Give a developer or script access to one Object Storage bucket only

I have enabled Object Storage and created several buckets. I have someone helping me create a script that accesses a particular bucket. How do I give that person and script access to this bucket only and not the others?

1 Reply

Rather than granting access, you would be looking to restrict access to achieve this. There are a few ways to restrict access to Object Storage buckets, including editing bucket permissions between user accounts, using Nginx as a reverse proxy to restrict endpoints, and/or IP approval and denial.

If you're able to create buckets from different customer accounts, you could use Access Control Lists (ACLs) and/or bucket policies to specify which users have access to the buckets. This utilizes the canonical ID of each user trying to gain access:

Enacting Access Control Lists (ACLs) and Bucket Policies with Linode Object Storage

If you want to go the Nginx route, there's some really good documentation here about how to use both Nginx and Oauth2 proxy to set up a reverse proxy that restricts different S3/Object Storage URLs/endpoints:

Authenticating S3 Proxy

In that article, there is a lot of editing done to configuration files, so that would need to be built into your script.

If you'd like to go the IP approval/denial route (which might be best for scripting purposes), you would create a policy to deny actions coming from outside a specific IP range. This can be done using the aws:SourceIp condition key as referenced in this AWS article:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html

Of note: Our team tested this method on our platform and made sure it was compatible.

Hopefully this gives you some things to try!
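To make the bucket-policy and aws:SourceIp approaches from the reply above concrete, here is an added example (not part of the original thread, not Linode's own code) that builds a policy allowing one canonical user a few actions on a single bucket, denies every request that does not come from an approved IP range, checks that the policy never names any other bucket, and simulates how the policy evaluates a request with the usual deny-overrides rule. The bucket name, canonical ID, CIDR range and endpoint URL are constructed placeholders; the `arn:aws:iam:::user/<canonical-id>` principal format is assumed to match what Linode's Ceph-based Object Storage accepts, and the optional `apply_policy` helper uses boto3's `put_bucket_policy`, which is only reached if you call it.

```python
import ipaddress
import json

# Constructed example values (placeholders, not from the original thread)
BUCKET = "example-bucket"
CANONICAL_ID = "00000000-0000-0000-0000-000000000000"   # the helper's canonical ID
ALLOWED_CIDR = "203.0.113.0/24"                          # RFC 5737 documentation range
ENDPOINT_URL = "https://us-east-1.linodeobjects.com"     # assumed cluster endpoint

SCRIPT_ACTIONS = ["s3:ListBucket", "s3:GetObject", "s3:PutObject"]


def build_bucket_policy(bucket, canonical_id, allowed_cidr):
    """Allow one canonical user limited actions on one bucket; deny all
    traffic from outside allowed_cidr (the aws:SourceIp pattern)."""
    ipaddress.ip_network(allowed_cidr)  # raises ValueError on a malformed range
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowOneUserOnThisBucket",
                "Effect": "Allow",
                # assumed principal format for a canonical ID on Ceph RGW
                "Principal": {"AWS": [f"arn:aws:iam:::user/{canonical_id}"]},
                "Action": SCRIPT_ACTIONS,
                "Resource": resources,
            },
            {
                "Sid": "DenyOutsideApprovedRange",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": resources,
                "Condition": {"NotIpAddress": {"aws:SourceIp": allowed_cidr}},
            },
        ],
    }


def policy_scope_check(policy, bucket):
    """True only if every Resource in the policy refers to `bucket`,
    so a copy-paste mistake cannot widen access to other buckets."""
    wanted = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in policy["Statement"]:
        res = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not set(res) <= wanted:
            return False
    return True


def evaluate(policy, canonical_id, source_ip, action, bucket):
    """Simplified deny-overrides evaluation of the policy for one request.
    Returns True if allowed, False if explicitly or implicitly denied."""
    principal_arn = f"arn:aws:iam:::user/{canonical_id}"
    ip = ipaddress.ip_address(source_ip)
    bucket_arns = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    allowed = False
    for stmt in policy["Statement"]:
        principals = stmt["Principal"]
        if principals != "*" and principal_arn not in principals["AWS"]:
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "s3:*" not in actions and action not in actions:
            continue
        if not bucket_arns & set(stmt["Resource"]):
            continue
        cond = stmt.get("Condition", {})
        if "NotIpAddress" in cond:
            net = ipaddress.ip_network(cond["NotIpAddress"]["aws:SourceIp"])
            if ip in net:
                continue  # condition not met; this statement does not apply
        if stmt["Effect"] == "Deny":
            return False  # an explicit deny always wins
        allowed = True
    return allowed


def apply_policy(policy, bucket, endpoint_url, access_key, secret_key):
    """Push the policy to the bucket with boto3 (assumed helper; needs network
    access and an owner key pair, so it is not called at import time)."""
    import boto3  # imported lazily so the rest of the file runs without it
    s3 = boto3.client("s3", endpoint_url=endpoint_url,
                      aws_access_key_id=access_key, aws_secret_access_key=secret_key)
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, CANONICAL_ID, ALLOWED_CIDR)
    assert policy_scope_check(policy, BUCKET)
    print(json.dumps(policy, indent=2))
    print("in-range get :", evaluate(policy, CANONICAL_ID, "203.0.113.10", "s3:GetObject", BUCKET))
    print("off-range get:", evaluate(policy, CANONICAL_ID, "198.51.100.7", "s3:GetObject", BUCKET))
```

Run it as-is to print the policy and the two simulated decisions; only call `apply_policy` once you have reviewed the printed document and `policy_scope_check` passes. The simulator covers just the constructs used here (a principal list, an action list or `s3:*`, and the `NotIpAddress` condition), which is enough to see why the deny statement must be evaluated even when an allow matched.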
