# Bucket Policy

Bucket Policy is a JSON-based access policy language that allows you to create fine-grained permissions for your Object Storage buckets. With Bucket Policy, you can specify which users or services can access specific objects and what actions users can perform.

{% hint style="info" %}
**Note:** Bucket Policy is supported for both contract-owned buckets and user-owned buckets. The maximum allowed Bucket Policy size for a contract-owned bucket is 1 MB, and for a user-owned bucket is 20 KB. For more information, see [<mark style="color:blue;">Bucket Types</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/concepts/bucket-types).
{% endhint %}

{% hint style="info" %}
**Note:** Granting another IONOS Cloud user access to a user-owned bucket does not make that bucket appear in the user's Object Storage view in the DCD. The S3 protocol has no concept of interface visibility, so a policy grant is never reflected there. The user must access the bucket with other [<mark style="color:blue;">S3 Tools</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/s3-tools).
{% endhint %}

## Use cases

* Use this feature to grant access to a specific user or group to only a subset of the objects in your bucket.
* Restrict access to certain operations on your bucket, for example, listing objects or removing an Object Lock.
* Using Bucket Policy, you can grant access based on conditions, such as the IP address of the user.
* Create fine-grained access control rules to allow a user to put objects to a specific prefix in your bucket, but not to get objects from that prefix.

## Bucket Policy alternatives

* Use [<mark style="color:blue;">Bucket ACL</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/settings/access-control-list/access-control-list-buckets) and [<mark style="color:blue;">Object ACL</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/settings/access-control-list/access-control-list-objects) instead of Bucket Policy if you need to define different sets of permissions such as `READ`, `WRITE`, or `FULL CONTROL` to many objects.
* Use [<mark style="color:blue;">Share Objects with Pre-Signed URLs</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/how-tos/share-objects-pre-signed-urls) to grant temporary access to authorized users for a specified period, after which the URL and the access to the object expire.

## Policy format

A JSON-formatted bucket policy contains one or more policy statements. Within a policy's statement blocks, IONOS Object Storage supports the following policy statement elements and values:

* **Id (optional):** A unique identifier for the policy. Example: `SamplePolicyID`.
* **Version (required):** Specifies the policy language version. The current version is `2012-10-17`.
* **Statement (required):** An array of individual statements, each specifying a permission.
* **Sid (optional):** Custom string identifying the statement. For example, `Delegate certain actions to another user`.
* **Action (required):** Specifies the action(s) that are allowed or denied by the statement. See the *Action* section in the [<mark style="color:blue;">Request</mark>](#request) for the supported values. Example: `s3:GetObject` for allowing read access to objects.
* **Effect (required):** Specifies the effect of the statement. Possible values: `Allow`, `Deny`.
* **Resource (required):** Must be one of the following:
  * `arn:aws:s3:::<bucketName>` – For bucket actions (such as `s3:ListBucket`) and bucket subresource actions (such as `s3:GetBucketAcl`).
  * `arn:aws:s3:::<bucketName>/*` or `arn:aws:s3:::<bucketName>/<objectName>` – For object actions (such as `s3:PutObject`).
* **Condition (optional):** Specifies conditions for when the statement is in effect. See the *Condition* section in the [<mark style="color:blue;">Request</mark>](#request) for the supported values. Example: `{"IpAddress": {"aws:SourceIp": "123.123.123.0/24"}}` restricts access to the specified IP range; the condition key (`aws:SourceIp`) is always wrapped in a condition operator (`IpAddress`). For the list of supported bucket and object actions and condition values, see [<mark style="color:blue;">Supported Action Values</mark>](https://api.ionos.com/docs/s3/v2/#tag/Policy/operation/PutBucketPolicy).
* **Principal (required):** Specifies the user, account, service, or other entity to which the statement applies. For information specific to the bucket types, see the following:

{% tabs %}
{% tab title="Contract-owned Buckets" %}

* `"AWS": "*"` – Statement applies to all users, including unauthenticated requests (also known as 'anonymous access'). Combined with `"Effect": "Allow"`, this makes the matching resources public.
* `"AWS": "arn:aws:iam:::user/<contractNumber>"` – Statement applies to the specified contract number.
* `"AWS": ["arn:aws:iam:::user/<contractNumber>:<UUID1>", "arn:aws:iam:::user/<contractNumber>:<UUID2>", …]` – Statement applies to the specified IONOS Object Storage users.
{% endtab %}

{% tab title="User-owned Buckets" %}

* `{"CanonicalUser": "*"}` – Statement applies to all users, including unauthenticated requests (also known as 'anonymous access'). Combined with `"Effect": "Allow"`, this makes the matching resources public.
* `"CanonicalUser": ["<canonicalUserId>", "<canonicalUserId>",...]` – Statement applies to the specified IONOS Object Storage users.
{% endtab %}
{% endtabs %}

### Request

Contract-owned bucket:

```json
{
  "Id": "Delegate certain actions to another user",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Delegate certain actions to another user",
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "123.123.123.123/32"
          ]
        }
      },
      "Principal": {
        "AWS": "arn:aws:iam:::user/31000000:9acd8251-2857-410e-b1fd-ca86462bdcec"
      }
    }
  ]
}
```

User-owned bucket:

```json
{
  "Id": "Delegate certain actions to another user",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Delegate certain actions to another user",
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "123.123.123.123/32"
          ]
        }
      },
      "Principal": {
        "CanonicalUser": "783fa49356820b211a4283526fe24343"
      }
    }
  ]
}
```

For more information, see Bucket Policy [<mark style="color:blue;">Examples</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/settings/bucket-policy/examples) and supported bucket and object [<mark style="color:blue;">actions and condition values</mark>](https://api.ionos.com/docs/s3/v2/#tag/Policy/operation/PutBucketPolicy).
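The element rules above and the "put to a prefix but never read it back" use case can be exercised in code. The following Python is an added example written for this page, not IONOS tooling: it builds a policy that lets one user upload under a prefix from a single address range while explicitly denying reads of that prefix, then checks the result against the constraints the page documents (required elements, resource ARN shapes, principal form per bucket type, size limits). The bucket name, prefix and address range are made up; the exact contract-number, UUID and canonical-ID formats in the regular expressions are assumed from the page's sample values; and the rule that an explicit `Deny` overrides an `Allow` is the standard S3 policy evaluation model, which the page does not spell out.

```python
"""Build and sanity-check an IONOS Object Storage bucket policy.

Added example written for this page, not IONOS tooling. The builder covers
the use case "put objects to a prefix but never get them back", and the
checker enforces what the page documents: required elements, resource ARN
shapes, the principal form per bucket type, and the size limits.
"""
import json
import re

POLICY_VERSION = "2012-10-17"
# Size limits from the page: 1 MB for contract-owned, 20 KB for user-owned.
SIZE_LIMITS = {"contract-owned": 1024 * 1024, "user-owned": 20 * 1024}
# Principal shapes per bucket type. The digit-only contract number, the
# 36-character user UUID and the 32-hex canonical ID are assumed from the
# page's sample values, not from a published specification.
CONTRACT_PRINCIPAL = re.compile(r"^arn:aws:iam:::user/\d+(:[0-9a-f-]{36})?$")
CANONICAL_ID = re.compile(r"^[0-9a-f]{32}$")
ARN_PREFIX = "arn:aws:s3:::"
RESOURCE_ARN = re.compile(r"^arn:aws:s3:::[^/]+(/.+)?$")
# Bucket-level actions named on the page; the full list is in the API reference.
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketAcl"}


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def write_only_prefix_policy(bucket, principal, prefix, cidr, bucket_type="contract-owned"):
    """Let `principal` upload under `prefix` from `cidr` only, and deny reads there.

    Assumption: an explicit Deny overrides any Allow (standard S3 evaluation),
    so the second statement holds even if another grant is added later.
    """
    who = {"AWS": principal} if bucket_type == "contract-owned" else {"CanonicalUser": principal}
    objects = [f"{ARN_PREFIX}{bucket}/{prefix}/*"]
    return {
        "Id": f"write-only-{prefix}",
        "Version": POLICY_VERSION,
        "Statement": [
            {
                "Sid": "PutIntoPrefixFromAllowedRange",
                "Effect": "Allow",
                "Principal": who,
                "Action": ["s3:PutObject"],
                "Resource": objects,
                "Condition": {"IpAddress": {"aws:SourceIp": [cidr]}},
            },
            {
                "Sid": "NeverReadBackFromPrefix",
                "Effect": "Deny",
                "Principal": who,
                "Action": ["s3:GetObject"],
                "Resource": objects,
            },
        ],
    }


def check_policy(policy, bucket_type):
    """Return a list of findings; an empty list means every documented check passed."""
    findings = []
    size = len(json.dumps(policy, separators=(",", ":")).encode())
    if size > SIZE_LIMITS[bucket_type]:
        findings.append(f"policy is {size} bytes; the {bucket_type} limit is {SIZE_LIMITS[bucket_type]}")
    if policy.get("Version") != POLICY_VERSION:
        findings.append(f"Version must be {POLICY_VERSION}")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["Statement must be a non-empty array"]
    key = "AWS" if bucket_type == "contract-owned" else "CanonicalUser"
    id_pattern = CONTRACT_PRINCIPAL if key == "AWS" else CANONICAL_ID
    for i, st in enumerate(statements):
        tag = st.get("Sid", f"Statement[{i}]")
        for element in ("Action", "Effect", "Resource", "Principal"):
            if element not in st:
                findings.append(f"{tag}: missing required element {element}")
        if st.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{tag}: Effect must be Allow or Deny")
        resources = _as_list(st.get("Resource"))
        for res in resources:
            if not RESOURCE_ARN.match(res):
                findings.append(f"{tag}: resource {res!r} is not arn:aws:s3:::<bucket>[/<object>]")
        # Bucket actions are evaluated against the bare bucket ARN, not <bucket>/*.
        has_bucket_arn = any("/" not in r[len(ARN_PREFIX):] for r in resources)
        if BUCKET_LEVEL_ACTIONS & set(_as_list(st.get("Action"))) and not has_bucket_arn:
            findings.append(f"{tag}: bucket-level action without an arn:aws:s3:::<bucket> resource")
        principal = st.get("Principal")
        ids = _as_list(principal.get(key)) if isinstance(principal, dict) else []
        if not ids:
            findings.append(f"{tag}: Principal must use the {key!r} key on {bucket_type} buckets")
        for p in ids:
            if p != "*" and not id_pattern.match(p):
                findings.append(f"{tag}: principal {p!r} does not match the {bucket_type} format")
    return findings


if __name__ == "__main__":
    policy = write_only_prefix_policy(
        "my-bucket", "arn:aws:iam:::user/31000000:9acd8251-2857-410e-b1fd-ca86462bdcec",
        "uploads", "123.123.123.0/24")
    print(json.dumps(policy, indent=2))
    print("findings:", check_policy(policy, "contract-owned"))
```

Run `check_policy` on any policy JSON before pasting it into the DCD or sending it with `PutBucketPolicy`: a wrong principal key for the bucket type, a bucket-level action paired only with an object ARN, or an oversized policy is caught locally instead of by a rejected request.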

## Manage Bucket Policy

You can manage the Bucket Policy using the DCD, API, and CLI.

### DCD

#### Apply a Bucket Policy

You can apply Bucket Policy using the DCD by following these steps:

1\. In the **DCD**, go to **Menu** > **Storage & Backup** > **IONOS Object Storage**.

2\. From the drop-down list in the **Buckets** tab, choose either **Show user-owned buckets** or **Show contract-owned buckets** depending on the bucket type you want to view.

3\. From the **Buckets** list, choose the required bucket and click **Bucket settings**.

4\. Go to the **Bucket Policy** setting under the **Access management** section and click **Edit**.

5\. Copy and paste one of the JSON policies below, choosing the tab for your bucket type. Replace `BUCKET_NAME` with the name of your bucket and the user placeholder with the user who is to be granted access. Depending on the [<mark style="color:blue;">Bucket Types</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/concepts/bucket-types), the principal is:

* Contract-owned buckets: `arn:aws:iam:::user/<contractNumber>:<userId>`, where `<userId>` is the Contract user ID.
* User-owned buckets: the Canonical user ID.

**Info:** You can retrieve your user ID from the **Key management** section. For more information, see [<mark style="color:blue;">Retrieve User ID</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/how-tos/retrieve-user-id).

6\. Click **Save**.

{% tabs %}
{% tab title="Contract-owned Buckets" %}

```json
{
  "Id": "Share access to the bucket",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Share access to the bucket",
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME",
        "arn:aws:s3:::BUCKET_NAME/*"
      ],
      "Principal": {
        "AWS": "arn:aws:iam:::user/CONTRACT_NUMBER:USER_ID"
      }
    }
  ]
}
```

{% endtab %}

{% tab title="User-owned Buckets" %}

```json
{
  "Id": "Share access to the bucket",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Share access to the bucket",
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME",
        "arn:aws:s3:::BUCKET_NAME/*"
      ],
      "Principal": {
        "CanonicalUser": "CANONICAL_USER_ID"
      }
    }
  ]
}
```

{% endtab %}
{% endtabs %}

{% hint style="success" %}
**Result:** This action grants the specified user full access (`s3:*`) to the bucket and to every object in it, including bucket-level actions such as `s3:GetBucketAcl`. This is the broadest grant a Bucket Policy can express.
{% endhint %}

{% hint style="info" %}
**Info:** You have the option to restrict actions, define the scope of access, or incorporate conditions into the Bucket Policy for more tailored control. For more information, see [<mark style="color:blue;">Examples</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/settings/bucket-policy/examples).
{% endhint %}

#### Delete a Bucket Policy

You can delete a Bucket Policy at any time: open the **Bucket Policy** section in the **Bucket settings** and click **Delete**.

{% hint style="info" %}
**Info:** Removing a bucket policy is irreversible. Save a copy of the current policy JSON before deleting it so that it can be restored if needed.
{% endhint %}

### API

Use the [<mark style="color:blue;">API</mark>](https://api.ionos.com/docs/s3/v2/#tag/Policy/operation/PutBucketPolicy) to manage the Bucket Policy configuration.

### CLI

Use the [<mark style="color:blue;">CLI</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/s3-tools/awscli/awscli-bucket-policy) to manage Bucket Policy.

## Related feature

### Block Public Access

If a bucket policy grants public access, activating **Block Public Access** revokes those permissions and keeps the data private. Use it when data privacy must be guaranteed, or when you want to enforce a blanket no-public-access rule regardless of what the Bucket Policy says. Currently, Block Public Access is available only via the [<mark style="color:blue;">API</mark>](https://api.ionos.com/docs/s3/v2/).
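To see which statements such a rule would affect before enabling it, the following added Python (written for this page, not IONOS tooling) scans a policy for `Allow` statements whose Principal is the wildcard, using the principal forms documented under Policy format (`"AWS": "*"` on contract-owned buckets, `"CanonicalUser": "*"` on user-owned buckets). The sample policy, its bucket name and its user identifier are constructed for the example; treating a bare `"Principal": "*"` as public is an assumption taken from the general S3 policy syntax, which the page does not show.

```python
"""Find bucket policy statements that grant public access.

Added example written for this page, not IONOS tooling. It flags every Allow
statement whose Principal is the wildcard, which is the class of grant that
Block Public Access revokes. A Deny addressed to "*" is not a grant and is
left alone.
"""

PRINCIPAL_KEYS = ("AWS", "CanonicalUser")


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def is_public_principal(principal):
    """True if the Principal element applies to all users, anonymous included."""
    if principal == "*":  # bare short form of S3-style policies; assumed, not shown on the page
        return True
    if not isinstance(principal, dict):
        return False
    return any("*" in _as_list(principal.get(k)) for k in PRINCIPAL_KEYS)


def public_grants(policy):
    """Return one dict per Allow statement that is open to everyone."""
    hits = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") == "Allow" and is_public_principal(st.get("Principal")):
            hits.append({
                "sid": st.get("Sid", f"Statement[{i}]"),
                "actions": _as_list(st.get("Action")),
                "resources": _as_list(st.get("Resource")),
                # A Condition narrows the grant but does not make it non-public
                # here; it is reported so a reviewer can judge it.
                "conditional": "Condition" in st,
            })
    return hits


# Constructed sample: one deliberately public read grant, one user-scoped grant,
# one Deny addressed to everyone (a restriction, not a grant).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadOfStaticAssets",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::my-bucket/static/*"],
        },
        {
            "Sid": "OneUserFullAccess",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam:::user/31000000:9acd8251-2857-410e-b1fd-ca86462bdcec"},
            "Action": ["s3:*"],
            "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
        },
        {
            "Sid": "NobodyWritesToArchive",
            "Effect": "Deny",
            "Principal": {"AWS": "*"},
            "Action": ["s3:PutObject"],
            "Resource": ["arn:aws:s3:::my-bucket/archive/*"],
        },
    ],
}

if __name__ == "__main__":
    for hit in public_grants(SAMPLE_POLICY):
        print(f"{hit['sid']}: {hit['actions']} on {hit['resources']} "
              f"(conditional={hit['conditional']})")
```

Only the first statement is reported: the second names a single user, and the third is a `Deny`, which restricts rather than grants. Running this against the policy returned by `GetBucketPolicy` tells you exactly what turning on Block Public Access would take away.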
