Introduction

This quick example shows how we can update the bucket access policy in StorageGRID in order to allow anonymous access. This allows access to the bucket without S3 credentials, e.g. through a browser.

Instructions

In this example, we use s3cmd to connect to StorageGRID Webscale. To get s3cmd talking to StorageGRID, update the following fields in ~/.s3cfg as shown below. Note that disabling SSL certificate checks is not advised for production workloads; set the ca_certs_file field instead.

$ cat ~/.s3cfg (only important fields shown)
access_key = <S3 access key>
secret_key = <S3 secret access key>
check_ssl_certificate = False
check_ssl_hostname = False
host_base = <StorageGRID address>:8082
host_bucket = <StorageGRID address>:8082/%(bucket)

Next, we create a JSON document to enable access to a bucket “public-bucket1” which we will expose to the public:

$ cat anonymous_access.json
{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "urn:sgws:s3:::public-bucket1",
                "urn:sgws:s3:::public-bucket1/*"
            ]
        }
    ]
}

Lastly, we use s3cmd to apply the policy to the bucket:

$ s3cmd setpolicy anonymous_access.json s3://public-bucket1 
s3://public-bucket1/: Policy updated

We are now able to point a browser to an object and download it without requiring credentials, e.g. via https://<StorageGRID address>:8082/public-bucket1/objectkey.
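Before a policy file is handed to s3cmd setpolicy, it can be checked for statements that apply to every caller. The following Python sketch is an added example, not part of the original post or of StorageGRID: it lists each anonymous Allow statement, the actions and resources it exposes, whether any Condition is attached, and whether it grants more than the read and list actions used above. The function names and the handling of a mapping-style Principal are assumptions of this example.

```python
import json

# Constructed sample input: the policy document shown on this page.
PAGE_POLICY = """{"Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["urn:sgws:s3:::public-bucket1",
                 "urn:sgws:s3:::public-bucket1/*"]}]}"""

# The two read-side actions the page grants; anything else is reported.
READ_ONLY = {"s3:GetObject", "s3:ListBucket"}


def as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])


def is_anonymous(principal):
    """True for "*" or a mapping with a "*" value (mapping form is assumed)."""
    if isinstance(principal, dict):
        return any("*" in as_list(v) for v in principal.values())
    return principal == "*"


def audit_policy(policy_text):
    """Return one finding per Allow statement that applies to everyone."""
    statements = json.loads(policy_text).get("Statement", [])
    if isinstance(statements, dict):  # a single statement object
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not is_anonymous(stmt.get("Principal")):
            continue
        actions = as_list(stmt.get("Action"))
        findings.append({
            "actions": actions,
            "resources": as_list(stmt.get("Resource")),
            "beyond_read": sorted(a for a in actions if a not in READ_ONLY),
            "conditioned": bool(stmt.get("Condition")),
        })
    return findings


if __name__ == "__main__":
    for f in audit_policy(PAGE_POLICY):
        scope = "conditioned" if f["conditioned"] else "unconditional"
        print(f"anonymous Allow ({scope}): {f['actions']} on {f['resources']}")
        if f["beyond_read"]:
            print(f"  grants more than read/list: {f['beyond_read']}")
```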

Conclusion

Anonymous access is a simple way to share content in an S3 bucket with people at large. You can enable anonymous access to collaborate on projects, use an S3 bucket as a content repository within your organization or build a simple web-based catalogue of a bucket. You can further develop the S3 bucket policy framework within StorageGRID to have conditional access to buckets based on IP ranges and also tweak actions to allow more than just read and list operations.

If you have questions, feel free to reach out via email to thePub

Clemens Siebler
Manager Solution Architects EMEA
Clemens is leading a technical team of Solution Architects in EMEA. In his current role, he and his team are evangelizing upcoming market trends like Containers, Object Storage, OpenStack, and NFV. His current passion is enabling customers to transition their large scale workloads to Object Storage. Before, he worked as a Software Engineer on NetApp’s software products, where he published multiple patents on plug-in frameworks.