Docs Home
Scaleway v1.26.0 published on Friday, Mar 28, 2025 by pulumiverse
scaleway.object.BucketPolicy
Explore with Pulumi AI
- Example Usage
- Example Usage with an IAM user
- Example with an IAM application
- Creating a bucket and delegating read access to an application
- Reading the bucket with the application
- Example with AWS provider
- Example with deprecated version 2012-10-17
- Create BucketPolicy Resource
- Constructor syntax
- Constructor example
- BucketPolicy Resource Properties
- Inputs
- Outputs
- Look up Existing BucketPolicy Resource
- Import
- Package Details
The scaleway.object.BucketPolicy resource allows you to create and manage bucket policies for Scaleway Object storage.
Refer to the dedicated documentation for more information on Object Storage bucket policies.
Example Usage
Example Usage with an IAM user
import * as pulumi from "@pulumi/pulumi";
import * as scaleway from "@pulumi/scaleway";
import * as scaleway from "@pulumiverse/scaleway";
// Project ID
const _default = scaleway.account.getProject({
name: "default",
});
// IAM configuration
const user = scaleway.iam.getUser({
email: "user@scaleway.com",
});
const policy = new scaleway.iam.Policy("policy", {
name: "object-storage-policy",
userId: user.then(user => user.id),
rules: [{
projectIds: [_default.then(_default => _default.id)],
permissionSetNames: ["ObjectStorageFullAccess"],
}],
});
// Object storage configuration
const bucket = new scaleway.object.Bucket("bucket", {name: "some-unique-name"});
const policyBucketPolicy = new scaleway.object.BucketPolicy("policy", {
bucket: bucket.name,
policy: pulumi.jsonStringify({
Version: "2023-04-17",
Id: "MyBucketPolicy",
Statement: [{
Effect: "Allow",
Action: ["s3:*"],
Principal: {
SCW: user.then(user => `user_id:${user.id}`),
},
Resource: [
bucket.name,
pulumi.interpolate`${bucket.name}/*`,
],
}],
}),
});
import pulumi
import json
import pulumi_scaleway as scaleway
import pulumiverse_scaleway as scaleway
# Project ID
default = scaleway.account.get_project(name="default")
# IAM configuration
user = scaleway.iam.get_user(email="user@scaleway.com")
policy = scaleway.iam.Policy("policy",
name="object-storage-policy",
user_id=user.id,
rules=[{
"project_ids": [default.id],
"permission_set_names": ["ObjectStorageFullAccess"],
}])
# Object storage configuration
bucket = scaleway.object.Bucket("bucket", name="some-unique-name")
policy_bucket_policy = scaleway.object.BucketPolicy("policy",
bucket=bucket.name,
policy=pulumi.Output.json_dumps({
"Version": "2023-04-17",
"Id": "MyBucketPolicy",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:*"],
"Principal": {
"SCW": f"user_id:{user.id}",
},
"Resource": [
bucket.name,
bucket.name.apply(lambda name: f"{name}/*"),
],
}],
}))
package main
import (
"encoding/json"
"fmt"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumiverse/pulumi-scaleway/sdk/go/scaleway/account"
"github.com/pulumiverse/pulumi-scaleway/sdk/go/scaleway/iam"
"github.com/pulumiverse/pulumi-scaleway/sdk/go/scaleway/object"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
// Project ID
_default, err := account.LookupProject(ctx, &account.LookupProjectArgs{
Name: pulumi.StringRef("default"),
}, nil)
if err != nil {
return err
}
// IAM configuration
user, err := iam.LookupUser(ctx, &iam.LookupUserArgs{
Email: pulumi.StringRef("user@scaleway.com"),
}, nil)
if err != nil {
return err
}
_, err = iam.NewPolicy(ctx, "policy", &iam.PolicyArgs{
Name: pulumi.String("object-storage-policy"),
UserId: pulumi.String(user.Id),
Rules: iam.PolicyRuleArray{
&iam.PolicyRuleArgs{
ProjectIds: pulumi.StringArray{
pulumi.String(_default.Id),
},
PermissionSetNames: pulumi.StringArray{
pulumi.String("ObjectStorageFullAccess"),
},
},
},
})
if err != nil {
return err
}
// Object storage configuration
bucket, err := object.NewBucket(ctx, "bucket", &object.BucketArgs{
