> ## Documentation Index
> Fetch the complete documentation index at: https://docs.gcore.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure access control on S3 storage with AWS CLI and S3cmd

Gcore Object Storage access control uses two mechanisms: ACLs for object and bucket-level permissions, and JSON policies for more granular rules. Both are configured through AWS CLI or S3cmd.

## ACLs

ACLs (Access Control Lists) define who can access objects and what operations they can perform. They protect stored data by controlling read, write, and delete permissions at the object and bucket level.

<Info>
  The storage owner configures ACLs using [AWS CLI](https://docs.aws.amazon.com/cli/latest/reference/s3api/index.html#cli-aws-s3api) or [S3cmd](https://s3tools.org/usage) commands.
</Info>

The following ACL flags are available for AWS CLI (`aws s3api put-object-acl` or `put-bucket-acl`) and S3cmd (`s3cmd setacl`):

| AWS CLI              | S3cmd                    | Description                                              |
| -------------------- | ------------------------ | -------------------------------------------------------- |
| --public-read        | --acl-public             | Making an object publicly accessible                     |
| --private            | --acl-private            | Making an object private                                 |
| --grant-full-control | --acl-grant=full-control | Granting full control over the bucket                    |
| --grant-read         | --acl-grant=read         | Allowing the listing of objects in the bucket            |
| --grant-read-acp     | --acl-grant=read\_acp    | Allowing the reading of ACLs                             |
| --grant-write        | --acl-grant=write        | Allowing recording, overwriting, and deleting of objects |

## Policies

Policies are JSON documents that define access rules at a granular level — specifying which actions a user or all users can perform on objects and buckets. The maximum policy size is 20 KB.

<Note>The storage owner configures policies. The [AWS reference](https://docs.aws.amazon.com/AmazonS3/latest/userguide/list_amazons3.html) lists all supported S3 actions, conditions, and resource types.</Note>

## Configure access via ACLs and policies

All commands use AWS CLI and S3cmd interchangeably — choose whichever is already configured on the system.

In all commands and JSON files, replace the following placeholders:

* `sample.jpg` — the object name.
* `my_bucket` — the bucket name.
* `s-ed1.cloud.gcore.lu` — the storage hostname from the Details dialog; the [service URLs](/storage/manage-object-storage/s3-service-urls-and-default-region-names) reference lists all location endpoints.

### Public object access via ACL

To allow all users to download an object, apply the `public-read` ACL (`--acl public-read` in AWS CLI or `--acl-public` in S3cmd).

AWS CLI:

```sh theme={null}
aws s3api put-object-acl --bucket my_bucket --key sample.jpg --acl public-read --endpoint-url=https://s-ed1.cloud.gcore.lu
```

S3cmd:

```sh theme={null}
s3cmd setacl s3://my_bucket/sample.jpg --acl-public
```

The specified object becomes publicly accessible to all users.

### Bucket listing via ACL

To allow all users to list objects in a bucket, apply the `public-read` ACL to the bucket.

AWS CLI:

```sh theme={null}
aws s3api put-bucket-acl --bucket my_bucket --acl public-read --endpoint-url=https://s-ed1.cloud.gcore.lu
```

S3cmd:

```sh theme={null}
s3cmd setacl s3://my_bucket/ --acl-grant=read
```

Users can list objects in the bucket but cannot read or write individual objects without additional object-level ACLs.

### Public object access via policy

<Steps>
  <Step title="Create the policy file">
    Create a JSON file with the following policy:

    ```json theme={null}
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": "*",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::my_bucket/*"
        }
      ]
    }
    ```
  </Step>

  <Step title="Apply the policy">
    Apply the policy to the bucket.

    AWS CLI:

    ```sh theme={null}
    aws s3api put-bucket-policy --policy file://policy.json --endpoint-url=https://s-ed1.cloud.gcore.lu --bucket my_bucket
    ```

    S3cmd:

    ```sh theme={null}
    s3cmd setpolicy policy.json s3://my_bucket/
    ```

    All objects in the bucket become publicly accessible for download.

