Skip to content

Object Storage - add support for whitelist ips #8269

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 4 commits into
base: develop
Choose a base branch
from
Open

Object Storage - add support for whitelist ips #8269

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
7ffeb0c
Update guide.en-gb.md
lason-ovh Aug 11, 2025
9030e05
Update guide.fr-fr.md
lason-ovh Aug 11, 2025
dce1f93
Proofreading & duplication
Y0Coss Aug 13, 2025
995e281
minor update FR versions
benchbzh Aug 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
91 changes: 90 additions & 1 deletion ...rage_and_backup/object_storage/s3_identity_and_access_management/guide.de-de.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
---
title: Object Storage - Identitäts- und Zugriffsverwaltung (EN)
excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources
updated: 2025-03-21
updated: 2025-08-25
---

## Objective
Expand Down Expand Up @@ -120,6 +120,24 @@ Some examples of JSON configuration files:
}
```

**Deny listing of all buckets owned by the parent account**

> [!primary]
>
> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation.
>

```json
{
"Statement":[{
"Sid": "DenyListBucket",
"Effect": "Deny",
"Action":["s3:ListAllMyBuckets"],
"Resource":["*"]
}]
}
```

**Allow all operations on all project resources**

```json
Expand All @@ -146,6 +164,76 @@ Some examples of JSON configuration files:
}
```


**Allow read access to objects only to specific IPs**

```json
{
"Statement": {
"Sid": "ExampleStatement01",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws:s3:::companybucket/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": "10.0.0.5/16"
}
}
}
}
```

**Allow all operations to specific IPs by whitelisting authorized IPs**

```json
{
"Statement": {
"Sid": "ExampleStatement01",
"Effect": "Deny",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::companybucket",
"arn:aws:s3:::companybucket/*"
],
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "10.0.0.5/16"
}
}
}
}
```

**Deny read access to objects to specific IPs by blacklisting unauthorized IPs**

```json
{
"Statement": {
"Sid": "ExampleStatement01",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws:s3:::companybucket/*"
],
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "10.0.0.5/16"
}
}
}
}
```

### List of supported actions

| Action | Scope |
Expand Down Expand Up @@ -176,6 +264,7 @@ Some examples of JSON configuration files:
| s3:GetObjectRetention | Object |
| s3:GetObjectTagging | Object |
| s3:GetReplicationConfiguration | Bucket |
| s3:ListAllMyBuckets | Bucket |
| s3:ListBucket | Bucket |
| s3:ListBucketMultipartUploads | Bucket |
| s3:ListMultipartUploadParts | Object |
Expand Down
91 changes: 90 additions & 1 deletion ...ge_and_backup/object_storage/s3_identity_and_access_management/guide.en-asia.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
---
title: Object Storage - Identity and access management
excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources
updated: 2025-03-21
updated: 2025-08-25
---

## Objective
Expand Down Expand Up @@ -120,6 +120,24 @@ Some examples of JSON configuration files:
}
```

**Deny listing of all buckets owned by the parent account**

> [!primary]
>
> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation.
>

```json
{
"Statement":[{
"Sid": "DenyListBucket",
"Effect": "Deny",
"Action":["s3:ListAllMyBuckets"],
"Resource":["*"]
}]
}
```

**Allow all operations on all project resources**

```json
Expand All @@ -146,6 +164,76 @@ Some examples of JSON configuration files:
}
```


**Allow read access to objects only to specific IPs**

```json
{
"Statement": {
"Sid": "ExampleStatement01",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws:s3:::companybucket/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": "10.0.0.5/16"
}
}
}
}
```

**Allow all operations to specific IPs by whitelisting authorized IPs**

```json
{
"Statement": {
"Sid": "ExampleStatement01",
"Effect": "Deny",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::companybucket",
"arn:aws:s3:::companybucket/*"
],
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "10.0.0.5/16"
}
}
}
}
```

**Deny read access to objects to specific IPs by blacklisting unauthorized IPs**

```json
{
"Statement": {
"Sid": "ExampleStatement01",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws:s3:::companybucket/*"
],
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "10.0.0.5/16"
}
}
}
}
```

### List of supported actions

| Action | Scope |
Expand Down Expand Up @@ -176,6 +264,7 @@ Some examples of JSON configuration files:
| s3:GetObjectRetention | Object |
| s3:GetObjectTagging | Object |
| s3:GetReplicationConfiguration | Bucket |
| s3:ListAllMyBuckets | Bucket |
| s3:ListBucket | Bucket |
| s3:ListBucketMultipartUploads | Bucket |
| s3:ListMultipartUploadParts | Object |
Expand Down
91 changes: 90 additions & 1 deletion ...rage_and_backup/object_storage/s3_identity_and_access_management/guide.en-au.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
---
title: Object Storage - Identity and access management
excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources
updated: 2025-03-21
updated: 2025-08-25
---

## Objective
Expand Down Expand Up @@ -120,6 +120,24 @@ Some examples of JSON configuration files:
}
```

**Deny listing of all buckets owned by the parent account**

> [!primary]
>
> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation.
>

```json
{
"Statement":[{
"Sid": "DenyListBucket",
"Effect": "Deny",
"Action":["s3:ListAllMyBuckets"],
"Resource":["*"]
}]
}
```

**Allow all operations on all project resources**

```json
Expand All @@ -146,6 +164,76 @@ Some examples of JSON configuration files:
}
```


**Allow read access to objects only to specific IPs**

```json
{
"Statement": {
"Sid": "ExampleStatement01",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws:s3:::companybucket/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": "10.0.0.5/16"
}
}
}
}
```

**Allow all operations to specific IPs by whitelisting authorized IPs**

```json
{
"Statement": {
"Sid": "ExampleStatement01",
"Effect": "Deny",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::companybucket",
"arn:aws:s3:::companybucket/*"
],
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "10.0.0.5/16"
}
}
}
}
```

**Deny read access to objects to specific IPs by blacklisting unauthorized IPs**

```json
{
"Statement": {
"Sid": "ExampleStatement01",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws:s3:::companybucket/*"
],
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "10.0.0.5/16"
}
}
}
}
```

### List of supported actions

| Action | Scope |
Expand Down Expand Up @@ -176,6 +264,7 @@ Some examples of JSON configuration files:
| s3:GetObjectRetention | Object |
| s3:GetObjectTagging | Object |
| s3:GetReplicationConfiguration | Bucket |
| s3:ListAllMyBuckets | Bucket |
| s3:ListBucket | Bucket |
| s3:ListBucketMultipartUploads | Bucket |
| s3:ListMultipartUploadParts | Object |
Expand Down
Loading