Name: pulumi.String("some-unique-name"),
})
if err != nil {
return err
}
_, err = object.NewBucketPolicy(ctx, "policy", &object.BucketPolicyArgs{
Bucket: bucket.Name,
Policy: pulumi.All(bucket.Name, bucket.Name).ApplyT(func(_args []interface{}) (string, error) {
bucketName := _args[0].(string)
bucketName1 := _args[1].(string)
var _zero string
tmpJSON0, err := json.Marshal(map[string]interface{}{
"Version": "2023-04-17",
"Id": "MyBucketPolicy",
"Statement": []map[string]interface{}{
map[string]interface{}{
"Effect": "Allow",
"Action": []string{
"s3:*",
},
"Principal": map[string]interface{}{
"SCW": fmt.Sprintf("user_id:%v", user.Id),
},
"Resource": []string{
bucketName,
fmt.Sprintf("%v/*", bucketName1),
},
},
},
})
if err != nil {
return _zero, err
}
json0 := string(tmpJSON0)
return json0, nil
}).(pulumi.StringOutput),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Scaleway = Pulumi.Scaleway;
using Scaleway = Pulumiverse.Scaleway;
return await Deployment.RunAsync(() =>
{
// Project ID
var @default = Scaleway.Account.GetProject.Invoke(new()
{
Name = "default",
});
// IAM configuration
var user = Scaleway.Iam.GetUser.Invoke(new()
{
Email = "user@scaleway.com",
});
var policy = new Scaleway.Iam.Policy("policy", new()
{
Name = "object-storage-policy",
UserId = user.Apply(getUserResult => getUserResult.Id),
Rules = new[]
{
new Scaleway.Iam.Inputs.PolicyRuleArgs
{
ProjectIds = new[]
{
@default.Apply(@default => @default.Apply(getProjectResult => getProjectResult.Id)),
},
PermissionSetNames = new[]
{
"ObjectStorageFullAccess",
},
},
},
});
// Object storage configuration
var bucket = new Scaleway.Object.Bucket("bucket", new()
{
Name = "some-unique-name",
});
var policyBucketPolicy = new Scaleway.Object.BucketPolicy("policy", new()
{
Bucket = bucket.Name,
Policy = Output.JsonSerialize(Output.Create(new Dictionary<string, object?>
{
["Version"] = "2023-04-17",
["Id"] = "MyBucketPolicy",
["Statement"] = new[]
{
new Dictionary<string, object?>
{
["Effect"] = "Allow",
["Action"] = new[]
{
"s3:*",
},
["Principal"] = new Dictionary<string, object?>
{
["SCW"] = $"user_id:{user.Apply(getUserResult => getUserResult.Id)}",
},
["Resource"] = new[]
{
bucket.Name,
bucket.Name.Apply(name => $"{name}/*"),
},
},
},
})),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.scaleway.account.AccountFunctions;
import com.pulumi.scaleway.account.inputs.GetProjectArgs;
import com.pulumi.scaleway.iam.IamFunctions;
import com.pulumi.scaleway.iam.inputs.GetUserArgs;
import com.pulumi.scaleway.iam.Policy;
import com.pulumi.scaleway.iam.PolicyArgs;
import com.pulumi.scaleway.iam.inputs.PolicyRuleArgs;
import com.pulumi.scaleway.object.Bucket;
import com.pulumi.scaleway.object.BucketArgs;
import com.pulumi.scaleway.object.BucketPolicy;
import com.pulumi.scaleway.object.BucketPolicyArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
// Project ID
final var default = AccountFunctions.getProject(GetProjectArgs.builder()
.name("default")
.build());
// IAM configuration
final var user = IamFunctions.getUser(GetUserArgs.builder()
.email("user@scaleway.com")
.build());
var policy = new Policy("policy", PolicyArgs.builder()
.name("object-storage-policy")
.userId(user.applyValue(getUserResult -> getUserResult.id()))
.rules(PolicyRuleArgs.builder()
.projectIds(default_.id())
.permissionSetNames("ObjectStorageFullAccess")
.build())
.build());
// Object storage configuration
var bucket = new Bucket("bucket", BucketArgs.builder()
.name("some-unique-name")
.build());
var policyBucketPolicy = new BucketPolicy("policyBucketPolicy", BucketPolicyArgs.builder()
.bucket(bucket.name())
.policy(Output.tuple(bucket.name(), bucket.name()).applyValue(values -> {
var bucketName = values.t1;
var bucketName1 = values.t2;
return serializeJson(
jsonObject(
jsonProperty("Version", "2023-04-17"),
jsonProperty("Id", "MyBucketPolicy"),