    <Note>This policy grants direct file access but does not allow listing the files in the bucket.</Note>
  </Step>
</Steps>

### Directory access denial via policy

<Steps>
  <Step title="Create the policy file">
    Create a JSON file that allows public read on the bucket but denies access to the `secret/` directory:

    ```json theme={null}
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": "*",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::my_bucket/*"
        },
        {
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::my_bucket/secret/*"
        }
      ]
    }
    ```
  </Step>

  <Step title="Apply the policy">
    Apply the policy to the bucket.

    AWS CLI:

    ```sh theme={null}
    aws s3api put-bucket-policy --policy file://policy.json --endpoint-url=https://s-ed1.cloud.gcore.lu --bucket my_bucket
    ```

    S3cmd:

    ```sh theme={null}
    s3cmd setpolicy policy.json s3://my_bucket/
    ```
  </Step>
</Steps>

### IP-based access via policy

<Steps>
  <Step title="Create the policy file">
    Create a JSON file that restricts access to a specific IP address or CIDR range. Replace `10.0.0.0/24` with the actual IP or range:

    ```json theme={null}
    {
      "Statement": [
        {
          "Sid": "IPAllow",
          "Effect": "Allow",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::my_bucket",
            "arn:aws:s3:::my_bucket/*"
          ],
          "Condition": {
            "IpAddress": {"aws:SourceIp": "10.0.0.0/24"}
          }
        }
      ]
    }
    ```
  </Step>

  <Step title="Apply the policy">
    Apply the policy to the bucket.

    AWS CLI:

    ```sh theme={null}
    aws s3api put-bucket-policy --policy file://policy.json --endpoint-url=https://s-ed1.cloud.gcore.lu --bucket my_bucket
    ```

    S3cmd:

    ```sh theme={null}
    s3cmd setpolicy policy.json s3://my_bucket/
    ```
  </Step>
</Steps>

### Referrer-based access via policy

<Steps>
  <Step title="Create the policy file">
    Create a JSON file that restricts access to requests originating from specific websites. Replace `http://www.example.com/` and `http://example.com/` with the actual URLs:

    ```json theme={null}
    {
      "Statement": [
        {
          "Sid": "Allow get requests originating from www.example.com and example.com.",
          "Effect": "Allow",
          "Principal": "*",
          "Action": ["s3:GetObject", "s3:GetObjectVersion"],
          "Resource": "arn:aws:s3:::my_bucket/*",
          "Condition": {
            "StringLike": {"aws:Referer": ["http://www.example.com/*", "http://example.com/*"]}
          }
        }
      ]
    }
    ```
  </Step>

  <Step title="Apply the policy">
    Apply the policy to the bucket.

    AWS CLI:

    ```sh theme={null}
    aws s3api put-bucket-policy --policy file://policy.json --endpoint-url=https://s-ed1.cloud.gcore.lu --bucket my_bucket
    ```

    S3cmd:

    ```sh theme={null}
    s3cmd setpolicy policy.json s3://my_bucket/
    ```
  </Step>
</Steps>

### User access grant via policy

<Steps>
  <Step title="Create the policy file">
    Create a JSON file that grants a specific user read and list access. Replace `1234-test` with the storage username from the Details dialog:

    ```json theme={null}
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": ["arn:aws:iam:::user/1234-test"]
          },
          "Action": ["s3:GetObject", "s3:ListBucket"],
          "Resource": ["arn:aws:s3:::my_bucket/*", "arn:aws:s3:::my_bucket"]
        }
      ]
    }
    ```
  </Step>

  <Step title="Apply the policy">
    Apply the policy to the bucket.

    AWS CLI:

    ```sh theme={null}
    aws s3api put-bucket-policy --policy file://policy.json --endpoint-url=https://s-ed1.cloud.gcore.lu --bucket my_bucket
    ```

    S3cmd:

    ```sh theme={null}
    s3cmd setpolicy policy.json s3://my_bucket/
    ```
  </Step>
</Steps>
