{"id":22226,"date":"2024-09-23T15:46:24","date_gmt":"2024-09-23T13:46:24","guid":{"rendered":"https:\/\/contabo.com\/blog\/kb\/103000282920-can-i-restrict-users-to-specific-buckets-in-contabo-s-object-storage\/"},"modified":"2025-04-10T18:05:19","modified_gmt":"2025-04-10T16:05:19","slug":"103000282920-can-i-restrict-users-to-specific-buckets-in-contabo-s-object-storage","status":"publish","type":"kb","link":"https:\/\/contabo.com\/blog\/kb\/103000282920-can-i-restrict-users-to-specific-buckets-in-contabo-s-object-storage\/","title":{"rendered":"Can I Restrict Users to Specific Buckets in Contabo’s Object Storage?"},"content":{"rendered":"

Can I restrict users to specific buckets in Contabo’s Object Storage?<\/strong><\/h4>\n

You can restrict users to specific buckets to allow a specific user to use one bucket while another bucket should only be accessible to another user.<\/p>\n

The following describes how to allow access to buckets to a limited number of users.<\/p>\n


<\/p>\n

The following assumes that aws cli is installed and properly configured and that you have access to Contabo’s Object Storage Panel<\/a><\/u> to create users.<\/p>\n


<\/p>\n

How do I restrict users to specific buckets in Contabo’s Object Storage?<\/strong><\/h4>\n

You need to set up a bucket policy. A bucket policy allows or denies access to buckets in the form of specific actions, and is used to control which users have what access to a bucket.<\/p>\n


<\/p>\n

Below is an example of how to set this up:<\/p>\n

    \n
  1. This step denies user [email protected]<\/a> any action on any resource in bucket-for-user-1.\n

    With the given data, we can create a policy for bucket-for-user-1 and store it in the file bucket-for-user-1-policy.json with the following content<\/p>\n

    {
    \"Version\": \"2012-10-17\",
    \"Statement\": [
    {
    \"Action\": \"*\",
    \"Effect\": \"Deny\",
    \"Resource\": \"*\",
    \"Principal\": {
    \"AWS\": [
    \"arn:aws:iam::5c37e60c3ee04f1eb116c436b1afadca:user\/12345:3368c22e-08da-446f-a470-1928e58457a2\"
    ]
    }
    }
    ]
    }<\/pre>\n
    Please note that in here s3TenantId=5c37e60c3ee04f1eb116c436b1afadca, customerId=12345 and userId=3368c22e-08da-446f-a470-1928e58457a2. Thus the format is arn:aws:iam::<s3TenantId>:user\/<customerId>:<userId>. To apply it, please run the following API:

    <\/p>\n
    aws --profile eu2 --endpoint-url https:\/\/eu2.contabostorage.com s3api put-bucket-policy --bucket bucket-for-user-1 --policy file:\/\/bucket-for-user-1-policy.json<\/pre>\n<\/li>\n
  2. This step denies any action on any resource in bucket-for-user-2 for the user [email protected]<\/a>.

    \n
    {
    \"Version\": \"2012-10-17\",
    \"Statement\": [
    {
    \"Action\": \"*\",
    \"Effect\": \"Deny\",
    \"Resource\": \"*\",
    \"Principal\": {
    \"AWS\": [
    \"arn:aws:iam::5c37e60c3ee04f1eb116c436b1afadca:user\/12345:6299cbdd-ef72-486b-b088-c34181fc20f1\"
    ]
    }
    }
    ]
    }<\/pre>\n<\/li>\n
  3. Please note that in here s3TenantId=5c37e60c3ee04f1eb116c436b1afadca, customerId=12345 and userId=6299cbdd-ef72-486b-b088-c34181fc20f1, so the format is arn:aws:iam::<s3TenantId>:user\/<customerId>:<userId>. To apply it, please run the following API:

    \n
    aws --profile eu2 --endpoint-url https:\/\/eu2.contabostorage.com s3api put-bucket-policy --bucket bucket-for-user-2 --policy file:\/\/bucket-for-user-2-policy.json<\/pre>\n<\/li>\n<\/ol>\n
    The example above is based on two buckets:<\/p>\n