How to limit bucket access by IP address
Estimated time to read: 2 minutes
The following example uses a bucket policy that denies access to objects under the private/ prefix unless the request originates from a predefined IP address, while objects under the public/ prefix remain readable from anywhere.
Prerequisites:
- aws-cli (install via package manager or use the Docker image amazon/aws-cli)
- EC2/S3 credentials (available at my.fuga.cloud/account/credentials)
- Project ID (available at my.fuga.cloud/account/credentials)
- IP Address in CIDR notation (in this example we will use 1.2.3.4/32)
The Fuga Object Store is S3 compatible and therefore can be managed with the official AWS CLI client.
Make sure you have all the prerequisites and open a new terminal window.
- Set up your environment by setting the required environment variables, then validate that the aws-cli works:
- Create a new bucket:

```shell
$ aws \
    --endpoint https://core.fuga.cloud:8080 \
    --region '' \
    s3api create-bucket --bucket mybucket
```

Or use the dashboard to create a bucket, see
- Upload two objects, each with a different key:

```shell
% date > date.txt
% aws \
    --endpoint https://core.fuga.cloud:8080 \
    --region '' \
    s3api put-object --bucket mybucket --key public/date.txt --body date.txt
% aws \
    --endpoint https://core.fuga.cloud:8080 \
    --region '' \
    s3api put-object --bucket mybucket --key private/date.txt --body date.txt
```

Or use the dashboard to upload your files, see
- Create a file policy.json containing the following S3 bucket policy, with your current IP address in CIDR notation. Use a JSON validator to confirm the syntax is valid, and replace the IP address and object paths to match your own setup:

```json
{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "PublicAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket/public/*"
      ]
    },
    {
      "Sid": "PrivateAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket/private/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "1.2.3.4/32"
          ]
        }
      }
    }
  ]
}
```
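Before activating a policy like the one above, it is worth checking what it actually exposes; the following Python script is an added example, not part of this guide or the Fuga documentation. It reads the policy JSON, lists which resources anonymous requests can read from anywhere and which are gated on aws:SourceIp, and rejects CIDRs that are malformed, have host bits set, or cover more addresses than a threshold, so a slip such as 0.0.0.0/0 is caught before the policy ships. The threshold (a /24 by default) is an assumption of this script, and the embedded policy is a constructed copy of the one above.

```python
import ipaddress
import json

# Constructed sample: the bucket policy from this guide, as JSON text.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Id": "S3PolicyId1", "Statement": [
    {"Sid": "PublicAllow", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::mybucket/public/*"]},
    {"Sid": "PrivateAllow", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::mybucket/private/*"],
     "Condition": {"IpAddress": {"aws:SourceIp": ["1.2.3.4/32"]}}}]})

def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def check_cidr(cidr, max_addresses=256):
    """Return None if cidr is an acceptable restriction, else the reason."""
    # max_addresses is an assumed threshold (a /24); strict parsing rejects host bits set.
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return f"malformed CIDR {cidr!r}: {exc}"
    if net.num_addresses > max_addresses:
        return f"{cidr} covers {net.num_addresses} addresses, too wide"
    return None

def audit_policy(policy_text, max_addresses=256):
    """Classify each anonymous Allow statement as public or IP-restricted."""
    # Only IpAddress/aws:SourceIp is understood; named principals and Deny are skipped.
    report = {"public": [], "ip_restricted": [], "problems": []}
    for stmt in _as_list(json.loads(policy_text).get("Statement", [])):
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") != "Allow" or not anonymous:
            continue
        resources = _as_list(stmt.get("Resource", []))
        cidrs = _as_list(stmt.get("Condition", {})
                         .get("IpAddress", {}).get("aws:SourceIp", []))
        if not cidrs:  # no source-IP condition: readable from anywhere
            report["public"].extend(resources)
            continue
        for cidr in cidrs:
            problem = check_cidr(cidr, max_addresses)
            if problem:
                report["problems"].append(f"{stmt.get('Sid', '?')}: {problem}")
        report["ip_restricted"].extend(resources)
    return report
```

Run it against your own policy.json with `audit_policy(open("policy.json").read())` and treat any entry under "problems", or an unexpected resource under "public", as a reason not to apply the policy yet.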
- Activate the bucket policy on the new bucket:
- Objects will be available at URLs with the syntax:
- Access the objects within your browser or from the terminal with either the curl or wget command; replace your Project ID:
The object with key public/date.txt should be accessible from anywhere and the object with key private/date.txt should only be accessible from the IP address configured in the bucket policy.
Bucket Policies are very powerful and very versatile. This is just one simple example showing one of the Bucket Policy features.