jsonProperty("Statement", jsonArray(jsonObject(
jsonProperty("Effect", "Allow"),
jsonProperty("Action", jsonArray("s3:*")),
jsonProperty("Principal", jsonObject(
jsonProperty("SCW", String.format("user_id:%s", user.applyValue(getUserResult -> getUserResult.id())))
)),
jsonProperty("Resource", jsonArray(
bucketName,
String.format("%s/*", bucketName1)
))
)))
));
}))
.build());
}
}
resources:
policy:
type: scaleway:iam:Policy
properties:
name: object-storage-policy
userId: ${user.id}
rules:
- projectIds:
- ${default.id}
permissionSetNames:
- ObjectStorageFullAccess
# Object storage configuration
bucket:
type: scaleway:object:Bucket
properties:
name: some-unique-name
policyBucketPolicy:
type: scaleway:object:BucketPolicy
name: policy
properties:
bucket: ${bucket.name}
policy:
fn::toJSON:
Version: 2023-04-17
Id: MyBucketPolicy
Statement:
- Effect: Allow
Action:
- s3:*
Principal:
SCW: user_id:${user.id}
Resource:
- ${bucket.name}
- ${bucket.name}/*
variables:
# Project ID
default:
fn::invoke:
function: scaleway:account:getProject
arguments:
name: default
# IAM configuration
user:
fn::invoke:
function: scaleway:iam:getUser
arguments:
email: user@scaleway.com
Example with an IAM application
Creating a bucket and delegating read access to an application
import * as pulumi from "@pulumi/pulumi";
import * as scaleway from "@pulumi/scaleway";
import * as scaleway from "@pulumiverse/scaleway";
// Project ID
const _default = scaleway.account.getProject({
name: "default",
});
// IAM configuration
const reading_app = new scaleway.iam.Application("reading-app", {name: "reading-app"});
const policy = new scaleway.iam.Policy("policy", {
name: "object-storage-policy",
applicationId: reading_app.id,
rules: [{
projectIds: [_default.then(_default => _default.id)],
permissionSetNames: ["ObjectStorageBucketsRead"],
}],
});
// Object storage configuration
const bucket = new scaleway.object.Bucket("bucket", {name: "some-unique-name"});
const policyBucketPolicy = new scaleway.object.BucketPolicy("policy", {
bucket: bucket.id,
policy: pulumi.jsonStringify({
Version: "2023-04-17",
Statement: [{
Sid: "Delegate read access",
Effect: "Allow",
Principal: {
SCW: pulumi.interpolate`application_id:${reading_app.id}`,
},
Action: [
"s3:ListBucket",
"s3:GetObject",
],
Resource: [
bucket.name,
pulumi.interpolate`${bucket.name}/*`,
],
}],
}),
});
import pulumi
import json
import pulumi_scaleway as scaleway
import pulumiverse_scaleway as scaleway
# Project ID
default = scaleway.account.get_project(name="default")
# IAM configuration
reading_app = scaleway.iam.Application("reading-app", name="reading-app")
policy = scaleway.iam.Policy("policy",
name="object-storage-policy",
application_id=reading_app.id,
rules=[{
"project_ids": [default.id],
"permission_set_names": ["ObjectStorageBucketsRead"],
}])
# Object storage configuration
bucket = scaleway.object.Bucket("bucket", name="some-unique-name")
policy_bucket_policy = scaleway.object.BucketPolicy("policy",
bucket=bucket.id,
policy=pulumi.Output.json_dumps({
"Version": "2023-04-17",
"Statement": [{
"Sid": "Delegate read access",
"Effect": "Allow",
"Principal": {
"SCW": reading_app.id.apply(lambda id: f"application_id:{id}"),
},
"Action": [
"s3:ListBucket",
"s3:GetObject",
],
"Resource": [
bucket.name,
bucket.name.apply(lambda name: f"{name}/*"),
],
}],
}))
package main
import (
"encoding/json"
"fmt"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumiverse/pulumi-scaleway/sdk/go/scaleway/account"
"github.com/pulumiverse/pulumi-scaleway/sdk/go/scaleway/iam"
"github.com/pulumiverse/pulumi-scaleway/sdk/go/scaleway/object"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
// Project ID
_default, err := account.LookupProject(ctx, &account.LookupProjectArgs{
Name: pulumi.StringRef("default"),
}, nil)
if err != nil {
return err
}
// IAM configuration
