Introduction
This quick example shows how we can update the bucket access policy in StorageGRID in order to allow anonymous access. This allows access to the bucket without S3 credentials, e.g. through a browser.
Instructions
In this example, we use s3cmd to connect to StorageGRID Webscale. To get s3cmd talking to StorageGRID, update the following fields in ~/.s3cfg as shown below. Please note that disabling SSL certificate checks is not advised for production workloads; set the ca_certs_file field instead.
$ cat ~/.s3cfg (only important fields shown)
access_key = <S3 access key>
secret_key = <S3 secret access key>
check_ssl_certificate = False
check_ssl_hostname = False
host_base = <StorageGRID address>:8082
host_bucket = <StorageGRID address>:8082/%(bucket)
Next, we create a JSON document to enable access to a bucket “public-bucket1” which we will expose to the public:
$ cat anonymous_access.json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "urn:sgws:s3:::public-bucket1",
        "urn:sgws:s3:::public-bucket1/*"
      ]
    }
  ]
}
Lastly, we use s3cmd to apply the policy to the bucket:
$ s3cmd setpolicy anonymous_access.json s3://public-bucket1
s3://public-bucket1/: Policy updated
We are now able to point a browser to an object and download it without requiring credentials, e.g. via https://<StorageGRID address>:8082/public-bucket1/objectkey
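An added example, not part of the original post: a Python check that reads a bucket policy document and reports every Allow statement that applies to anonymous callers, run here on the policy above. The function and field names are hypothetical, and treating `{"AWS": "*"}` as equivalent to `"*"` and `s3:Get`/`s3:List` as the read-only actions are assumptions.

```python
import fnmatch
import json

# The policy from this page, embedded so the check runs offline.
PAGE_POLICY = """
{"Statement": [{"Effect": "Allow", "Principal": "*",
  "Action": ["s3:GetObject", "s3:ListBucket"],
  "Resource": ["urn:sgws:s3:::public-bucket1",
               "urn:sgws:s3:::public-bucket1/*"]}]}
"""

READ_PREFIXES = ("s3:Get", "s3:List")  # assumption: these are the read-only actions


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    # Assumption: "*" and {"AWS": "*"} both mean "any caller, no credentials".
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return "*" in _as_list(principal)


def audit_policy(policy_text):
    """Return one finding per Allow statement that applies to anonymous callers."""
    findings = []
    for stmt in _as_list(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action", []))
        findings.append({
            "actions": actions,
            "resources": _as_list(stmt.get("Resource", [])),
            # True when anyone can enumerate object keys, not just fetch known ones.
            "lists_keys": any(fnmatch.fnmatchcase("s3:ListBucket", a) for a in actions),
            # Actions that go past read/list, including wildcards such as "s3:*".
            "beyond_read": [a for a in actions if not a.startswith(READ_PREFIXES)],
            # A Condition block (for example an IP range) narrows the exposure.
            "conditional": "Condition" in stmt,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_policy(PAGE_POLICY):
        print(json.dumps(finding, indent=2))
```

For the policy on this page the check returns a single finding with `lists_keys` set, which is the effect of granting `s3:ListBucket` to `*`: anonymous callers can enumerate every key in the bucket as well as download objects.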
Conclusion
Anonymous access is a simple way to share content in an S3 bucket with people at large. You can enable anonymous access to collaborate on projects, use an S3 bucket as a content repository within your organization or build a simple web-based catalogue of a bucket. You can further develop the S3 bucket policy framework within StorageGRID to have conditional access to buckets based on IP ranges and also tweak actions to allow more than just read and list operations.
If you have questions, feel free to reach out via email to thePub