IONOS Cloud S3 Bucket Policy configuration
When creating a new S3 bucket in IONOS Cloud, you can choose between a user-owned and a contract-owned bucket. What's the difference?
- Contract-owned bucket:
  - Preferred option for users within a single organization.
  - Every contract user can see the list of contract-owned buckets.
  - Only the contract owner or admins can grant access to view or manage these buckets.
- User-owned bucket:
  - Your bucket list is not accessible to other contract users.
  - You can grant others permission to manage your buckets.
  - Others must use third-party applications to access buckets.
IONOS Cloud recommends using the newer contract-owned bucket type, which leverages the latest S3 infrastructure.
Here's the catch: although every contract user can see a contract-owned bucket in their bucket list, they cannot read or write its contents unless they have been explicitly authorized.
To grant access, you can use a Bucket Policy, which allows you to control user permissions and ensure secure data management.
A Bucket Policy is written in a JSON-based access policy language (the same syntax as AWS S3 bucket policies) that lets you define fine-grained permissions for your Object Storage buckets. A policy granting one user full control over a bucket looks like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Grant Full Control",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam:::user/25343991:2ce8c123-cfd2-4827-9df1-c7ab82c45611"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}
To grant access to your bucket, you'll need to specify the ARN of the user in the Principal section of the Bucket Policy. But where can you find this ARN?
To locate the ARN for a specific user, follow these steps:
- Open the User Manager and select the user you want to grant access to.
- Navigate to the Object Storage tab and click on the Object storage link.
- A popup window will appear, displaying the user's Contract User ID, which is the identifier you place in the Principal section of the Bucket Policy. This ID is generated automatically the first time an object storage key is created for the user, so if the popup does not show one, create an object storage key for that user first.
Additionally, you have to configure which bucket the user should have access to. In the Resource section of the Bucket Policy, replace my-bucket with the actual name of the bucket you created, in both entries: arn:aws:s3:::my-bucket covers bucket-level operations such as listing its contents, while arn:aws:s3:::my-bucket/* covers the objects inside it. If either entry is missing, the corresponding operations are denied even though the user is named as Principal.
Once you have pasted the Bucket Policy into the Bucket Policy editor of the S3 bucket, the change is applied immediately. Before granting s3:* as in the example above, consider whether the user really needs full control: s3:* also lets the grantee modify or delete the Bucket Policy itself, so a narrower action list such as s3:ListBucket and s3:GetObject is the safer choice for users who only need to read data.
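The procedure above (look up the user's ID, build the Principal ARN, point both Resource entries at the right bucket, paste the policy) is easy to get subtly wrong, so here is a small helper that assembles a policy and lints it before it is applied. This is an added example, not code from IONOS or from the original page. It assumes the Principal format shown on the page (arn:aws:iam:::user/<contract number>:<contract user ID>), the lint rules are my own, and the optional apply_policy function assumes boto3 plus an S3-compatible endpoint URL for the bucket's region (the example URL in its docstring is an assumption).

```python
"""Build, lint and optionally apply an IONOS Cloud S3 bucket policy.

Added example, not IONOS code. The Principal ARN format and the sample values
are taken from the page; the lint rules and the endpoint URL are assumptions.
"""
import json
import re

# Principal format from the page's example: contract number, colon, contract user ID (a UUID).
IONOS_USER_ARN = re.compile(
    r"^arn:aws:iam:::user/\d+:[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$"
)

# Actions that target the bucket itself (Resource arn:aws:s3:::<bucket>) versus the
# objects in it (Resource arn:aws:s3:::<bucket>/*). Only a handful are listed here.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation", "s3:PutBucketPolicy", "s3:DeleteBucket"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}


def user_arn(contract_number, contract_user_id):
    """Assemble the Principal ARN from the two values shown in the User Manager popup."""
    arn = f"arn:aws:iam:::user/{contract_number}:{contract_user_id}"
    if not IONOS_USER_ARN.match(arn):
        raise ValueError(f"not an IONOS contract-user ARN: {arn}")
    return arn


def build_policy(bucket, principals, actions, sid="GrantAccess"):
    """Return a policy dict granting `actions` on `bucket` (and its objects) to `principals`."""
    for arn in principals:
        if not IONOS_USER_ARN.match(arn):
            raise ValueError(f"not an IONOS contract-user ARN: {arn}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Principal": {"AWS": list(principals)},
            "Action": list(actions),
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def check_policy(policy, bucket):
    """Lint a policy before applying it. Returns a list of findings; empty means it looks fine."""
    findings = []
    bucket_arn, object_arn = f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"
    for st in policy.get("Statement", []):
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        grantees = _as_list(aws or [])
        if "*" in grantees:
            findings.append(f"{sid}: Principal '*' makes the bucket public")
        elif any(not IONOS_USER_ARN.match(a) for a in grantees):
            findings.append(f"{sid}: Principal is not an IONOS contract-user ARN")
        actions = set(_as_list(st.get("Action", [])))
        if "s3:*" in actions:
            findings.append(f"{sid}: s3:* lets the grantee rewrite or delete this policy")
        resources = _as_list(st.get("Resource", []))
        for r in resources:
            if r != bucket_arn and not r.startswith(bucket_arn + "/"):
                findings.append(f"{sid}: Resource {r} does not belong to bucket '{bucket}'")
        if actions & BUCKET_ACTIONS and bucket_arn not in resources:
            findings.append(f"{sid}: bucket-level actions need Resource {bucket_arn}")
        if (actions & OBJECT_ACTIONS or "s3:*" in actions) and object_arn not in resources:
            findings.append(f"{sid}: object actions need Resource {object_arn}")
    return findings


def apply_policy(bucket, policy, endpoint_url, access_key, secret_key):
    """Push the policy with boto3 instead of the web editor (assumption: endpoint_url is the
    IONOS S3 endpoint of the bucket's region, e.g. https://s3-eu-central-1.ionoscloud.com)."""
    import boto3  # imported here so the offline checks above work without boto3 installed
    s3 = boto3.client("s3", endpoint_url=endpoint_url,
                      aws_access_key_id=access_key, aws_secret_access_key=secret_key)
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))
    return json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])  # read back what was stored


if __name__ == "__main__":
    bucket = "my-bucket"
    user = user_arn("25343991", "2ce8c123-cfd2-4827-9df1-c7ab82c45611")  # values from the page
    full = build_policy(bucket, [user], ["s3:*"], sid="GrantFullControl")
    read_only = build_policy(bucket, [user], ["s3:ListBucket", "s3:GetObject"], sid="ReadOnly")
    for name, pol in (("full control", full), ("read-only", read_only)):
        print(f"{name}: {check_policy(pol, bucket) or 'no findings'}")
    print(json.dumps(read_only, indent=2))  # paste this into the Bucket Policy editor
```

Running the script prints one finding for the page's s3:* policy (the grantee could change the policy) and none for the read-only variant, then the read-only policy ready to paste. Running check_policy with the wrong bucket name reports every Resource entry that does not match, which is the mistake the "replace my-bucket" step is meant to prevent.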
