Can I Restrict Users to Specific Buckets in Contabo's Object Storage?

You can restrict users to specific buckets, so that one user can use one bucket while another bucket is accessible only to another user.


The following describes how to limit access to a bucket to specific users.


The following assumes that the AWS CLI is installed and properly configured, and that you have access to Contabo's Object Storage Panel to create users.


How do I restrict users to specific buckets in Contabo's Object Storage?

You need to set up a bucket policy. A bucket policy allows or denies access to buckets in the form of specific actions, and is used to control which users have what access to a bucket.


Below is an example of how to set this up:

  1. This step denies the user user2@example.com any action on any resource in bucket-for-user-1.

    With the given data, create a policy for bucket-for-user-1 and store it in the file bucket-for-user-1-policy.json with the following content:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "*",
          "Effect": "Deny",
          "Resource": "*",
          "Principal": {
            "AWS": [
              "arn:aws:iam::5c37e60c3ee04f1eb116c436b1afadca:user/12345:3368c22e-08da-446f-a470-1928e58457a2"
            ]
          }
        }
      ]
    }

    Note that here s3TenantId=5c37e60c3ee04f1eb116c436b1afadca, customerId=12345 and userId=3368c22e-08da-446f-a470-1928e58457a2. The format is therefore arn:aws:iam::<s3TenantId>:user/<customerId>:<userId>. To apply the policy, run the following command:

    aws --profile eu2 --endpoint-url https://eu2.contabostorage.com s3api put-bucket-policy --bucket bucket-for-user-1 --policy file://bucket-for-user-1-policy.json

  2. This step denies the user user1@example.com any action on any resource in bucket-for-user-2.

    Store the following policy in the file bucket-for-user-2-policy.json:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "*",
          "Effect": "Deny",
          "Resource": "*",
          "Principal": {
            "AWS": [
              "arn:aws:iam::5c37e60c3ee04f1eb116c436b1afadca:user/12345:6299cbdd-ef72-486b-b088-c34181fc20f1"
            ]
          }
        }
      ]
    }

    Note that here s3TenantId=5c37e60c3ee04f1eb116c436b1afadca, customerId=12345 and userId=6299cbdd-ef72-486b-b088-c34181fc20f1, so the format is again arn:aws:iam::<s3TenantId>:user/<customerId>:<userId>. To apply the policy, run the following command:

    aws --profile eu2 --endpoint-url https://eu2.contabostorage.com s3api put-bucket-policy --bucket bucket-for-user-2 --policy file://bucket-for-user-2-policy.json

The example above is based on two buckets:

  • bucket-for-user-1
  • bucket-for-user-2

It also assumes two existing users who have set their passwords to access Contabo's Object Storage Panel:

  • user1@example.com with S3 Read and Write role
  • user2@example.com with S3 Read and Write role

The usage should be restricted as follows:

  • only user1@example.com can access bucket-for-user-1
  • only user2@example.com can access bucket-for-user-2

In your actual scenario, the bucket names and user names will be different, so adjust them accordingly. You could have any number of buckets or users with different policies, and even more fine-grained control over actions, but that is not covered here.


Furthermore, you will need the internal representation of the users in the S3 Object Storage. To get it, use the Contabo API or the cntb CLI via cntb get users, and take the value of the userId field.

You will also need the so-called s3TenantId for the given Object Storage. You can get it with cntb get objectStorages -o=json.
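
The two policies above generalize to any number of users: a policy of this form denies only the principals it lists, so each bucket's policy has to name every user except the bucket's owner and has to be regenerated whenever a user is added. The following Python sketch is an added example, not Contabo's code; the function names are hypothetical and the IDs are the sample values from the policies above.

```python
import json
from pathlib import Path

# Constructed sample input: the IDs from the article's example policies.
S3_TENANT_ID = "5c37e60c3ee04f1eb116c436b1afadca"  # s3TenantId
CUSTOMER_ID = "12345"                              # customerId
USERS = {  # e-mail -> userId
    "user1@example.com": "6299cbdd-ef72-486b-b088-c34181fc20f1",
    "user2@example.com": "3368c22e-08da-446f-a470-1928e58457a2",
}
OWNERS = {  # bucket -> the only user who may access it
    "bucket-for-user-1": "user1@example.com",
    "bucket-for-user-2": "user2@example.com",
}


def user_arn(tenant_id, customer_id, user_id):
    """Build arn:aws:iam::<s3TenantId>:user/<customerId>:<userId>."""
    return f"arn:aws:iam::{tenant_id}:user/{customer_id}:{user_id}"


def deny_policy(bucket, owners, users, tenant_id, customer_id):
    """Return a policy denying every known user except the bucket's owner."""
    owner = owners[bucket]
    if owner not in users:
        raise ValueError(f"owner {owner!r} of {bucket!r} has no userId")
    denied = sorted(user_arn(tenant_id, customer_id, uid)
                    for email, uid in users.items() if email != owner)
    if not denied:
        raise ValueError(f"no other users to deny on {bucket!r}")
    statement = {"Action": "*", "Effect": "Deny", "Resource": "*",
                 "Principal": {"AWS": denied}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def write_policies(owners, users, tenant_id, customer_id, out_dir="."):
    """Write <bucket>-policy.json per bucket; return the written paths."""
    paths = []
    for bucket in sorted(owners):
        policy = deny_policy(bucket, owners, users, tenant_id, customer_id)
        path = Path(out_dir) / f"{bucket}-policy.json"
        path.write_text(json.dumps(policy, indent=2) + "\n")
        paths.append(path)
    return paths


if __name__ == "__main__":
    for p in write_policies(OWNERS, USERS, S3_TENANT_ID, CUSTOMER_ID):
        print(f"wrote {p}")
```

Each generated file is applied with the put-bucket-policy command shown in the steps above.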


How do I remove restrictions for users from a bucket?

By removing the policies, both users will have full access to the buckets again. Run the following commands:

aws --profile eu2 --endpoint-url https://eu2.contabostorage.com s3api delete-bucket-policy --bucket bucket-for-user-1
aws --profile eu2 --endpoint-url https://eu2.contabostorage.com s3api delete-bucket-policy --bucket bucket-for-user-2

Modified on Mon, 23 Sep at 12:16 PM
