How to set up a public read bucket

By default the bucket and all the objects inside it are private. This means they are only accessible to users created for the bucket. A pre-signed URL, like we saw earlier, is handy for securely sharing individual objects on a one-off basis. However, there might be scenarios where you would want to set up a storage bucket to allow public read access to all the objects within. This setup enables anyone to view or download the files, but not modify or delete them.

For example, a public read bucket can be useful for hosting website assets, such as images and videos, that need to be publicly accessible for the website to function correctly yet should not be altered or deleted by the public.

This level of access is achieved by assigning a specific policy to the bucket. The steps outlined below describe how to set it up.

Creating a bucket

aws s3api create-bucket --bucket {bucket-name} --profile={profile}

aws s3api create-bucket --bucket publicread --profile=objectstorage-v2

This creates a new Object Storage bucket named publicread using a profile named objectstorage-v2. This step can be skipped if you plan on using an existing bucket.

Adding a policy

aws s3api put-bucket-policy --bucket {bucket-name} --policy file://{path-of-policy-file} --profile={profile}

aws s3api put-bucket-policy --bucket publicread --policy file://public-read-policy.json --profile=objectstorage-v2

This sets a policy for the publicread bucket, where the policy is defined in a file named public-read-policy.json - the content of which can be found below. Be sure to create the file if it doesn’t already exist.

Policy Content

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadForNewObjects",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::publicread/*"
    }
  ]
}

The public-read-policy.json file contains a single statement that allows any user (Principal: "*") to perform the s3:GetObject action. This action permits users to retrieve objects from the publicread bucket. The "Resource": "arn:aws:s3:::publicread/*" line specifies that this permission applies to all objects within the publicread bucket.

The Sid (statement ID) is an optional field, and its main purpose is to give a unique identifier to individual policy statements. It helps when you’ve got multiple statements in a single policy and you want to easily distinguish between them. For example, if you’re looking through logs or debugging, the Sid can help you quickly identify which part of the policy is doing what.
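
Before applying a policy with Principal "*", it is worth confirming that the file grants the public nothing beyond reading objects in the intended bucket. The Python check below is an added example, not part of the original documentation or the provider's tooling; the function names and the over-permissive sample policy are constructed for illustration.

```python
import json

# Constructed sample inputs: the policy from this page, and a deliberately
# over-permissive variant (hypothetical) to show what the check reports.
PAGE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicReadForNewObjects", "Effect": "Allow",
                 "Principal": "*", "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::publicread/*"}]
}"""
BROAD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "TooBroad", "Effect": "Allow", "Principal": {"AWS": "*"},
                 "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                 "Resource": ["arn:aws:s3:::publicread", "arn:aws:s3:::publicread/*"]}]
}"""

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    # "*" and {"AWS": "*"} both grant access to anonymous callers.
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return principal == "*"

def audit_public_read_policy(policy_text, bucket):
    """Return findings for public Allow statements that exceed object read."""
    object_prefix = f"arn:aws:s3:::{bucket}/"
    findings = []
    statements = _as_list(json.loads(policy_text).get("Statement", []))
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue
        label = stmt.get("Sid", f"statement[{index}]")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{label}: NotAction/NotResource with a public principal")
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() != "s3:getobject":
                findings.append(f"{label}: public principal may call {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if not resource.startswith(object_prefix):
                findings.append(f"{label}: public access to {resource}")
    return findings

if __name__ == "__main__":
    for name, text in (("page policy", PAGE_POLICY), ("broad policy", BROAD_POLICY)):
        print(name, audit_public_read_policy(text, "publicread") or "OK")
```

An empty result means every statement open to the public is limited to s3:GetObject on objects in the named bucket; wildcard actions such as s3:* or s3:Get* are reported because they cover more than object reads.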

Uploading files

aws s3 cp {path-of-file-to-upload} s3://{bucket-name} --profile={profile}

aws s3 cp bucket.jpg s3://publicread --profile=objectstorage-v2

This uploads a file named bucket.jpg from the current directory to the publicread bucket using the objectstorage-v2 profile. Once uploaded, due to the policy set earlier, this file is publicly readable at a URL in either of the forms below:

https://{endpoint}/{bucket-name}/{object}, or

https://{bucket-name}.{endpoint}/{object}

https://jifb2.upcloudobjects.com/publicread/bucket.jpg, or

https://publicread.jifb2.upcloudobjects.com/bucket.jpg