [
            "arn:aws:s3:::mybucket/public/*"
          ]
        },
        {
          "Sid": "PrivateAllow",
          "Effect": "Allow",
          "Principal": "*",
          "Action": [
            "s3:GetObject"
          ],
          "Resource": [
            "arn:aws:s3:::mybucket/private/*"
          ],
          "Condition": {
            "IpAddress": {
              "aws:SourceIp": [
                "1.2.3.4/32"
              ]
            }
          }
        }
      ]
    }
    
    Use a JSON validator to confirm that the syntax is valid, and replace the IP address and object paths to match your own setup.

  5. Activate the bucket policy on the new bucket:

    % aws \
      --endpoint https://core.fuga.cloud:8080 \
      --region '' \
      s3api put-bucket-policy --bucket mybucket --policy file://policy.json
    
    Objects will be available at URLs with the following syntax:
    https://core.fuga.cloud:8080/<your project id>:<your bucket name>/<object key>
    

  6. Access the objects from your browser, or from the terminal with curl or wget, substituting your project ID:

    $ curl https://core.fuga.cloud:8080/<your project id>:mybucket/public/date.txt
    Mon Apr 26 11:07:26 UTC 2021
    
    $ curl https://core.fuga.cloud:8080/<your project id>:mybucket/private/date.txt
    Mon Apr 26 11:07:26 UTC 2021
    

The object with key public/date.txt should be accessible from anywhere and the object with key private/date.txt should only be accessible from the IP address configured in the bucket policy.
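Before activating a policy it is worth being able to predict what it will do for a given request. The following script is an added example, not part of the Fuga documentation or the AWS CLI: it loads a copy of the policy from step 4 and evaluates it locally for a (action, object key, source IP) triple using the standard IAM decision rule, where an explicit Deny always wins, a matching Allow grants access, and no matching statement means an implicit Deny. It supports the IpAddress operator the policy uses and, going slightly beyond the page, the NotIpAddress operator and Deny statements, so that variants of the policy can be checked the same way. The bucket name, the placeholder 1.2.3.4/32 address and the sample source addresses (203.0.113.9, 2001:db8::1) are taken from the page or constructed for the demonstration.

```python
import ipaddress
import json
import re

# Constructed copy of the bucket policy from step 4; 1.2.3.4/32 is the page's placeholder.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {"Sid": "PublicAllow", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::mybucket/public/*"]},
    {"Sid": "PrivateAllow", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::mybucket/private/*"],
     "Condition": {"IpAddress": {"aws:SourceIp": ["1.2.3.4/32"]}}}
  ]
}
"""

BUCKET_ARN = "arn:aws:s3:::mybucket"


def load_policy():
    """Parse the embedded policy document into a dict."""
    return json.loads(POLICY_JSON)


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    """Match an IAM-style pattern where '*' is any run of characters and '?' one character."""
    regex = ".*".join(re.escape(part).replace(r"\?", ".") for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _principal_matches(stmt_principal, principal):
    """'*' (or {"AWS": "*"}) matches every caller, including anonymous requests."""
    if stmt_principal == "*" or stmt_principal == {"AWS": "*"}:
        return True
    return stmt_principal == principal


def _condition_matches(condition, source_ip):
    """Evaluate IpAddress / NotIpAddress conditions on aws:SourceIp against the request address.
    An address of a different IP version than a CIDR never falls inside it, so an IPv6 client
    does not match an IPv4-only allow list."""
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"unsupported condition operator: {operator}")
        if set(keys) != {"aws:SourceIp"}:
            raise ValueError(f"unsupported condition keys: {sorted(keys)}")
        cidrs = _as_list(keys["aws:SourceIp"])
        in_any = any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)
        if operator == "IpAddress" and not in_any:
            return False
        if operator == "NotIpAddress" and in_any:
            return False
    return True


def _statement_applies(stmt, action, resource_arn, source_ip, principal):
    """A statement applies when principal, action, resource and condition all match."""
    return (
        _principal_matches(stmt["Principal"], principal)
        and any(_wildcard_match(a, action) for a in _as_list(stmt["Action"]))
        and any(_wildcard_match(r, resource_arn) for r in _as_list(stmt["Resource"]))
        and _condition_matches(stmt.get("Condition", {}), source_ip)
    )


def evaluate(policy, action, resource_arn, source_ip, principal="*"):
    """Return 'Allow' or 'Deny': explicit Deny beats Allow; no match is an implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource_arn, source_ip, principal):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def check_get(key, source_ip):
    """Decision for an anonymous GET of an object key in mybucket from the given address."""
    return evaluate(load_policy(), "s3:GetObject", f"{BUCKET_ARN}/{key}", source_ip)


if __name__ == "__main__":
    for key, ip in [("public/date.txt", "203.0.113.9"), ("private/date.txt", "203.0.113.9"),
                    ("private/date.txt", "1.2.3.4"), ("private/date.txt", "2001:db8::1")]:
        print(f"GET {key} from {ip}: {check_get(key, ip)}")
```

Run it after editing policy.json to see, before the policy is live, that public/date.txt is allowed from any address while private/date.txt is allowed only from the configured CIDR and that any other action (for example s3:PutObject) stays denied because no statement grants it. The evaluator deliberately raises on condition operators and keys it does not understand rather than silently treating them as matched.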

Bucket policies are very powerful and versatile; this is just one simple example of what they can do.