# Examples

The following examples show common use cases and their corresponding bucket policy configurations.

{% hint style="info" %}
**Prerequisite:** You can retrieve the **Contract User ID** and **Canonical User ID** from the **Key Management** section by following the steps in [<mark style="color:blue;">Retrieve User ID</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/how-tos/retrieve-user-id).
{% endhint %}

## Grant full control of the bucket to other users

To grant full control over a contract-owned bucket or a user-owned bucket and its objects to other <code class="expression">space.vars.ionos\_cloud\_object\_storage</code> users:

{% tabs %}
{% tab title="Contract-owned Buckets" %}

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Grant Full Control",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam:::user/CONTRACT_USER_ID1",
          "arn:aws:iam:::user/CONTRACT_USER_ID2"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}
```

{% endtab %}

{% tab title="User-owned Buckets" %}

```json
{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Sid": "Grant Full Control",
     "Effect": "Allow",
     "Principal": {
       "CanonicalUser": ["CANONICAL_USER_ID_1", "CANONICAL_USER_ID_2"]
     },
     "Action": "s3:*",
     "Resource": [
       "arn:aws:s3:::my-bucket",
       "arn:aws:s3:::my-bucket/*"
     ]
   }
 ]
}
```

{% endtab %}
{% endtabs %}

## Grant read-only access to a specific prefix

{% tabs %}
{% tab title="Contract-owned Buckets" %}
To grant read-only access to objects within a specific prefix of a contract-owned bucket to other <code class="expression">space.vars.ionos\_cloud\_object\_storage</code> users:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GrantReadOnlyAccessToPrefix",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam:::user/CONTRACT_USER_ID1",
                    "arn:aws:iam:::user/CONTRACT_USER_ID2"
                ]
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket/prefix/*",
                "arn:aws:s3:::my-bucket"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "prefix/*"
                    ]
                }
            }
        }
    ]
}
```

{% endtab %}

{% tab title="User-owned Buckets" %}
To grant read-only access to objects within a specific prefix of a user-owned bucket to other <code class="expression">space.vars.ionos\_cloud\_object\_storage</code> users:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GrantReadOnlyAccessToPrefix",
      "Effect": "Allow",
      "Principal": {
         "CanonicalUser": ["CANONICAL_USER_ID_1", "CANONICAL_USER_ID_2"]
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket/prefix/*",
        "arn:aws:s3:::my-bucket"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "prefix/*"
          ]
        }
      }
    }
  ]
}
```

{% endtab %}
{% endtabs %}

## Public read access

To allow anyone, including unauthenticated users, to read objects under the `public/` prefix of a contract-owned bucket or a user-owned bucket while keeping all other objects private:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/public/*"
    }
  ]
}
```

## Restrict access to specific IP addresses

To deny all users any S3 operation on the bucket and its objects unless the request originates from the specified IP address range:

```json
{
    "Id": "SourceIp",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SourceIp",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ],
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "123.123.123.0/24"
                    ]
                }
            }
        }
    ]
}
```
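
The following Python code is an added example, not part of the IONOS documentation: it checks which requests the source-IP policy above explicitly denies, so you can confirm your own client addresses fall inside the allowed range before applying it. It assumes AWS-style statement matching (`*` wildcards, `Principal` of `"*"`); the helper names and sample client IPs are constructed for illustration.

```python
import ipaddress
import json
from fnmatch import fnmatchcase

# The source-IP policy from this page, embedded so the example runs offline.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{
  "Sid": "SourceIp", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
  "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
  "Condition": {"NotIpAddress": {"aws:SourceIp": ["123.123.123.0/24"]}}}]}
""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def matches(patterns, value):
    # '*' wildcard matching for actions and resource ARNs.
    return any(fnmatchcase(value, p) for p in as_list(patterns))

def in_ranges(cidrs, ip):
    addr = ipaddress.ip_address(ip)
    # An IPv6 address is never inside an IPv4 network, and vice versa.
    return any(addr in ipaddress.ip_network(c, strict=False) for c in as_list(cidrs))

def condition_holds(condition, source_ip):
    # Assumption: only IpAddress / NotIpAddress on aws:SourceIp are modelled.
    for operator, keys in condition.items():
        for key, cidrs in keys.items():
            if key != "aws:SourceIp" or operator not in ("IpAddress", "NotIpAddress"):
                raise ValueError(f"unsupported condition: {operator} {key}")
            if in_ranges(cidrs, source_ip) != (operator == "IpAddress"):
                return False
    return True

def explicit_deny(policy, action, resource, source_ip):
    """Return the Sid of the first Deny statement that applies, or None."""
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Deny" and stmt["Principal"] == "*"
                and matches(stmt["Action"], action)
                and matches(stmt["Resource"], resource)
                and condition_holds(stmt.get("Condition", {}), source_ip)):
            return stmt.get("Sid", "<no Sid>")
    return None

if __name__ == "__main__":
    # Constructed sample client addresses.
    for ip in ("123.123.123.45", "123.123.124.1", "2001:db8::1"):
        verdict = explicit_deny(POLICY, "s3:GetObject", "arn:aws:s3:::my-bucket/a.txt", ip)
        print(ip, "->", verdict or "not denied by this policy")
```

A result of `None` means only that this `Deny` statement does not apply; under the assumed semantics the request still needs a matching `Allow` to succeed. A client connecting over IPv6 is outside the IPv4 range and is therefore denied.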

For more information on bucket policy configurations, see [<mark style="color:blue;">Bucket Policy</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/settings/bucket-policy), supported bucket and object [<mark style="color:blue;">actions and condition values</mark>](https://api.ionos.com/docs/s3/v2/#tag/Policy/operation/PutBucketPolicy), and [<mark style="color:blue;">Retrieve user ID</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/how-tos/retrieve-user-id#retrieve-user-id).
