scaleway.ObjectBucketPolicy
The scaleway.object.BucketPolicy resource allows you to create and manage bucket policies for Scaleway Object Storage.
Refer to the dedicated documentation for more information on Object Storage bucket policies.
Example Usage
Example Usage with an IAM user
import * as pulumi from "@pulumi/pulumi";
import * as scaleway from "@pulumi/scaleway";
import * as scaleway from "@pulumiverse/scaleway";
// Look up the project that the IAM rule below is limited to.
const project = scaleway.account.getProject({
    name: "default",
});
// Look up the existing IAM user who receives access.
const iamUser = scaleway.iam.getUser({
    email: "user@scaleway.com",
});
const iamUserId = iamUser.then(u => u.id);
// IAM side: ObjectStorageFullAccess is a broad permission set. The rule names
// a single project, so the grant is limited to that project.
const policy = new scaleway.iam.Policy("policy", {
    name: "object-storage-policy",
    userId: iamUserId,
    rules: [{
        projectIds: [project.then(p => p.id)],
        permissionSetNames: ["ObjectStorageFullAccess"],
    }],
});
// Bucket side: the bucket and the statement attached to it.
const bucket = new scaleway.object.Bucket("bucket", {name: "some-unique-name"});
const fullAccessStatement = {
    Effect: "Allow",
    // "s3:*" matches every action, including deletes and policy changes.
    // List the individual actions instead when the user needs less than that.
    Action: ["s3:*"],
    Principal: {
        SCW: iamUser.then(u => `user_id:${u.id}`),
    },
    // Two entries: the bucket itself and every object key inside it.
    Resource: [
        bucket.name,
        pulumi.interpolate`${bucket.name}/*`,
    ],
};
// NOTE(review): confirm in the Scaleway bucket-policy documentation how
// principals that are not named in the policy are treated once it is attached.
const policyBucketPolicy = new scaleway.object.BucketPolicy("policy", {
    bucket: bucket.name,
    policy: pulumi.jsonStringify({
        Version: "2023-04-17",
        Id: "MyBucketPolicy",
        Statement: [fullAccessStatement],
    }),
});
import pulumi
import json
import pulumi_scaleway as scaleway
import pulumiverse_scaleway as scaleway
# Resolve the project that the IAM rule below is limited to.
project = scaleway.account.get_project(name="default")
# Resolve the existing IAM user who receives access.
iam_user = scaleway.iam.get_user(email="user@scaleway.com")
# IAM side: ObjectStorageFullAccess is a broad permission set. The rule names
# a single project, so the grant is limited to that project.
iam_rule = {
    "project_ids": [project.id],
    "permission_set_names": ["ObjectStorageFullAccess"],
}
policy = scaleway.iam.Policy("policy",
    name="object-storage-policy",
    user_id=iam_user.id,
    rules=[iam_rule])
# Bucket side: the bucket and the policy document attached to it.
bucket = scaleway.object.Bucket("bucket", name="some-unique-name")
objects_in_bucket = bucket.name.apply(lambda name: f"{name}/*")
policy_document = {
    "Version": "2023-04-17",
    "Id": "MyBucketPolicy",
    "Statement": [{
        "Effect": "Allow",
        # "s3:*" matches every action, including deletes and policy changes.
        # List the individual actions instead when the user needs less.
        "Action": ["s3:*"],
        "Principal": {
            "SCW": f"user_id:{iam_user.id}",
        },
        # Two entries: the bucket itself and every object key inside it.
        "Resource": [bucket.name, objects_in_bucket],
    }],
}
# NOTE(review): confirm in the Scaleway bucket-policy documentation how
# principals that are not named in the policy are treated once it is attached.
policy_bucket_policy = scaleway.object.BucketPolicy("policy",
    bucket=bucket.name,
    policy=pulumi.Output.json_dumps(policy_document))
package main
import (
	"encoding/json"
	"fmt"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumiverse/pulumi-scaleway/sdk/go/scaleway/account"
	"github.com/pulumiverse/pulumi-scaleway/sdk/go/scaleway/iam"
	"github.com/pulumiverse/pulumi-scaleway/sdk/go/scaleway/object"
)
func main() {
	// Declares an IAM policy for an existing user, a bucket, and a bucket
	// policy that lets that user run any action on the bucket and its objects.
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Project that the IAM rule is limited to.
		project, err := account.LookupProject(ctx, &account.LookupProjectArgs{
			Name: pulumi.StringRef("default"),
		}, nil)
		if err != nil {
			return err
		}
		// Existing IAM user who receives access.
		iamUser, err := iam.LookupUser(ctx, &iam.LookupUserArgs{
			Email: pulumi.StringRef("user@scaleway.com"),
		}, nil)
		if err != nil {
			return err
		}
		// IAM side: ObjectStorageFullAccess is a broad permission set. The rule
		// names a single project, so the grant is limited to that project.
		iamRule := &iam.PolicyRuleArgs{
			ProjectIds: pulumi.StringArray{
				pulumi.String(project.Id),
			},
			PermissionSetNames: pulumi.StringArray{
				pulumi.String("ObjectStorageFullAccess"),
			},
		}
		if _, err := iam.NewPolicy(ctx, "policy", &iam.PolicyArgs{
			Name:   pulumi.String("object-storage-policy"),
			UserId: pulumi.String(iamUser.Id),
			Rules:  iam.PolicyRuleArray{iamRule},
		}); err != nil {
			return err
		}
		// Bucket side: the bucket and the policy document attached to it.
		bucket, err := object.NewBucket(ctx, "bucket", &object.BucketArgs{
			Name: pulumi.String("some-unique-name"),
		})
		if err != nil {
			return err
		}
		// The bucket name is only known at deploy time, so the JSON document is
		// rendered inside ApplyT once the name has resolved.
		policyJSON := bucket.Name.ApplyT(func(name string) (string, error) {
			statement := map[string]interface{}{
				"Effect": "Allow",
				// "s3:*" matches every action, including deletes and policy
				// changes. List individual actions when the user needs less.
				"Action": []string{
					"s3:*",
				},
				"Principal": map[string]interface{}{
					"SCW": fmt.Sprintf("user_id:%v", iamUser.Id),
				},
				// The bucket itself and every object key inside it.
				"Resource": []string{
					name,
					fmt.Sprintf("%v/*", name),
				},
			}
			encoded, err := json.Marshal(map[string]interface{}{
				"Version":   "2023-04-17",
				"Id":        "MyBucketPolicy",
				"Statement": []map[string]interface{}{statement},
			})
			if err != nil {
				return "", err
			}
			return string(encoded), nil
		}).(pulumi.StringOutput)
		// NOTE(review): confirm in the Scaleway bucket-policy documentation how
		// principals not named in the policy are treated once it is attached.
		_, err = object.NewBucketPolicy(ctx, "policy", &object.BucketPolicyArgs{
			Bucket: bucket.Name,
			Policy: policyJSON,
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Scaleway = Pulumi.Scaleway;
using Scaleway = Pulumiverse.Scaleway;
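return await Deployment.RunAsync(() => 
{
    // Project that the IAM rule below is limited to.
    var @default = Scaleway.Account.GetProject.Invoke(new()
    {
        Name = "default",
    });
    // Existing IAM user who receives access.
    var user = Scaleway.Iam.GetUser.Invoke(new()
    {
        Email = "user@scaleway.com",
    });
    // IAM side: ObjectStorageFullAccess is a broad permission set. The rule
    // names a single project, so the grant is limited to that project.
    var policy = new Scaleway.Iam.Policy("policy", new()
    {
        Name = "object-storage-policy",
        UserId = user.Apply(getUserResult => getUserResult.Id),
        Rules = new[]
        {
            new Scaleway.Iam.Inputs.PolicyRuleArgs
            {
                ProjectIds = new[]
                {
                    // One Apply is enough: inside the lambda the value is the
                    // plain lookup result, which has no Apply of its own.
                    @default.Apply(getProjectResult => getProjectResult.Id),
                },
                PermissionSetNames = new[]
                {
                    "ObjectStorageFullAccess",
                },
            },
        },
    });
    // Bucket side: the bucket and the policy document attached to it.
    var bucket = new Scaleway.Object.Bucket("bucket", new()
    {
        Name = "some-unique-name",
    });
    // NOTE(review): confirm in the Scaleway bucket-policy documentation how
    // principals not named in the policy are treated once it is attached.
    var policyBucketPolicy = new Scaleway.Object.BucketPolicy("policy", new()
    {
        Bucket = bucket.Name,
        Policy = Output.JsonSerialize(Output.Create(new Dictionary<string, object?>
        {
            ["Version"] = "2023-04-17",
            ["Id"] = "MyBucketPolicy",
            ["Statement"] = new[]
            {
                new Dictionary<string, object?>
                {
                    ["Effect"] = "Allow",
                    // "s3:*" matches every action, including deletes and policy
                    // changes. List individual actions when the user needs less.
                    ["Action"] = new[]
                    {
                        "s3:*",
                    },
                    ["Principal"] = new Dictionary<string, object?>
                    {
                        // Build the string inside Apply. Interpolating the Output
                        // itself would embed the Output object's text, not the id,
                        // and the principal would match no user.
                        ["SCW"] = user.Apply(getUserResult => $"user_id:{getUserResult.Id}"),
                    },
                    // The bucket itself and every object key inside it.
                    ["Resource"] = new[]
                    {
                        bucket.Name,
                        bucket.Name.Apply(name => $"{name}/*"),
                    },
                },
            },
        })),
    });
});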
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.scaleway.account.AccountFunctions;
import com.pulumi.scaleway.account.inputs.GetProjectArgs;
import com.pulumi.scaleway.iam.IamFunctions;
import com.pulumi.scaleway.iam.inputs.GetUserArgs;
import com.pulumi.scaleway.iam.Policy;
import com.pulumi.scaleway.iam.PolicyArgs;
import com.pulumi.scaleway.iam.inputs.PolicyRuleArgs;
import com.pulumi.scaleway.object.Bucket;
import com.pulumi.scaleway.object.BucketArgs;
import com.pulumi.scaleway.object.BucketPolicy;
import com.pulumi.scaleway.object.BucketPolicyArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
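public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares an IAM policy for an existing user, a bucket, and a bucket
     * policy that lets that user run any action on the bucket and its objects.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        // Project that the IAM rule is limited to. "default" is a reserved word
        // in Java, so the variable carries a trailing underscore.
        final var default_ = AccountFunctions.getProject(GetProjectArgs.builder()
            .name("default")
            .build());
        // Existing IAM user who receives access.
        final var user = IamFunctions.getUser(GetUserArgs.builder()
            .email("user@scaleway.com")
            .build());
        // IAM side: ObjectStorageFullAccess is a broad permission set. The rule
        // names a single project, so the grant is limited to that project.
        var policy = new Policy("policy", PolicyArgs.builder()
            .name("object-storage-policy")
            .userId(user.applyValue(getUserResult -> getUserResult.id()))
            .rules(PolicyRuleArgs.builder()
                // The lookup result is an Output, so the id is read inside applyValue.
                .projectIds(default_.applyValue(getProjectResult -> List.of(getProjectResult.id())))
                .permissionSetNames("ObjectStorageFullAccess")
                .build())
            .build());
        // Bucket side: the bucket and the policy document attached to it.
        var bucket = new Bucket("bucket", BucketArgs.builder()
            .name("some-unique-name")
            .build());
        // NOTE(review): confirm in the Scaleway bucket-policy documentation how
        // principals not named in the policy are treated once it is attached.
        var policyBucketPolicy = new BucketPolicy("policyBucketPolicy", BucketPolicyArgs.builder()
            .bucket(bucket.name())
            // The user lookup is resolved together with the bucket name, so the
            // principal string is formatted from the real id. Formatting the
            // Output object itself would produce a principal that matches no user.
            .policy(Output.tuple(user, bucket.name()).applyValue(values -> {
                var userResult = values.t1;
                var bucketName = values.t2;
                return serializeJson(
                    jsonObject(
                        jsonProperty("Version", "2023-04-17"),
                        jsonProperty("Id", "MyBucketPolicy"),
                        jsonProperty("Statement", jsonArray(jsonObject(
                            jsonProperty("Effect", "Allow"),
                            // "s3:*" matches every action, including deletes and
                            // policy changes. List individual actions when less is needed.
                            jsonProperty("Action", jsonArray("s3:*")),
                            jsonProperty("Principal", jsonObject(
                                jsonProperty("SCW", String.format("user_id:%s", userResult.id()))
                            )),
                            // The bucket itself and every object key inside it.
                            jsonProperty("Resource", jsonArray(
                                bucketName, 
                                String.format("%s/*", bucketName)
                            ))
                        )))
                    ));
            }))
            .build());
    }
}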
resources:
  # IAM policy attached to the looked-up user. ObjectStorageFullAccess is a
  # broad permission set; the rule limits it to the single project below.
  policy:
    type: scaleway:iam:Policy
    properties:
      name: object-storage-policy
      userId: ${user.id}
      rules:
        - projectIds:
            - ${default.id}
          permissionSetNames:
            - ObjectStorageFullAccess
  # Object storage configuration
  bucket:
    type: scaleway:object:Bucket
    properties:
      name: some-unique-name
  # Bucket policy that allows the same user on this bucket.
  # NOTE(review): confirm in the Scaleway bucket-policy documentation how
  # principals not named in the policy are treated once it is attached.
  policyBucketPolicy:
    type: scaleway:object:BucketPolicy
    name: policy
    properties:
      bucket: ${bucket.name}
      policy:
        fn::toJSON:
          # NOTE(review): this unquoted scalar looks like a date; quote it if the
          # rendered policy does not carry the literal string 2023-04-17.
          Version: 2023-04-17
          Id: MyBucketPolicy
          Statement:
            - Effect: Allow
              # s3:* matches every action, including deletes and policy changes.
              # List the individual actions instead when the user needs less.
              Action:
                - s3:*
              Principal:
                SCW: user_id:${user.id}
              # The bucket itself and every object key inside it.
              Resource:
                - ${bucket.name}
                - ${bucket.name}/*
variables:
  # Project ID
  default:
    fn::invoke:
      function: scaleway:account:getProject
      arguments:
        name: default
  # IAM configuration
  user:
    fn::invoke:
      function: scaleway:iam:getUser
      arguments:
        email: user@scaleway.com
Example with an IAM application
Creating a bucket and delegating read access to an application
import * as pulumi from "@pulumi/pulumi";
import * as scaleway from "@pulumi/scaleway";
import * as scaleway from "@pulumiverse/scaleway";
// Look up the project that the IAM rule below is limited to.
const project = scaleway.account.getProject({
    name: "default",
});
// IAM side: a dedicated application identity that only gets read permissions.
const readingApp = new scaleway.iam.Application("reading-app", {name: "reading-app"});
const policy = new scaleway.iam.Policy("policy", {
    name: "object-storage-policy",
    applicationId: readingApp.id,
    rules: [{
        projectIds: [project.then(p => p.id)],
        permissionSetNames: ["ObjectStorageBucketsRead"],
    }],
});
// Bucket side: the bucket and the read-only statement attached to it.
const bucket = new scaleway.object.Bucket("bucket", {name: "some-unique-name"});
const readOnlyStatement = {
    Sid: "Delegate read access",
    Effect: "Allow",
    Principal: {
        SCW: pulumi.interpolate`application_id:${readingApp.id}`,
    },
    // Only listing and downloading are allowed; there is no write or delete
    // action, so this principal cannot modify the bucket contents.
    Action: [
        "s3:ListBucket",
        "s3:GetObject",
    ],
    // The bucket itself (for listing) and every object key inside it.
    Resource: [
        bucket.name,
        pulumi.interpolate`${bucket.name}/*`,
    ],
};
const policyBucketPolicy = new scaleway.object.BucketPolicy("policy", {
    bucket: bucket.id,
    policy: pulumi.jsonStringify({
        Version: "2023-04-17",
        Statement: [readOnlyStatement],
    }),
});
import pulumi
import json
import pulumi_scaleway as scaleway
import pulumiverse_scaleway as scaleway
# Resolve the project that the IAM rule below is limited to.
project = scaleway.account.get_project(name="default")
# IAM side: a dedicated application identity that only gets read permissions.
reader = scaleway.iam.Application("reading-app", name="reading-app")
iam_rule = {
    "project_ids": [project.id],
    "permission_set_names": ["ObjectStorageBucketsRead"],
}
policy = scaleway.iam.Policy("policy",
    name="object-storage-policy",
    application_id=reader.id,
    rules=[iam_rule])
# Bucket side: the bucket and the read-only policy document attached to it.
bucket = scaleway.object.Bucket("bucket", name="some-unique-name")
reader_principal = reader.id.apply(lambda id: f"application_id:{id}")
objects_in_bucket = bucket.name.apply(lambda name: f"{name}/*")
policy_document = {
    "Version": "2023-04-17",
    "Statement": [{
        "Sid": "Delegate read access",
        "Effect": "Allow",
        "Principal": {
            "SCW": reader_principal,
        },
        # Only listing and downloading are allowed; there is no write or
        # delete action, so this principal cannot modify the bucket contents.
        "Action": [
            "s3:ListBucket",
            "s3:GetObject",
        ],
        # The bucket itself (for listing) and every object key inside it.
        "Resource": [bucket.name, objects_in_bucket],
    }],
}
policy_bucket_policy = scaleway.object.BucketPolicy("policy",
    bucket=bucket.id,
    policy=pulumi.Output.json_dumps(policy_document))
package main
import (
	"encoding/json"
	"fmt"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumiverse/pulumi-scaleway/sdk/go/scaleway/account"
	"github.com/pulumiverse/pulumi-scaleway/sdk/go/scaleway/iam"
	"github.com/pulumiverse/pulumi-scaleway/sdk/go/scaleway/object"
)
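func main() {
	// Declares an IAM application with read-only Object Storage permissions,
	// a bucket, and a bucket policy that lets the application list the bucket
	// and download its objects.
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Project that the IAM rule is limited to.
		_default, err := account.LookupProject(ctx, &account.LookupProjectArgs{
			Name: pulumi.StringRef("default"),
		}, nil)
		if err != nil {
			return err
		}
		// IAM side: a dedicated application identity that only gets read permissions.
		readingApp, err := iam.NewApplication(ctx, "reading-app", &iam.ApplicationArgs{
			Name: pulumi.String("reading-app"),
		})
		if err != nil {
			return err
		}
		_, err = iam.NewPolicy(ctx, "policy", &iam.PolicyArgs{
			Name:          pulumi.String("object-storage-policy"),
			ApplicationId: readingApp.ID(),
			Rules: iam.PolicyRuleArray{
				&iam.PolicyRuleArgs{
					ProjectIds: pulumi.StringArray{
						pulumi.String(_default.Id),
					},
					PermissionSetNames: pulumi.StringArray{
						pulumi.String("ObjectStorageBucketsRead"),
					},
				},
			},
		})
		if err != nil {
			return err
		}
		// Bucket side: the bucket and the read-only policy document attached to it.
		bucket, err := object.NewBucket(ctx, "bucket", &object.BucketArgs{
			Name: pulumi.String("some-unique-name"),
		})
		if err != nil {
			return err
		}
		_, err = object.NewBucketPolicy(ctx, "policy", &object.BucketPolicyArgs{
			Bucket: bucket.ID(),
			// ID() resolves to a pulumi.ID, not a string, so it is converted with
			// ToStringOutput() first. Asserting the raw ID value as a string
			// inside the callback would fail at deploy time.
			Policy: pulumi.All(readingApp.ID().ToStringOutput(), bucket.Name).ApplyT(func(_args []interface{}) (string, error) {
				id := _args[0].(string)
				bucketName := _args[1].(string)
				tmpJSON0, err := json.Marshal(map[string]interface{}{
					"Version": "2023-04-17",
					"Statement": []map[string]interface{}{
						map[string]interface{}{
							"Sid":    "Delegate read access",
							"Effect": "Allow",
							"Principal": map[string]interface{}{
								"SCW": fmt.Sprintf("application_id:%v", id),
							},
							// Only listing and downloading are allowed; there is
							// no write or delete action in this statement.
							"Action": []string{
								"s3:ListBucket",
								"s3:GetObject",
							},
							// The bucket itself (for listing) and every object key inside it.
							"Resource": []string{
								bucketName,
								fmt.Sprintf("%v/*", bucketName),
							},
						},
					},
				})
				if err != nil {
					return "", err
				}
				return string(tmpJSON0), nil
			}).(pulumi.StringOutput),
		})
		if err != nil {
			return err
		}
		return nil
	})
}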
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Scaleway = Pulumi.Scaleway;
using Scaleway = Pulumiverse.Scaleway;
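return await Deployment.RunAsync(() => 
{
    // Project that the IAM rule below is limited to.
    var @default = Scaleway.Account.GetProject.Invoke(new()
    {
        Name = "default",
    });
    // IAM side: a dedicated application identity that only gets read permissions.
    var reading_app = new Scaleway.Iam.Application("reading-app", new()
    {
        Name = "reading-app",
    });
    var policy = new Scaleway.Iam.Policy("policy", new()
    {
        Name = "object-storage-policy",
        ApplicationId = reading_app.Id,
        Rules = new[]
        {
            new Scaleway.Iam.Inputs.PolicyRuleArgs
            {
                ProjectIds = new[]
                {
                    // One Apply is enough: inside the lambda the value is the
                    // plain lookup result, which has no Apply of its own.
                    @default.Apply(getProjectResult => getProjectResult.Id),
                },
                PermissionSetNames = new[]
                {
                    "ObjectStorageBucketsRead",
                },
            },
        },
    });
    // Bucket side: the bucket and the read-only policy document attached to it.
    var bucket = new Scaleway.Object.Bucket("bucket", new()
    {
        Name = "some-unique-name",
    });
    var policyBucketPolicy = new Scaleway.Object.BucketPolicy("policy", new()
    {
        Bucket = bucket.Id,
        Policy = Output.JsonSerialize(Output.Create(new Dictionary<string, object?>
        {
            ["Version"] = "2023-04-17",
            ["Statement"] = new[]
            {
                new Dictionary<string, object?>
                {
                    ["Sid"] = "Delegate read access",
                    ["Effect"] = "Allow",
                    ["Principal"] = new Dictionary<string, object?>
                    {
                        ["SCW"] = reading_app.Id.Apply(id => $"application_id:{id}"),
                    },
                    // Only listing and downloading are allowed; there is no
                    // write or delete action in this statement.
                    ["Action"] = new[]
                    {
                        "s3:ListBucket",
                        "s3:GetObject",
                    },
                    // The bucket itself (for listing) and every object key inside it.
                    ["Resource"] = new[]
                    {
                        bucket.Name,
                        bucket.Name.Apply(name => $"{name}/*"),
                    },
                },
            },
        })),
    });
});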
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.scaleway.account.AccountFunctions;
import com.pulumi.scaleway.account.inputs.GetProjectArgs;
import com.pulumi.scaleway.iam.Application;
import com.pulumi.scaleway.iam.ApplicationArgs;
import com.pulumi.scaleway.iam.Policy;
import com.pulumi.scaleway.iam.PolicyArgs;
import com.pulumi.scaleway.iam.inputs.PolicyRuleArgs;
import com.pulumi.scaleway.object.Bucket;
import com.pulumi.scaleway.object.BucketArgs;
import com.pulumi.scaleway.object.BucketPolicy;
import com.pulumi.scaleway.object.BucketPolicyArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
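public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares an IAM application with read-only Object Storage permissions,
     * a bucket, and a bucket policy that lets the application list the bucket
     * and download its objects.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        // Project that the IAM rule is limited to. "default" is a reserved word
        // in Java, so the variable carries a trailing underscore.
        final var default_ = AccountFunctions.getProject(GetProjectArgs.builder()
            .name("default")
            .build());
        // IAM side: a dedicated application identity that only gets read permissions.
        var reading_app = new Application("reading-app", ApplicationArgs.builder()
            .name("reading-app")
            .build());
        var policy = new Policy("policy", PolicyArgs.builder()
            .name("object-storage-policy")
            .applicationId(reading_app.id())
            .rules(PolicyRuleArgs.builder()
                // The lookup result is an Output, so the id is read inside applyValue.
                .projectIds(default_.applyValue(getProjectResult -> List.of(getProjectResult.id())))
                .permissionSetNames("ObjectStorageBucketsRead")
                .build())
            .build());
        // Bucket side: the bucket and the read-only policy document attached to it.
        var bucket = new Bucket("bucket", BucketArgs.builder()
            .name("some-unique-name")
            .build());
        var policyBucketPolicy = new BucketPolicy("policyBucketPolicy", BucketPolicyArgs.builder()
            .bucket(bucket.id())
            .policy(Output.tuple(reading_app.id(), bucket.name()).applyValue(values -> {
                var id = values.t1;
                var bucketName = values.t2;
                return serializeJson(
                    jsonObject(
                        jsonProperty("Version", "2023-04-17"),
                        jsonProperty("Statement", jsonArray(jsonObject(
                            jsonProperty("Sid", "Delegate read access"),
                            jsonProperty("Effect", "Allow"),
                            jsonProperty("Principal", jsonObject(
                                jsonProperty("SCW", String.format("application_id:%s", id))
                            )),
                            // Only listing and downloading are allowed; there is
                            // no write or delete action in this statement.
                            jsonProperty("Action", jsonArray(
                                "s3:ListBucket", 
                                "s3:GetObject"
                            )),
                            // The bucket itself (for listing) and every object key inside it.
                            jsonProperty("Resource", jsonArray(
                                bucketName, 
                                String.format("%s/*", bucketName)
                            ))
                        )))
                    ));
            }))
            .build());
    }
}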
resources:
  # IAM configuration
  # A dedicated application identity that only gets read permissions.
  reading-app:
    type: scaleway:iam:Application
    properties:
      name: reading-app
  # IAM policy for the application, limited to the single project below.
  policy:
    type: scaleway:iam:Policy
    properties:
      name: object-storage-policy
      applicationId: ${["reading-app"].id}
      rules:
        - projectIds:
            - ${default.id}
          permissionSetNames:
            - ObjectStorageBucketsRead
  # Object storage configuration
  bucket:
    type: scaleway:object:Bucket
    properties:
      name: some-unique-name
  # Bucket policy that names the application as the only principal.
  policyBucketPolicy:
    type: scaleway:object:BucketPolicy
    name: policy
    properties:
      bucket: ${bucket.id}
      policy:
        fn::toJSON:
          # NOTE(review): this unquoted scalar looks like a date; quote it if the
          # rendered policy does not carry the literal string 2023-04-17.
          Version: 2023-04-17
          Statement:
            - Sid: Delegate read access
              Effect: Allow
              Principal:
                SCW: application_id:${["reading-app"].id}
              # Only listing and downloading are allowed; there is no write or
              # delete action in this statement.
              Action:
                - s3:ListBucket
                - s3:GetObject
              # The bucket itself (for listing) and every object key inside it.
              Resource:
                - ${bucket.name}
                - ${bucket.name}/*
variables:
  # Project ID
  default:
    fn::invoke:
      function: scaleway:account:getProject
      arguments:
        name: default
Reading the bucket with the application
import * as pulumi from "@pulumi/pulumi";
import * as scaleway from "@pulumi/scaleway";
import * as scaleway from "@pulumiverse/scaleway";
// Look up the application that the bucket policy names as principal.
const readingApp = scaleway.iam.getApplication({name: "reading-app"});
const readingAppId = readingApp.then(app => app.id);
// The API key is a credential for that application. Its generated secret is
// recorded with the resource in the stack state, so the state backend needs
// the same protection as the key itself.
const readingApiKey = new scaleway.iam.ApiKey("reading-api-key", {
    applicationId: readingAppId,
});
// Look up the bucket the application is allowed to read.
const bucket = scaleway.object.getBucket({name: "some-unique-name"});
import pulumi
import pulumi_scaleway as scaleway
import pulumiverse_scaleway as scaleway
# Look up the application that the bucket policy names as principal.
reader = scaleway.iam.get_application(name="reading-app")
# The API key is a credential for that application. Its generated secret is
# recorded with the resource in the stack state, so the state backend needs
# the same protection as the key itself.
reading_api_key = scaleway.iam.ApiKey(
    "reading-api-key",
    application_id=reader.id,
)
# Look up the bucket the application is allowed to read.
bucket = scaleway.object.get_bucket(name="some-unique-name")
package main
import (
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumiverse/pulumi-scaleway/sdk/go/scaleway/iam"
	"github.com/pulumiverse/pulumi-scaleway/sdk/go/scaleway/object"
)
func main() {
	// Issues an API key for the existing "reading-app" application and looks
	// up the bucket that application is allowed to read.
	pulumi.Run(func(ctx *pulumi.Context) error {
		readingApp, err := iam.LookupApplication(ctx, &iam.LookupApplicationArgs{
			Name: pulumi.StringRef("reading-app"),
		}, nil)
		if err != nil {
			return err
		}
		// The API key is a credential for that application. Its generated
		// secret is recorded with the resource in the stack state, so the state
		// backend needs the same protection as the key itself.
		keyArgs := &iam.ApiKeyArgs{
			ApplicationId: pulumi.String(readingApp.Id),
		}
		if _, err := iam.NewApiKey(ctx, "reading-api-key", keyArgs); err != nil {
			return err
		}
		// Only the lookup error matters here; the bucket result is not used.
		_, err = object.LookupBucket(ctx, &object.LookupBucketArgs{
			Name: pulumi.StringRef("some-unique-name"),
		}, nil)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Scaleway = Pulumi.Scaleway;
using Scaleway = Pulumiverse.Scaleway;
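return await Deployment.RunAsync(() => 
{
    // Look up the application that the bucket policy names as principal.
    var reading_app = Scaleway.Iam.GetApplication.Invoke(new()
    {
        Name = "reading-app",
    });
    // The API key is a credential for that application. Its generated secret is
    // recorded with the resource in the stack state, so the state backend needs
    // the same protection as the key itself.
    var reading_api_key = new Scaleway.Iam.ApiKey("reading-api-key", new()
    {
        // One Apply is enough: inside the lambda the value is the plain lookup
        // result, which has no Apply of its own.
        ApplicationId = reading_app.Apply(getApplicationResult => getApplicationResult.Id),
    });
    // Look up the bucket the application is allowed to read.
    var bucket = Scaleway.Object.GetBucket.Invoke(new()
    {
        Name = "some-unique-name",
    });
});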
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.scaleway.iam.IamFunctions;
import com.pulumi.scaleway.iam.inputs.GetApplicationArgs;
import com.pulumi.scaleway.iam.ApiKey;
import com.pulumi.scaleway.iam.ApiKeyArgs;
import com.pulumi.scaleway.object.ObjectFunctions;
import com.pulumi.scaleway.object.inputs.GetBucketArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
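public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Issues an API key for the existing "reading-app" application and looks
     * up the bucket that application is allowed to read.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        // A hyphen is not legal in a Java identifier, so the variable uses the
        // same underscore spelling as the reference below.
        final var reading_app = IamFunctions.getApplication(GetApplicationArgs.builder()
            .name("reading-app")
            .build());
        // The API key is a credential for that application. Its generated secret
        // is recorded with the resource in the stack state, so the state backend
        // needs the same protection as the key itself.
        var reading_api_key = new ApiKey("reading-api-key", ApiKeyArgs.builder()
            // The lookup result is an Output, so the id is read inside applyValue.
            .applicationId(reading_app.applyValue(getApplicationResult -> getApplicationResult.id()))
            .build());
        // Look up the bucket the application is allowed to read.
        final var bucket = ObjectFunctions.getBucket(GetBucketArgs.builder()
            .name("some-unique-name")
            .build());
    }
}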
resources:
  # API key for the looked-up application. The key is a credential: its
  # generated secret is recorded with the resource in the stack state, so the
  # state backend needs the same protection as the key itself.
  reading-api-key:
    type: scaleway:iam:ApiKey
    properties:
      applicationId: ${["reading-app"].id}
variables:
  # Existing application that the bucket policy names as principal.
  reading-app:
    fn::invoke:
      function: scaleway:iam:getApplication
      arguments:
        name: reading-app
  # Existing bucket the application is allowed to read.
  bucket:
    fn::invoke:
      function: scaleway:object:getBucket
      arguments:
        name: some-unique-name
Example with AWS provider
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as scaleway from "@pulumi/scaleway";
import * as scaleway from "@pulumiverse/scaleway";
// Look up the Scaleway project that is named as principal below.
const project = scaleway.account.getProject({
    name: "default",
});
// Bucket that receives the policy.
const bucket = new scaleway.object.Bucket("bucket", {name: "some-unique-name"});
// The AWS provider's policy-document data source is used here only to render
// the JSON document; the result is attached to the Scaleway bucket.
const delegateStatement = {
    sid: "Delegate access",
    effect: "Allow",
    principals: [{
        type: "SCW",
        // NOTE(review): a project_id principal is wider than a single user or
        // application; confirm which identities it covers before reusing it.
        identifiers: [project.then(p => `project_id:${p.id}`)],
    }],
    // Listing only: this statement does not allow reading object contents.
    actions: ["s3:ListBucket"],
    resources: [
        bucket.name,
        pulumi.interpolate`${bucket.name}/*`,
    ],
};
const policy = aws.iam.getPolicyDocumentOutput({
    version: "2012-10-17",
    statements: [delegateStatement],
});
const main = new scaleway.object.BucketPolicy("main", {
    bucket: bucket.id,
    policy: policy.apply(doc => doc.json),
});
import pulumi
import pulumi_aws as aws
import pulumi_scaleway as scaleway
import pulumiverse_scaleway as scaleway
# Resolve the Scaleway project that is named as principal below.
project = scaleway.account.get_project(name="default")
# Bucket that receives the policy.
bucket = scaleway.object.Bucket("bucket", name="some-unique-name")
objects_in_bucket = bucket.name.apply(lambda name: f"{name}/*")
# The AWS provider's policy-document data source is used here only to render
# the JSON document; the result is attached to the Scaleway bucket.
delegate_statement = {
    "sid": "Delegate access",
    "effect": "Allow",
    "principals": [{
        "type": "SCW",
        # NOTE(review): a project_id principal is wider than a single user or
        # application; confirm which identities it covers before reusing it.
        "identifiers": [f"project_id:{project.id}"],
    }],
    # Listing only: this statement does not allow reading object contents.
    "actions": ["s3:ListBucket"],
    "resources": [bucket.name, objects_in_bucket],
}
policy = aws.iam.get_policy_document_output(version="2012-10-17",
    statements=[delegate_statement])
main = scaleway.object.BucketPolicy("main",
    bucket=bucket.id,
    policy=policy.json)
package main
import (
	"fmt"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumiverse/pulumi-scaleway/sdk/go/scaleway/account"
	"github.com/pulumiverse/pulumi-scaleway/sdk/go/scaleway/object"
)
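func main() {
	// Renders a bucket policy with the AWS provider's policy-document data
	// source and attaches the resulting JSON to a Scaleway bucket.
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Scaleway project that is named as principal below.
		_default, err := account.LookupProject(ctx, &account.LookupProjectArgs{
			Name: pulumi.StringRef("default"),
		}, nil)
		if err != nil {
			return err
		}
		// Bucket that receives the policy.
		bucket, err := object.NewBucket(ctx, "bucket", &object.BucketArgs{
			Name: pulumi.String("some-unique-name"),
		})
		if err != nil {
			return err
		}
		// AWS data source, used here only to render the JSON document.
		policy := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
			Version: pulumi.String("2012-10-17"),
			Statements: iam.GetPolicyDocumentStatementArray{
				&iam.GetPolicyDocumentStatementArgs{
					Sid:    pulumi.String("Delegate access"),
					Effect: pulumi.String("Allow"),
					Principals: iam.GetPolicyDocumentStatementPrincipalArray{
						&iam.GetPolicyDocumentStatementPrincipalArgs{
							Type: pulumi.String("SCW"),
							// NOTE(review): a project_id principal is wider than a
							// single user or application; confirm which identities
							// it covers before reusing it.
							Identifiers: pulumi.StringArray{
								pulumi.Sprintf("project_id:%v", _default.Id),
							},
						},
					},
					// Listing only: this statement does not allow reading object contents.
					Actions: pulumi.StringArray{
						pulumi.String("s3:ListBucket"),
					},
					Resources: pulumi.StringArray{
						bucket.Name,
						bucket.Name.ApplyT(func(name string) (string, error) {
							return fmt.Sprintf("%v/*", name), nil
						}).(pulumi.StringOutput),
					},
				},
			},
		}, nil)
		_, err = object.NewBucketPolicy(ctx, "main", &object.BucketPolicyArgs{
			Bucket: bucket.ID(),
			// Json() exposes the rendered document as a StringOutput. Wrapping an
			// Output in pulumi.String(...) is not a valid conversion.
			Policy: policy.Json(),
		})
		if err != nil {
			return err
		}
		return nil
	})
}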
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
using Scaleway = Pulumi.Scaleway;
using Scaleway = Pulumiverse.Scaleway;
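return await Deployment.RunAsync(() => 
{
    // Scaleway project that is named as principal below.
    var @default = Scaleway.Account.GetProject.Invoke(new()
    {
        Name = "default",
    });
    // Bucket that receives the policy.
    var bucket = new Scaleway.Object.Bucket("bucket", new()
    {
        Name = "some-unique-name",
    });
    // AWS data source, used here only to render the JSON document.
    var policy = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Version = "2012-10-17",
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Sid = "Delegate access",
                Effect = "Allow",
                Principals = new[]
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                    {
                        Type = "SCW",
                        // NOTE(review): a project_id principal is wider than a
                        // single user or application; confirm which identities
                        // it covers before reusing it.
                        Identifiers = new[]
                        {
                            // Build the string inside Apply. Interpolating the
                            // Output itself would embed the Output object's text
                            // instead of the project id.
                            @default.Apply(getProjectResult => $"project_id:{getProjectResult.Id}"),
                        },
                    },
                },
                // Listing only: this statement does not allow reading object contents.
                Actions = new[]
                {
                    "s3:ListBucket",
                },
                Resources = new[]
                {
                    bucket.Name,
                    // Same reason as above: the "/*" suffix is appended once the
                    // bucket name has resolved.
                    bucket.Name.Apply(name => $"{name}/*"),
                },
            },
        },
    });
    var main = new Scaleway.Object.BucketPolicy("main", new()
    {
        Bucket = bucket.Id,
        Policy = policy.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
    });
});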
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.scaleway.account.AccountFunctions;
import com.pulumi.scaleway.account.inputs.GetProjectArgs;
import com.pulumi.scaleway.object.Bucket;
import com.pulumi.scaleway.object.BucketArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.scaleway.object.BucketPolicy;
import com.pulumi.scaleway.object.BucketPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
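public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a bucket and attaches a bucket policy whose JSON is rendered by
     * the AWS provider's policy-document function.
     *
     * The single statement allows s3:ListBucket to one Scaleway project
     * principal, on the bucket and on every object key under it.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        // Scaleway project ID. `default` is a reserved word in Java, so the
        // variable is declared as default_, the name the rest of the method uses.
        final var default_ = AccountFunctions.getProject(GetProjectArgs.builder()
            .name("default")
            .build());
        // Object storage configuration
        var bucket = new Bucket("bucket", BucketArgs.builder()
            .name("some-unique-name")
            .build());
        // AWS data source, used here only to render the policy JSON.
        final var policy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .version("2012-10-17")
            .statements(GetPolicyDocumentStatementArgs.builder()
                .sid("Delegate access")
                .effect("Allow")
                .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                    .type("SCW")
                    // The project lookup is an Output in the Pulumi Java SDK, so
                    // the ID is read inside applyValue; formatting the Output
                    // itself would not put the resolved ID into the principal.
                    .identifiers(default_.applyValue(project ->
                        List.of(String.format("project_id:%s", project.id()))))
                    .build())
                // Only bucket listing is allowed by this statement.
                .actions("s3:ListBucket")
                // The bucket itself and every object key under it, built from
                // the resolved bucket name as one list.
                .resources(bucket.name().applyValue(name ->
                    List.of(name, String.format("%s/*", name))))
                .build())
            .build());
        // Attach the rendered document to the bucket.
        var main = new BucketPolicy("main", BucketPolicyArgs.builder()
            .bucket(bucket.id())
            .policy(policy.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());
    }
}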
# Declares a bucket and a bucket policy whose JSON is rendered by the AWS
# provider's getPolicyDocument function.
resources:
  # Object storage configuration
  bucket:
    type: scaleway:object:Bucket
    properties:
      name: some-unique-name
  # Bucket policy: attaches the rendered document to the bucket above.
  main:
    type: scaleway:object:BucketPolicy
    properties:
      bucket: ${bucket.id}
      policy: ${policy.json}
variables:
  # Scaleway project ID
  default:
    fn::invoke:
      function: scaleway:account:getProject
      arguments:
        name: default
  # AWS data source
  policy:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        # NOTE(review): unquoted, so a YAML parser may type this value as a
        # date rather than a string; confirm the rendered policy carries the
        # literal version string.
        version: 2012-10-17
        statements:
          # One Allow statement, limited to listing the bucket.
          - sid: Delegate access
            effect: Allow
            principals:
              # The grant names a single project ID as the principal.
              - type: SCW
                identifiers:
                  - project_id:${default.id}
            actions:
              - s3:ListBucket
            resources:
              # The bucket itself and every object key under it.
              - ${bucket.name}
              - ${bucket.name}/*
Example with deprecated version 2012-10-17
import * as pulumi from "@pulumi/pulumi";
import * as scaleway from "@pulumi/scaleway";
import * as scaleway from "@pulumiverse/scaleway";
// Look up the project named "default"; its ID identifies the policy principal.
const _default = scaleway.account.getProject({ name: "default" });

// Bucket the policy is attached to.
const bucket = new scaleway.object.Bucket("bucket", {
    name: "mia-cross-crash-tests",
    region: "fr-par",
});

// Single Allow statement: two read-only actions, granted to one project
// principal, on the bucket and on every object key under it.
const statement = {
    Effect: "Allow",
    Action: ["s3:ListBucket", "s3:GetObjectTagging"],
    Principal: {
        SCW: _default.then(project => `project_id:${project.id}`),
    },
    Resource: [bucket.name, pulumi.interpolate`${bucket.name}/*`],
};

// Policy document in the "2012-10-17" version that this example is labelled
// as deprecated for; jsonStringify resolves the nested outputs before encoding.
const policyDocument = pulumi.jsonStringify({
    Version: "2012-10-17",
    Statement: [statement],
});

const policy = new scaleway.object.BucketPolicy("policy", {
    bucket: bucket.name,
    policy: policyDocument,
});
import pulumi
import json
import pulumi_scaleway as scaleway
import pulumiverse_scaleway as scaleway
# Look up the project named "default"; its ID identifies the policy principal.
default = scaleway.account.get_project(name="default")

# Bucket the policy is attached to.
bucket = scaleway.object.Bucket(
    "bucket",
    name="mia-cross-crash-tests",
    region="fr-par",
)

# Single Allow statement: two read-only actions, granted to one project
# principal, on the bucket and on every object key under it.
statement = {
    "Effect": "Allow",
    "Action": ["s3:ListBucket", "s3:GetObjectTagging"],
    "Principal": {"SCW": f"project_id:{default.id}"},
    "Resource": [
        bucket.name,
        pulumi.Output.concat(bucket.name, "/*"),
    ],
}

# Policy document in the "2012-10-17" version that this example is labelled
# as deprecated for; json_dumps resolves the nested outputs before encoding.
policy_document = pulumi.Output.json_dumps({
    "Version": "2012-10-17",
    "Statement": [statement],
})

policy = scaleway.object.BucketPolicy(
    "policy",
    bucket=bucket.name,
    policy=policy_document,
)
package main
import (
	"encoding/json"
	"fmt"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumiverse/pulumi-scaleway/sdk/go/scaleway/account"
	"github.com/pulumiverse/pulumi-scaleway/sdk/go/scaleway/object"
)
// main declares a bucket and attaches a bucket policy that allows two
// read-only actions to a single project principal.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Resolve the project named "default"; its ID identifies the policy principal.
		project, err := account.LookupProject(ctx, &account.LookupProjectArgs{
			Name: pulumi.StringRef("default"),
		}, nil)
		if err != nil {
			return err
		}

		// Bucket the policy is attached to.
		bucket, err := object.NewBucket(ctx, "bucket", &object.BucketArgs{
			Name:   pulumi.String("mia-cross-crash-tests"),
			Region: pulumi.String("fr-par"),
		})
		if err != nil {
			return err
		}

		// Render the policy JSON once the bucket name is known.
		policyJSON := bucket.Name.ApplyT(func(name string) (string, error) {
			// Single Allow statement covering the bucket and every object key under it.
			statement := map[string]interface{}{
				"Effect": "Allow",
				"Action": []string{
					"s3:ListBucket",
					"s3:GetObjectTagging",
				},
				"Principal": map[string]interface{}{
					"SCW": fmt.Sprintf("project_id:%v", project.Id),
				},
				"Resource": []string{
					name,
					fmt.Sprintf("%v/*", name),
				},
			}
			encoded, err := json.Marshal(map[string]interface{}{
				"Version":   "2012-10-17",
				"Statement": []map[string]interface{}{statement},
			})
			if err != nil {
				return "", err
			}
			return string(encoded), nil
		}).(pulumi.StringOutput)

		// Attach the rendered document to the bucket.
		_, err = object.NewBucketPolicy(ctx, "policy", &object.BucketPolicyArgs{
			Bucket: bucket.Name,
			Policy: policyJSON,
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Scaleway = Pulumi.Scaleway;
using Scaleway = Pulumiverse.Scaleway;
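return await Deployment.RunAsync(() => 
{
    // Project ID, looked up from the project named "default".
    var @default = Scaleway.Account.GetProject.Invoke(new()
    {
        Name = "default",
    });

    // Object storage configuration
    var bucket = new Scaleway.Object.Bucket("bucket", new()
    {
        Name = "mia-cross-crash-tests",
        Region = "fr-par",
    });

    // Bucket policy in the "2012-10-17" version that this example is labelled
    // as deprecated for. One Allow statement grants two read-only actions to a
    // single project principal, on the bucket and on every object key under it.
    var policy = new Scaleway.Object.BucketPolicy("policy", new()
    {
        Bucket = bucket.Name,
        Policy = Output.JsonSerialize(Output.Create(new Dictionary<string, object?>
        {
            ["Version"] = "2012-10-17",
            ["Statement"] = new[]
            {
                new Dictionary<string, object?>
                {
                    ["Effect"] = "Allow",
                    ["Action"] = new[]
                    {
                        "s3:ListBucket",
                        "s3:GetObjectTagging",
                    },
                    ["Principal"] = new Dictionary<string, object?>
                    {
                        // Inside Apply the argument is the resolved lookup
                        // result, so its Id is read directly. Calling Apply on
                        // it again and interpolating that Output would not put
                        // the project ID into the principal string.
                        ["SCW"] = @default.Apply(project => $"project_id:{project.Id}"),
                    },
                    ["Resource"] = new[]
                    {
                        bucket.Name,
                        bucket.Name.Apply(name => $"{name}/*"),
                    },
                },
            },
        })),
    });
});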
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.scaleway.account.AccountFunctions;
import com.pulumi.scaleway.account.inputs.GetProjectArgs;
import com.pulumi.scaleway.object.Bucket;
import com.pulumi.scaleway.object.BucketArgs;
import com.pulumi.scaleway.object.BucketPolicy;
import com.pulumi.scaleway.object.BucketPolicyArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
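public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a bucket and attaches a bucket policy written in the
     * "2012-10-17" version that this example is labelled as deprecated for.
     *
     * The single statement allows s3:ListBucket and s3:GetObjectTagging to one
     * Scaleway project principal, on the bucket and on every object key under it.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        // Project ID. `default` is a reserved word in Java, so the variable is
        // declared as default_.
        final var default_ = AccountFunctions.getProject(GetProjectArgs.builder()
            .name("default")
            .build());
        // Object storage configuration
        var bucket = new Bucket("bucket", BucketArgs.builder()
            .name("mia-cross-crash-tests")
            .region("fr-par")
            .build());
        // The bucket name and the project ID are both Outputs, so they are
        // combined and the JSON is built only once both have resolved.
        // Formatting the Output itself would not put the resolved project ID
        // into the principal.
        var projectId = default_.applyValue(project -> project.id());
        var policy = new BucketPolicy("policy", BucketPolicyArgs.builder()
            .bucket(bucket.name())
            .policy(Output.tuple(bucket.name(), projectId).applyValue(values -> {
                var bucketName = values.t1;
                var resolvedProjectId = values.t2;
                return serializeJson(
                    jsonObject(
                        jsonProperty("Version", "2012-10-17"),
                        jsonProperty("Statement", jsonArray(jsonObject(
                            jsonProperty("Effect", "Allow"),
                            jsonProperty("Action", jsonArray(
                                "s3:ListBucket", 
                                "s3:GetObjectTagging"
                            )),
                            jsonProperty("Principal", jsonObject(
                                jsonProperty("SCW", String.format("project_id:%s", resolvedProjectId))
                            )),
                            jsonProperty("Resource", jsonArray(
                                bucketName, 
                                String.format("%s/*", bucketName)
                            ))
                        )))
                    ));
            }))
            .build());
    }
}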
# Declares a bucket and an inline bucket policy in the "2012-10-17" version
# that this example is labelled as deprecated for.
resources:
  # Object storage configuration
  bucket:
    type: scaleway:object:Bucket
    properties:
      name: mia-cross-crash-tests
      region: fr-par
  # Bucket policy, serialized to JSON from the mapping below.
  policy:
    type: scaleway:object:BucketPolicy
    properties:
      bucket: ${bucket.name}
      policy:
        fn::toJSON:
          # NOTE(review): unquoted, so a YAML parser may type this value as a
          # date rather than a string; confirm the serialized policy carries
          # the literal version string.
          Version: 2012-10-17
          Statement:
            # One Allow statement with two read-only actions.
            - Effect: Allow
              Action:
                - s3:ListBucket
                - s3:GetObjectTagging
              # The grant names a single project ID as the principal.
              Principal:
                SCW: project_id:${default.id}
              # The bucket itself and every object key under it.
              Resource:
                - ${bucket.name}
                - ${bucket.name}/*
variables:
  # Project ID
  default:
    fn::invoke:
      function: scaleway:account:getProject
      arguments:
        name: default
NB: To configure the AWS provider with Scaleway credentials, refer to the dedicated documentation.
Create ObjectBucketPolicy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new ObjectBucketPolicy(name: string, args: ObjectBucketPolicyArgs, opts?: CustomResourceOptions);
@overload
def ObjectBucketPolicy(resource_name: str,
                       args: ObjectBucketPolicyArgs,
                       opts: Optional[ResourceOptions] = None)
@overload
def ObjectBucketPolicy(resource_name: str,
                       opts: Optional[ResourceOptions] = None,
                       bucket: Optional[str] = None,
                       policy: Optional[str] = None,
                       project_id: Optional[str] = None,
                       region: Optional[str] = None)
func NewObjectBucketPolicy(ctx *Context, name string, args ObjectBucketPolicyArgs, opts ...ResourceOption) (*ObjectBucketPolicy, error)
public ObjectBucketPolicy(string name, ObjectBucketPolicyArgs args, CustomResourceOptions? opts = null)
public ObjectBucketPolicy(String name, ObjectBucketPolicyArgs args)
public ObjectBucketPolicy(String name, ObjectBucketPolicyArgs args, CustomResourceOptions options)
type: scaleway:ObjectBucketPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
 - The unique name of the resource.
 - args ObjectBucketPolicyArgs
 - The arguments to resource properties.
 - opts CustomResourceOptions
 - Bag of options to control resource's behavior.
 
- resource_name str
 - The unique name of the resource.
 - args ObjectBucketPolicyArgs
 - The arguments to resource properties.
 - opts ResourceOptions
 - Bag of options to control resource's behavior.
 
- ctx Context
 - Context object for the current deployment.
 - name string
 - The unique name of the resource.
 - args ObjectBucketPolicyArgs
 - The arguments to resource properties.
 - opts ResourceOption
 - Bag of options to control resource's behavior.
 
- name string
 - The unique name of the resource.
 - args ObjectBucketPolicyArgs
 - The arguments to resource properties.
 - opts CustomResourceOptions
 - Bag of options to control resource's behavior.
 
- name String
 - The unique name of the resource.
 - args ObjectBucketPolicyArgs
 - The arguments to resource properties.
 - options CustomResourceOptions
 - Bag of options to control resource's behavior.
 
ObjectBucketPolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The ObjectBucketPolicy resource accepts the following input properties:
- bucket str
 - The bucket's name or regional ID.
 - policy str
 - The text of the policy.
 - project_id str
 - The project_id you want to attach the resource to
 - region str
 - The Scaleway region this bucket resides in.
 
Outputs
All input properties are implicitly available as output properties. Additionally, the ObjectBucketPolicy resource produces the following output properties:
- Id string
 - The provider-assigned unique ID for this managed resource.
 
- Id string
 - The provider-assigned unique ID for this managed resource.
 
- id String
 - The provider-assigned unique ID for this managed resource.
 
- id string
 - The provider-assigned unique ID for this managed resource.
 
- id str
 - The provider-assigned unique ID for this managed resource.
 
- id String
 - The provider-assigned unique ID for this managed resource.
 
Look up Existing ObjectBucketPolicy Resource
Get an existing ObjectBucketPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ObjectBucketPolicyState, opts?: CustomResourceOptions): ObjectBucketPolicy
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        bucket: Optional[str] = None,
        policy: Optional[str] = None,
        project_id: Optional[str] = None,
        region: Optional[str] = None) -> ObjectBucketPolicy
func GetObjectBucketPolicy(ctx *Context, name string, id IDInput, state *ObjectBucketPolicyState, opts ...ResourceOption) (*ObjectBucketPolicy, error)
public static ObjectBucketPolicy Get(string name, Input<string> id, ObjectBucketPolicyState? state, CustomResourceOptions? opts = null)
public static ObjectBucketPolicy get(String name, Output<String> id, ObjectBucketPolicyState state, CustomResourceOptions options)
resources:
  _:
    type: scaleway:ObjectBucketPolicy
    get:
      id: ${id}
- name
 - The unique name of the resulting resource.
 - id
 - The unique provider ID of the resource to lookup.
 - state
 - Any extra arguments used during the lookup.
 - opts
 - A bag of options that control this resource's behavior.
 
- resource_name
 - The unique name of the resulting resource.
 - id
 - The unique provider ID of the resource to lookup.
 
- name
 - The unique name of the resulting resource.
 - id
 - The unique provider ID of the resource to lookup.
 - state
 - Any extra arguments used during the lookup.
 - opts
 - A bag of options that control this resource's behavior.
 
- name
 - The unique name of the resulting resource.
 - id
 - The unique provider ID of the resource to lookup.
 - state
 - Any extra arguments used during the lookup.
 - opts
 - A bag of options that control this resource's behavior.
 
- name
 - The unique name of the resulting resource.
 - id
 - The unique provider ID of the resource to lookup.
 - state
 - Any extra arguments used during the lookup.
 - opts
 - A bag of options that control this resource's behavior.
 
- bucket str
 - The bucket's name or regional ID.
 - policy str
 - The text of the policy.
 - project_id str
 - The project_id you want to attach the resource to
 - region str
 - The Scaleway region this bucket resides in.
 
Import
Bucket policies can be imported using the {region}/{bucketName} identifier, as shown below:
bash
$ pulumi import scaleway:index/objectBucketPolicy:ObjectBucketPolicy some_bucket fr-par/some-bucket
Important: The project_id attribute has a particular behavior with s3 products because the s3 API is scoped by project.
If you are using a project different from the default one, you have to specify the project ID at the end of the import command.
bash
$ pulumi import scaleway:index/objectBucketPolicy:ObjectBucketPolicy some_bucket fr-par/some-bucket@xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
 - scaleway pulumiverse/pulumi-scaleway
 - License
 - Apache-2.0
 - Notes
 - This Pulumi package is based on the scaleway Terraform Provider.