reading_app, err := iam.NewApplication(ctx, "reading-app", &iam.ApplicationArgs{
Name: pulumi.String("reading-app"),
})
if err != nil {
return err
}
_, err = iam.NewPolicy(ctx, "policy", &iam.PolicyArgs{
Name: pulumi.String("object-storage-policy"),
ApplicationId: reading_app.ID(),
Rules: iam.PolicyRuleArray{
&iam.PolicyRuleArgs{
ProjectIds: pulumi.StringArray{
pulumi.String(_default.Id),
},
PermissionSetNames: pulumi.StringArray{
pulumi.String("ObjectStorageBucketsRead"),
},
},
},
})
if err != nil {
return err
}
// Object storage configuration
bucket, err := object.NewBucket(ctx, "bucket", &object.BucketArgs{
Name: pulumi.String("some-unique-name"),
})
if err != nil {
return err
}
_, err = object.NewBucketPolicy(ctx, "policy", &object.BucketPolicyArgs{
Bucket: bucket.ID(),
Policy: pulumi.All(reading_app.ID(), bucket.Name, bucket.Name).ApplyT(func(_args []interface{}) (string, error) {
id := _args[0].(string)
bucketName := _args[1].(string)
bucketName1 := _args[2].(string)
var _zero string
tmpJSON0, err := json.Marshal(map[string]interface{}{
"Version": "2023-04-17",
"Statement": []map[string]interface{}{
map[string]interface{}{
"Sid": "Delegate read access",
"Effect": "Allow",
"Principal": map[string]interface{}{
"SCW": fmt.Sprintf("application_id:%v", id),
},
"Action": []string{
"s3:ListBucket",
"s3:GetObject",
},
"Resource": []string{
bucketName,
fmt.Sprintf("%v/*", bucketName1),
},
},
},
})
if err != nil {
return _zero, err
}
json0 := string(tmpJSON0)
return json0, nil
}).(pulumi.StringOutput),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Scaleway = Pulumi.Scaleway;
using Scaleway = Pulumiverse.Scaleway;
return await Deployment.RunAsync(() =>
{
// Project ID
var @default = Scaleway.Account.GetProject.Invoke(new()
{
Name = "default",
});
// IAM configuration
var reading_app = new Scaleway.Iam.Application("reading-app", new()
{
Name = "reading-app",
});
var policy = new Scaleway.Iam.Policy("policy", new()
{
Name = "object-storage-policy",
ApplicationId = reading_app.Id,
Rules = new[]
{
new Scaleway.Iam.Inputs.PolicyRuleArgs
{
ProjectIds = new[]
{
@default.Apply(@default => @default.Apply(getProjectResult => getProjectResult.Id)),
},
PermissionSetNames = new[]
{
"ObjectStorageBucketsRead",
},
},
},
});
// Object storage configuration
var bucket = new Scaleway.Object.Bucket("bucket", new()
{
Name = "some-unique-name",
});
var policyBucketPolicy = new Scaleway.Object.BucketPolicy("policy", new()
{
Bucket = bucket.Id,
Policy = Output.JsonSerialize(Output.Create(new Dictionary<string, object?>
{
["Version"] = "2023-04-17",
["Statement"] = new[]
{
new Dictionary<string, object?>
{
["Sid"] = "Delegate read access",
["Effect"] = "Allow",
["Principal"] = new Dictionary<string, object?>
{
["SCW"] = reading_app.Id.Apply(id => $"application_id:{id}"),
},
["Action"] = new[]
{
"s3:ListBucket",
"s3:GetObject",
},
["Resource"] = new[]
{
bucket.Name,
bucket.Name.Apply(name => $"{name}/*"),
},
},
},
})),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.scaleway.account.AccountFunctions;
import com.pulumi.scaleway.account.inputs.GetProjectArgs;
import com.pulumi.scaleway.iam.Application;
import com.pulumi.scaleway.iam.ApplicationArgs;
import com.pulumi.scaleway.iam.Policy;
import com.pulumi.scaleway.iam.PolicyArgs;
import com.pulumi.scaleway.iam.inputs.PolicyRuleArgs;
import com.pulumi.scaleway.object.Bucket;
import com.pulumi.scaleway.object.BucketArgs;
import com.pulumi.scaleway.object.BucketPolicy;
import com.pulumi.scaleway.object.BucketPolicyArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
// Project ID
final var default = AccountFunctions.getProject(GetProjectArgs.builder()
.name("default")
.build());
// IAM configuration
var reading_app = new Application("reading-app", ApplicationArgs.builder()
.name("reading-app")
.build());
var policy = new Policy("policy", PolicyArgs.builder()
