Re: radosgw - how to grant read-only access to another user by default

For those who responded to me directly with some helpful tips, thank you!

I thought I'd answer my own question here, since it might be useful to others. I actually did not find useful examples, but maybe I was not looking for the right things...

First off, s3cmd kept giving me HTTP 405 errors. But Minio Client (https://docs.min.io/docs/minio-client-quickstart-guide.html) worked great for me.

I took the following steps to figure out how policies are set:
1. Create a bucket, then make it public ACL so it'll have a policy set
2. Retrieve the JSON policy
3. Modify the JSON file
4. Apply the policy to some other bucket if desired.

So my example below uses Minio Client and is as follows:
# Set a bucket to "public" ACL - which means rw for anyone
$ mc policy set public bbox-sre-rw/public
# Then retrieve the policy
$ mc policy get-json bbox-sre-rw/public > policy.json


Modify the JSON file - remove Delete access and dangerous stuff:
{
 "Statement": [
  {
   "Action": [
    "s3:GetBucketLocation",
    "s3:ListBucket",
    "s3:ListBucketMultipartUploads"
   ],
   "Effect": "Allow",
   "Principal": {
    "AWS": [
     "*"
    ]
   },
   "Resource": [
    "arn:aws:s3:::public"
   ],
   "Sid": ""
  },
  {
   "Action": [
    "s3:GetObject",
    "s3:ListMultipartUploadParts"
   ],
   "Effect": "Allow",
   "Principal": {
    "AWS": [
     "*"
    ]
   },
   "Resource": [
    "arn:aws:s3:::public/*"
   ],
   "Sid": ""
  }
 ],
 "Version": "2012-10-17"
}

Apply the JSON policy to bucket:
$ mc policy set-json policy.json bbox-sre-rw/public

Then you can anonymously fetch an arbitrary file from the bucket:
$ curl http://<s3 bucket url>/public/hosts.txt

But DELETE is denied:
$ curl -s -X DELETE http://<s3 bucket url>/public/hosts.txt
<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><BucketName>public</BucketName><RequestId>tx000000000000000000007-005ef13363-1b9e1-dc1</RequestId><HostId>1b9e1-...</HostId></Error>
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
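The post's procedure (pull the policy of a "public" bucket, strip the write and delete actions by hand, push the result back) can be done mechanically, which avoids forgetting an action or a wildcard. The Python below is an added example and is not from the post or from the Ceph or MinIO projects. It keeps exactly the five read actions the post's policy keeps, expands wildcards such as "s3:*" against that read set instead of leaving them in, keeps Deny statements, and drops statements with nothing left to allow. It also shows two things a practitioner would want beyond the post: a check that reports any non-read grant left in a policy, and a variant that replaces the anonymous "*" principal with a single radosgw user, which is what the thread's subject ("another user") actually asked for. Assumptions: the sample input (constructed here, shaped like the `mc policy get-json` output of a public bucket, with a guessed write-side action list), the user name "alice", and the `arn:aws:iam::<tenant>:user/<uid>` principal form described in Ceph's bucket policy documentation.

```python
import copy
import fnmatch
import json

# Bucket-level and object-level read actions: the same set the post's
# hand-edited read-only policy keeps.
BUCKET_READ_ACTIONS = ("s3:GetBucketLocation", "s3:ListBucket",
                       "s3:ListBucketMultipartUploads")
OBJECT_READ_ACTIONS = ("s3:GetObject", "s3:ListMultipartUploadParts")
READ_ACTIONS = frozenset(BUCKET_READ_ACTIONS + OBJECT_READ_ACTIONS)

# Constructed sample input, shaped like `mc policy get-json` output for a
# bucket set to "public" (rw for anyone). Assumption: the write-side action
# list below; the exact list mc emits may differ.
PUBLIC_RW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "", "Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": list(BUCKET_READ_ACTIONS),
         "Resource": ["arn:aws:s3:::public"]},
        {"Sid": "", "Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": ["s3:AbortMultipartUpload", "s3:DeleteObject",
                    "s3:GetObject", "s3:ListMultipartUploadParts",
                    "s3:PutObject"],
         "Resource": ["arn:aws:s3:::public/*"]},
    ],
}


def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _read_set_for(resources):
    # Object actions for ARNs that name keys (contain '/'), bucket actions
    # for ARNs that name only the bucket.
    allowed = set()
    for arn in _as_list(resources):
        name = arn.split(":::", 1)[-1]
        allowed.update(OBJECT_READ_ACTIONS if "/" in name else BUCKET_READ_ACTIONS)
    return allowed


def make_read_only(policy):
    """Copy of policy where every Allow statement grants only read actions.
    Wildcard patterns (e.g. "s3:*") are expanded against the read set rather
    than kept; Deny statements are preserved; empty Allows are dropped."""
    out = {"Version": policy.get("Version", "2012-10-17"), "Statement": []}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            out["Statement"].append(copy.deepcopy(stmt))
            continue
        patterns = _as_list(stmt["Action"])
        kept = sorted(a for a in _read_set_for(stmt.get("Resource", []))
                      if any(fnmatch.fnmatchcase(a, p) for p in patterns))
        if not kept:
            continue
        new_stmt = copy.deepcopy(stmt)
        new_stmt["Action"] = kept
        out["Statement"].append(new_stmt)
    return out


def non_read_grants(policy):
    """Action patterns granted by Allow statements that are not exact read
    actions. Wildcards count, since they match writes. [] means read-only."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            found.update(p for p in _as_list(stmt["Action"]) if p not in READ_ACTIONS)
    return sorted(found)


def restrict_principal(policy, uid, tenant=""):
    """Copy of policy with every statement's principal set to one radosgw
    user. Assumption: the arn:aws:iam::<tenant>:user/<uid> form from Ceph's
    bucket policy docs; tenant stays empty for users without a tenant."""
    out = copy.deepcopy(policy)
    principal = "arn:aws:iam::%s:user/%s" % (tenant, uid)
    for stmt in out["Statement"]:
        stmt["Principal"] = {"AWS": [principal]}
    return out


def render(policy):
    # JSON text in the layout `mc policy set-json` accepts.
    return json.dumps(policy, indent=1, sort_keys=True)
```

Write `render(make_read_only(PUBLIC_RW_POLICY))` to policy.json and apply it with `mc policy set-json policy.json <alias>/<bucket>` as in the post; run `non_read_grants()` on whatever `mc policy get-json` returns afterwards to confirm nothing write-capable survived. Two caveats worth keeping in mind: with Principal "*" the read grant is anonymous, so anyone who can reach the gateway gets it, not just "another user", and `s3:ListBucket` lets that anonymous reader enumerate every key in the bucket; drop it from `BUCKET_READ_ACTIONS` if objects should only be fetchable by a known name.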