Skip to main content
Gcore Object Storage access control uses two mechanisms: ACLs for object and bucket-level permissions, and JSON policies for more granular rules. Both are configured through AWS CLI or S3cmd.

ACLs

ACLs (Access Control Lists) define who can access objects and what operations they can perform. They protect stored data by controlling read, write, and delete permissions at the object and bucket level.
The storage owner configures ACLs using AWS CLI or S3cmd commands.
The following ACL flags are available for AWS CLI (aws s3api put-object-acl or put-bucket-acl) and S3cmd (s3cmd setacl):
AWS CLIS3cmdDescription
—public-read—acl-publicMaking an object publicly accessible
—private—acl-privateMaking an object private
—grant-full-control—acl-grant=full-controlGranting full control over the bucket
—grant-read—acl-grant=readAllowing the listing of objects in the bucket
—grant-read-acp—acl-grant=read_acpAllowing the reading of ACLs
—grant-write—acl-grant=writeAllowing recording, overwriting, and deleting of objects

Policies

Policies are JSON documents that define access rules at a granular level — specifying which actions a user or all users can perform on objects and buckets. The maximum policy size is 20 KB.
The storage owner configures policies. The AWS reference lists all supported S3 actions, conditions, and resource types.

Configure access via ACLs and policies

All commands use AWS CLI and S3cmd interchangeably — choose whichever is already configured on the system. In all commands and JSON files, replace the following placeholders:
  • sample.jpg — the object name.
  • my_bucket — the bucket name.
  • s-ed1.cloud.gcore.lu — the storage hostname from the Details dialog; the service URLs reference lists all location endpoints.

Public object access via ACL

To allow all users to download an object, apply the public-read ACL (--acl public-read in AWS CLI or --acl-public in S3cmd). AWS CLI:
aws s3api put-object-acl --bucket my_bucket --key sample.jpg --acl public-read --endpoint-url=https://s-ed1.cloud.gcore.lu
S3cmd:
s3cmd setacl s3://my_bucket/sample.jpg --acl-public
The specified object becomes publicly accessible to all users.

Bucket listing via ACL

To allow all users to list objects in a bucket, apply the public-read ACL to the bucket. AWS CLI:
aws s3api put-bucket-acl --bucket my_bucket --acl public-read --endpoint-url=https://s-ed1.cloud.gcore.lu
S3cmd:
s3cmd setacl s3://my_bucket/ --acl-grant=read
Users can list objects in the bucket but cannot read or write individual objects without additional object-level ACLs.

Public object access via policy

1

Create the policy file

Create a JSON file with the following policy:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my_bucket/*"
    }
  ]
}
2

Apply the policy

Apply the policy to the bucket.AWS CLI:
aws s3api put-bucket-policy --policy file://policy.json --endpoint-url=https://s-ed1.cloud.gcore.lu --bucket my_bucket
S3cmd:
s3cmd setpolicy policy.json s3://my_bucket/
All objects in the bucket become publicly accessible for download.
This policy grants direct file access but does not allow listing the files in the bucket.

Directory access denial via policy

1

Create the policy file

Create a JSON file that allows public read on the bucket but denies access to the secret/ directory:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my_bucket/*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my_bucket/secret/*"
    }
  ]
}
2

Apply the policy

Apply the policy to the bucket.AWS CLI:
aws s3api put-bucket-policy --policy file://policy.json --endpoint-url=https://s-ed1.cloud.gcore.lu --bucket my_bucket
S3cmd:
s3cmd setpolicy policy.json s3://my_bucket/

IP-based access via policy

1

Create the policy file

Create a JSON file that restricts access to a specific IP address or CIDR range. Replace 10.0.0.0/24 with the actual IP or range:
{
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my_bucket",
        "arn:aws:s3:::my_bucket/*"
      ],
      "Condition": {
        "IpAddress": {"aws:SourceIp": "10.0.0.0/24"}
      }
    }
  ]
}
2

Apply the policy

Apply the policy to the bucket.AWS CLI:
aws s3api put-bucket-policy --policy file://policy.json --endpoint-url=https://s-ed1.cloud.gcore.lu --bucket my_bucket
S3cmd:
s3cmd setpolicy policy.json s3://my_bucket/

Referrer-based access via policy

1

Create the policy file

Create a JSON file that restricts access to requests originating from specific websites. Replace http://www.example.com/ and http://example.com/ with the actual URLs:
{
  "Statement": [
    {
      "Sid": "Allow get requests originating from www.example.com and example.com.",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": "arn:aws:s3:::my_bucket/*",
      "Condition": {
        "StringLike": {"aws:Referer": ["http://www.example.com/*", "http://example.com/*"]}
      }
    }
  ]
}
2

Apply the policy

Apply the policy to the bucket.AWS CLI:
aws s3api put-bucket-policy --policy file://policy.json --endpoint-url=https://s-ed1.cloud.gcore.lu --bucket my_bucket
S3cmd:
s3cmd setpolicy policy.json s3://my_bucket/

User access grant via policy

1

Create the policy file

Create a JSON file that grants a specific user read and list access. Replace 1234-test with the storage username from the Details dialog:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam:::user/1234-test"]
      },
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::my_bucket/*", "arn:aws:s3:::my_bucket"]
    }
  ]
}
2

Apply the policy

Apply the policy to the bucket.AWS CLI:
aws s3api put-bucket-policy --policy file://policy.json --endpoint-url=https://s-ed1.cloud.gcore.lu --bucket my_bucket
S3cmd:
s3cmd setpolicy policy.json s3://my_bucket/