.name("object-storage-policy")
.applicationId(reading_app.id())
.rules(PolicyRuleArgs.builder()
.projectIds(default_.id())
.permissionSetNames("ObjectStorageBucketsRead")
.build())
.build());
// Object storage configuration
var bucket = new Bucket("bucket", BucketArgs.builder()
.name("some-unique-name")
.build());
var policyBucketPolicy = new BucketPolicy("policyBucketPolicy", BucketPolicyArgs.builder()
.bucket(bucket.id())
.policy(Output.tuple(reading_app.id(), bucket.name(), bucket.name()).applyValue(values -> {
var id = values.t1;
var bucketName = values.t2;
var bucketName1 = values.t3;
return serializeJson(
jsonObject(
jsonProperty("Version", "2023-04-17"),
jsonProperty("Statement", jsonArray(jsonObject(
jsonProperty("Sid", "Delegate read access"),
jsonProperty("Effect", "Allow"),
jsonProperty("Principal", jsonObject(
jsonProperty("SCW", String.format("application_id:%s", id))
)),
jsonProperty("Action", jsonArray(
"s3:ListBucket",
"s3:GetObject"
)),
jsonProperty("Resource", jsonArray(
bucketName,
String.format("%s/*", bucketName1)
))
)))
));
}))
.build());
}
}
resources:
# IAM configuration
reading-app:
type: scaleway:iam:Application
properties:
name: reading-app
policy:
type: scaleway:iam:Policy
properties:
name: object-storage-policy
applicationId: ${["reading-app"].id}
rules:
- projectIds:
- ${default.id}
permissionSetNames:
- ObjectStorageBucketsRead
# Object storage configuration
bucket:
type: scaleway:object:Bucket
properties:
name: some-unique-name
policyBucketPolicy:
type: scaleway:object:BucketPolicy
name: policy
properties:
bucket: ${bucket.id}
policy:
fn::toJSON:
Version: 2023-04-17
Statement:
- Sid: Delegate read access
Effect: Allow
Principal:
SCW: application_id:${["reading-app"].id}
Action:
- s3:ListBucket
- s3:GetObject
Resource:
- ${bucket.name}
- ${bucket.name}/*
variables:
# Project ID
default:
fn::invoke:
function: scaleway:account:getProject
arguments:
name: default
Reading the bucket with the application
import * as pulumi from "@pulumi/pulumi";
import * as scaleway from "@pulumi/scaleway";
import * as scaleway from "@pulumiverse/scaleway";
const reading_app = scaleway.iam.getApplication({
name: "reading-app",
});
const reading_api_key = new scaleway.iam.ApiKey("reading-api-key", {applicationId: reading_app.then(reading_app => reading_app.id)});
const bucket = scaleway.object.getBucket({
name: "some-unique-name",
});
import pulumi
import pulumi_scaleway as scaleway
import pulumiverse_scaleway as scaleway
reading_app = scaleway.iam.get_application(name="reading-app")
reading_api_key = scaleway.iam.ApiKey("reading-api-key", application_id=reading_app.id)
bucket = scaleway.object.get_bucket(name="some-unique-name")
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumiverse/pulumi-scaleway/sdk/go/scaleway/iam"
"github.com/pulumiverse/pulumi-scaleway/sdk/go/scaleway/object"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
reading_app, err := iam.LookupApplication(ctx, &iam.LookupApplicationArgs{
Name: pulumi.StringRef("reading-app"),
}, nil)
if err != nil {
return err
}
_, err = iam.NewApiKey(ctx, "reading-api-key", &iam.ApiKeyArgs{
ApplicationId: pulumi.String(reading_app.Id),
})
if err != nil {
return err
}
_, err = object.LookupBucket(ctx, &object.LookupBucketArgs{
Name: pulumi.StringRef("some-unique-name"),
}, nil)
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Scaleway = Pulumi.Scaleway;
using Scaleway = Pulumiverse.Scaleway;
return await Deployment.RunAsync(() =>
{
var reading_app = Scaleway.Iam.GetApplication.Invoke(new()
{
Name = "reading-app",
});
var reading_api_key = new Scaleway.Iam.ApiKey("reading-api-key", new()
{
ApplicationId = reading_app.Apply(reading_app => reading_app.Apply(getApplicationResult => getApplicationResult.Id)),
});
var bucket = Scaleway.Object.GetBucket.Invoke(new()
{
