Give a developer or script access to one Object Storage bucket only
I have enabled Object Storage and created several buckets. I have someone helping me create a script that accesses a particular bucket. How do I give that person and script access to this bucket only and not the others?
Rather than granting access, you would be looking to restrict access to achieve this. There are a few ways to restrict access to Object Storage buckets, including editing bucket permissions between user accounts, using Nginx as a reverse proxy to restrict endpoints, and/or IP approval and denial.
If you're able to create buckets from different customer accounts, you could use Access Control Lists (ACLs) and/or bucket policies to specify which users have access to the buckets. This utilizes the canonical ID of each user trying to gain access:
If you want to go the Nginx route, there's some really good documentation here about how to use both Nginx and Oauth2 proxy to set up a reverse proxy that restricts different S3/Object Storage URLs/endpoints:
In that article, there is a lot of editing done to configuration files, so that would need to be built into your script.
If you'd like to go the IP approval/denial route (which might be best for scripting purposes), you would create a policy to deny actions coming from outside a specific IP range. This can be done using the aws:SourceIp condition key as referenced in this AWS article:
Of note: Our team tested this method on our platform and made sure it was compatible.
Hopefully this gives you some things to try!
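As an added illustration (not part of the answer above or of any vendor's documentation), the following Python builds a bucket policy that combines the two ideas from the answer: an Allow scoped to one bucket for one canonical user, plus a Deny outside an approved IP range via aws:SourceIp. The bucket name, canonical ID and CIDR are placeholders; the CanonicalUser principal form is the AWS one and the exact principal syntax accepted by a given S3-compatible platform should be checked against its docs.

```python
"""Build and sanity-check an S3-style bucket policy that lets one user reach one bucket only."""
import ipaddress
import json


def build_bucket_policy(bucket, canonical_id, allowed_cidrs):
    """Return a policy dict: the named user may list/read/write this bucket, but only from allowed_cidrs.

    canonical_id and allowed_cidrs are placeholders supplied by the caller.
    Note: the Deny statement applies to *every* principal, the bucket owner included,
    so the owner's own address range must be in allowed_cidrs or the owner is locked out too.
    """
    for cidr in allowed_cidrs:
        ipaddress.ip_network(cidr)  # fail early on a malformed range instead of shipping a broken policy
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowHelperOnThisBucketOnly",
                "Effect": "Allow",
                "Principal": {"CanonicalUser": canonical_id},
                "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
            },
            {
                "Sid": "DenyOutsideApprovedRange",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)}},
            },
        ],
    }


def resources_outside_bucket(policy, bucket):
    """Return every Resource entry that does not point at `bucket` (empty means the policy is scoped correctly)."""
    prefix = f"arn:aws:s3:::{bucket}"
    bad = []
    for stmt in policy["Statement"]:
        res = stmt["Resource"]
        for r in ([res] if isinstance(res, str) else res):
            if r != prefix and not r.startswith(prefix + "/"):
                bad.append(r)
    return bad


if __name__ == "__main__":
    # Constructed sample values; replace with the real bucket, canonical ID and approved range.
    policy = build_bucket_policy("my-script-bucket", "EXAMPLE_CANONICAL_ID", ["203.0.113.0/24"])
    assert not resources_outside_bucket(policy, "my-script-bucket")
    print(json.dumps(policy, indent=2))  # apply with your S3 client's put-bucket-policy / setpolicy command
```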