# Applying Limitations with Bucket Policies

We support a subset of the Amazon S3 bucket policy language, applied to buckets.

## Policy Creation and Removal

Bucket policies are managed through standard S3 operations.

For example, the following policy grants a single user permission to read objects inside the bucket `pankimages`:

```json
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam:::user/4fe084dd-8531-4087-bc89-91cca2c9ea8d:Access"]},
        "Action": "s3:GetObject",
        "Resource": [
            "arn:aws:s3:::pankimages/*"
        ]
    }]
}
```

## Limitations

Currently, we support only the following actions:

* s3:AbortMultipartUpload
* s3:CreateBucket
* s3:DeleteBucketPolicy
* s3:DeleteBucket
* s3:DeleteBucketWebsite
* s3:DeleteObject
* s3:DeleteObjectVersion
* s3:DeleteReplicationConfiguration
* s3:GetAccelerateConfiguration
* s3:GetBucketAcl
* s3:GetBucketCORS
* s3:GetBucketLocation
* s3:GetBucketLogging
* s3:GetBucketNotification
* s3:GetBucketPolicy
* s3:GetBucketRequestPayment
* s3:GetBucketTagging
* s3:GetBucketVersioning
* s3:GetBucketWebsite
* s3:GetLifecycleConfiguration
* s3:GetObjectAcl
* s3:GetObject
* s3:GetObjectTorrent
* s3:GetObjectVersionAcl
* s3:GetObjectVersion
* s3:GetObjectVersionTorrent
* s3:GetReplicationConfiguration
* s3:IPAddress
* s3:NotIpAddress
* s3:ListAllMyBuckets
* s3:ListBucketMultipartUploads
* s3:ListBucket
* s3:ListBucketVersions
* s3:ListMultipartUploadParts
* s3:PutAccelerateConfiguration
* s3:PutBucketAcl
* s3:PutBucketCORS
* s3:PutBucketLogging
* s3:PutBucketNotification
* s3:PutBucketPolicy
* s3:PutBucketRequestPayment
* s3:PutBucketTagging
* s3:PutBucketVersioning
* s3:PutBucketWebsite
* s3:PutLifecycleConfiguration
* s3:PutObjectAcl
* s3:PutObject
* s3:PutObjectVersionAcl
* s3:PutReplicationConfiguration
* s3:RestoreObject

Instead of the Amazon twelve-digit account ID, we use the RGW 'tenant' identifier. In the future it may be possible to assign an account ID to a tenant, but for now, if you want to use policies between AWS S3 and RGW S3, you must use the Amazon account ID as the tenant ID.

In AWS, all tenants share a single namespace. RGW gives each tenant its own namespace for buckets. A future release may offer the option of a 'flat' bucket namespace like the one in AWS. Currently, to reach a bucket owned by a different tenant, refer to it as "tenant:bucket" in the S3 request.

In AWS, a bucket policy can grant access to a different account, and that account can then grant access to specific users by assigning user permissions. Since user, role, and group permissions are not yet supported, account owners must currently grant access to individual users directly. Granting bucket access to an entire account gives access to every user in that account.

String interpolation is not currently supported by bucket policies.

The condition keys we support for all requests are:

* aws:CurrentTime
* aws:EpochTime
* aws:PrincipalType
* aws:Referer
* aws:SecureTransport
* aws:SourceIp
* aws:UserAgent
* aws:username

We also support specific s3 condition keys for bucket and object requests. The bucket-related and object-related operations below list the condition keys accepted for each permission.

### Bucket Related Operations

| Permission | Condition Keys |
| --- | --- |
| s3:createBucket | `s3:x-amz-acl`, `s3:x-amz-grant-<perm>` where perm is one of read/write/read-acp/write-acp/full-control |
| s3:ListBucket & s3:ListBucketVersions | `s3:prefix`, `s3:delimiter`, `s3:max-keys` |
| s3:PutBucketAcl | `s3:x-amz-acl`, `s3:x-amz-grant-<perm>` |

### Object Related Operations

| Permission | Condition Keys | Comments |
| --- | --- | --- |
| s3:PutObject | `s3:x-amz-acl` & `s3:x-amz-grant-<perm>`, `s3:x-amz-copy-source`, `s3:x-amz-server-side-encryption`, `s3:x-amz-server-side-encryption-aws-kms-key-id`, `s3:x-amz-metadata-directive`, `s3:RequestObjectTag/<tag-key>` | `s3:x-amz-metadata-directive`: PUT & COPY to overwrite/preserve metadata in COPY requests |
| s3:PutObjectAcl & s3:PutObjectVersionAcl | `s3:x-amz-acl` & `s3:x-amz-grant-<perm>`, `s3:ExistingObjectTag/<tag-key>` | |
| s3:PutObjectTagging & s3:PutObjectVersionTagging | `s3:RequestObjectTag/<tag-key>`, `s3:ExistingObjectTag/<tag-key>` | |
| s3:GetObject & s3:GetObjectVersion | `s3:ExistingObjectTag/<tag-key>` | |
| s3:GetObjectAcl & s3:GetObjectVersionAcl | `s3:ExistingObjectTag/<tag-key>` | |
| s3:GetObjectTagging & s3:GetObjectVersionTagging | `s3:ExistingObjectTag/<tag-key>` | |
| s3:DeleteObjectTagging & s3:DeleteObjectVersionTagging | `s3:ExistingObjectTag/<tag-key>` | |
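The action list, the global condition keys and the two tables above together define what a policy for this service may contain, and a policy that steps outside that subset (an unsupported action, an unsupported condition key, a `${...}` variable that is never interpolated) silently fails to restrict what the author intended. The following Python linter is an added example, not code from the documentation or the project: it transcribes the supported actions and condition keys from this page and reports unsupported actions, unsupported or mis-scoped condition keys, string interpolation, anonymous `*` principals and tenant-wide principals (which, as noted above, admit every user in the tenant). The two sample policies are constructed; the tenant `exampletenant`, the user `reader`, the bucket `reports` and the `:root` principal form are placeholders, and the rule that a principal without a `:user/` component is tenant-wide is this example's own heuristic.

```python
"""Linter for bucket policies against the subset documented on this page. Added example, not
code from the documentation or the project: the action and condition-key lists are transcribed
from the page; the sample policies at the bottom are constructed with placeholder names."""
import json

# Actions the page lists as supported; IAM action names are case-insensitive, so compare lower-cased.
SUPPORTED_ACTIONS = {a.lower() for a in (
    "s3:AbortMultipartUpload s3:CreateBucket s3:DeleteBucketPolicy s3:DeleteBucket s3:DeleteBucketWebsite "
    "s3:DeleteObject s3:DeleteObjectVersion s3:DeleteReplicationConfiguration s3:GetAccelerateConfiguration "
    "s3:GetBucketAcl s3:GetBucketCORS s3:GetBucketLocation s3:GetBucketLogging s3:GetBucketNotification "
    "s3:GetBucketPolicy s3:GetBucketRequestPayment s3:GetBucketTagging s3:GetBucketVersioning "
    "s3:GetBucketWebsite s3:GetLifecycleConfiguration s3:GetObjectAcl s3:GetObject s3:GetObjectTorrent "
    "s3:GetObjectVersionAcl s3:GetObjectVersion s3:GetObjectVersionTorrent s3:GetReplicationConfiguration "
    "s3:IPAddress s3:NotIpAddress s3:ListAllMyBuckets s3:ListBucketMultipartUploads s3:ListBucket "
    "s3:ListBucketVersions s3:ListMultipartUploadParts s3:PutAccelerateConfiguration s3:PutBucketAcl "
    "s3:PutBucketCORS s3:PutBucketLogging s3:PutBucketNotification s3:PutBucketPolicy "
    "s3:PutBucketRequestPayment s3:PutBucketTagging s3:PutBucketVersioning s3:PutBucketWebsite "
    "s3:PutLifecycleConfiguration s3:PutObjectAcl s3:PutObject s3:PutObjectVersionAcl "
    "s3:PutReplicationConfiguration s3:RestoreObject").split()}

# Global condition keys the page says are honoured on every request.
GLOBAL_CONDITION_KEYS = {"aws:CurrentTime", "aws:EpochTime", "aws:PrincipalType", "aws:Referer",
                         "aws:SecureTransport", "aws:SourceIp", "aws:UserAgent", "aws:username"}

# s3:* condition keys per action, from the two tables above (action names lower-cased). An entry
# ending in "-" or "/" is a prefix: s3:x-amz-grant-<perm>, s3:ExistingObjectTag/<tag-key>, ...
_ACL, _TAG, _REQ = {"s3:x-amz-acl", "s3:x-amz-grant-"}, {"s3:ExistingObjectTag/"}, {"s3:RequestObjectTag/"}
_LIST = {"s3:prefix", "s3:delimiter", "s3:max-keys"}
ACTION_CONDITION_KEYS = {
    "s3:createbucket": _ACL, "s3:putbucketacl": _ACL,
    "s3:listbucket": _LIST, "s3:listbucketversions": _LIST,
    "s3:putobject": _ACL | _REQ | {"s3:x-amz-copy-source", "s3:x-amz-server-side-encryption",
                                   "s3:x-amz-server-side-encryption-aws-kms-key-id", "s3:x-amz-metadata-directive"},
    "s3:putobjectacl": _ACL | _TAG, "s3:putobjectversionacl": _ACL | _TAG,
    "s3:putobjecttagging": _REQ | _TAG, "s3:putobjectversiontagging": _REQ | _TAG,
    "s3:getobject": _TAG, "s3:getobjectversion": _TAG,
    "s3:getobjectacl": _TAG, "s3:getobjectversionacl": _TAG,
    "s3:getobjecttagging": _TAG, "s3:getobjectversiontagging": _TAG,
    "s3:deleteobjecttagging": _TAG, "s3:deleteobjectversiontagging": _TAG,
}

def _as_list(value):  # policy elements may be a scalar or a list
    return [] if value is None else value if isinstance(value, list) else [value]

def _principals(principal):  # flatten '*' or {"AWS": [...]} into ARN strings
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in _as_list(v)]
    return _as_list(principal)

def _key_permitted(key, allowed):
    return key in allowed or any(key.startswith(a) for a in allowed if a[-1] in "-/")

def lint_policy(policy_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for index, stmt in enumerate(_as_list(json.loads(policy_text).get("Statement"))):
        sid = stmt.get("Sid", f"statement[{index}]")
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        for action in actions:
            if action not in SUPPORTED_ACTIONS:
                findings.append(f"{sid}: action {action} is outside the supported action set")
        # String interpolation is unsupported, so a ${...} variable never expands.
        for res in _as_list(stmt.get("Resource")):
            if "${" in res:
                findings.append(f"{sid}: resource {res} uses unsupported string interpolation")
        # Exposure checks for Allow statements: '*' is anonymous access; a principal without a
        # ':user/' component (heuristic) is treated as tenant-wide, admitting every user in the tenant.
        if stmt.get("Effect") == "Allow":
            for p in _principals(stmt.get("Principal")):
                if p == "*":
                    findings.append(f"{sid}: Allow to principal '*' grants anonymous access")
                elif ":user/" not in p:
                    findings.append(f"{sid}: principal {p} is tenant-wide, so every user in the tenant is granted access")
        # Condition keys: aws:* must be in the global list, s3:* must fit one of the statement's actions.
        allowed = set().union(*(ACTION_CONDITION_KEYS.get(a, set()) for a in actions))
        for pairs in stmt.get("Condition", {}).values():
            for key, value in pairs.items():
                if any("${" in str(v) for v in _as_list(value)):
                    findings.append(f"{sid}: condition {key} uses unsupported string interpolation")
                if key.startswith("aws:") and key not in GLOBAL_CONDITION_KEYS:
                    findings.append(f"{sid}: global condition key {key} is not supported")
                elif key.startswith("s3:") and not _key_permitted(key, allowed):
                    findings.append(f"{sid}: condition key {key} is not supported for {', '.join(actions)}")
                elif not key.startswith(("aws:", "s3:")):
                    findings.append(f"{sid}: unknown condition key {key}")
    return findings

# Constructed sample policies with placeholder names: the first stays inside the documented subset
# (source-IP and TLS conditions plus a list prefix); the second trips one check per limitation.
CLEAN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "ReadFromOfficeOverTLS", "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::exampletenant:user/reader"]},
    "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"],
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}, "Bool": {"aws:SecureTransport": "true"},
                  "StringLike": {"s3:prefix": "public/*"}}}]})
FLAWED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "TooBroad", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::exampletenant:root"},
    "Action": "s3:PutObjectTagging", "Resource": "arn:aws:s3:::reports/${aws:username}/*",
    "Condition": {"StringEquals": {"s3:x-amz-acl": "private", "aws:MultiFactorAuthPresent": "true"}}}]})

if __name__ == "__main__":
    print("\n".join(lint_policy(FLAWED_POLICY)))
```

Run the linter over a policy document before submitting it with `PutBucketPolicy`; an empty result means the policy only uses actions and condition keys this page lists, and that no Allow statement reaches further than a named user. Note that `s3:PutObjectTagging` appears in the condition-key table but not in the supported-action list above, so the linter reports it as unsupported, which is exactly the kind of inconsistency worth confirming against the service before relying on such a statement.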

Additional support may be available in the near future as we merge with the recently revamped Authentication/Authorization subsystem.