Name = "some-unique-name",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.scaleway.iam.IamFunctions;
import com.pulumi.scaleway.iam.inputs.GetApplicationArgs;
import com.pulumi.scaleway.iam.ApiKey;
import com.pulumi.scaleway.iam.ApiKeyArgs;
import com.pulumi.scaleway.object.ObjectFunctions;
import com.pulumi.scaleway.object.inputs.GetBucketArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var reading-app = IamFunctions.getApplication(GetApplicationArgs.builder()
.name("reading-app")
.build());
var reading_api_key = new ApiKey("reading-api-key", ApiKeyArgs.builder()
.applicationId(reading_app.id())
.build());
final var bucket = ObjectFunctions.getBucket(GetBucketArgs.builder()
.name("some-unique-name")
.build());
}
}
resources:
reading-api-key:
type: scaleway:iam:ApiKey
properties:
applicationId: ${["reading-app"].id}
variables:
reading-app:
fn::invoke:
function: scaleway:iam:getApplication
arguments:
name: reading-app
bucket:
fn::invoke:
function: scaleway:object:getBucket
arguments:
name: some-unique-name
Example with AWS provider
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as scaleway from "@pulumi/scaleway";
import * as scaleway from "@pulumiverse/scaleway";
// Scaleway project ID
const _default = scaleway.account.getProject({
name: "default",
});
// Object storage configuration
const bucket = new scaleway.object.Bucket("bucket", {name: "some-unique-name"});
// AWS data source
const policy = aws.iam.getPolicyDocumentOutput({
version: "2012-10-17",
statements: [{
sid: "Delegate access",
effect: "Allow",
principals: [{
type: "SCW",
identifiers: [_default.then(_default => `project_id:${_default.id}`)],
}],
actions: ["s3:ListBucket"],
resources: [
bucket.name,
pulumi.interpolate`${bucket.name}/*`,
],
}],
});
const main = new scaleway.object.BucketPolicy("main", {
bucket: bucket.id,
policy: policy.apply(policy => policy.json),
});
import pulumi
import pulumi_aws as aws
import pulumi_scaleway as scaleway
import pulumiverse_scaleway as scaleway
# Scaleway project ID
default = scaleway.account.get_project(name="default")
# Object storage configuration
bucket = scaleway.object.Bucket("bucket", name="some-unique-name")
# AWS data source
policy = aws.iam.get_policy_document_output(version="2012-10-17",
statements=[{
"sid": "Delegate access",
"effect": "Allow",
"principals": [{
"type": "SCW",
"identifiers": [f"project_id:{default.id}"],
}],
"actions": ["s3:ListBucket"],
"resources": [
bucket.name,
bucket.name.apply(lambda name: f"{name}/*"),
],
}])
main = scaleway.object.BucketPolicy("main",
bucket=bucket.id,
policy=policy.json)
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumiverse/pulumi-scaleway/sdk/go/scaleway/account"
"github.com/pulumiverse/pulumi-scaleway/sdk/go/scaleway/object"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
// Scaleway project ID
_default, err := account.LookupProject(ctx, &account.LookupProjectArgs{
Name: pulumi.StringRef("default"),
}, nil)
if err != nil {
return err
}
// Object storage configuration
bucket, err := object.NewBucket(ctx, "bucket", &object.BucketArgs{
Name: pulumi.String("some-unique-name"),
})
if err != nil {
return err
}
// AWS data source
policy := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
Version: pulumi.String("2012-10-17"),
Statements: iam.GetPolicyDocumentStatementArray{
&iam.GetPolicyDocumentStatementArgs{
Sid: pulumi.String("Delegate access"),
Effect: pulumi.String("Allow"),
Principals: iam.GetPolicyDocumentStatementPrincipalArray{
&iam.GetPolicyDocumentStatementPrincipalArgs{
Type: pulumi.String("SCW"),
Identifiers: pulumi.StringArray{
pulumi.Sprintf("project_id:%v", _default.Id),
},
},
},
Actions: pulumi.StringArray{
pulumi.String("s3:ListBucket"),
},
Resources: pulumi.StringArray{
bucket.Name,
bucket.Name.ApplyT(func(name string) (string, error) {
return fmt.Sprintf("%v/*", name), nil
}).(pulumi.StringOutput),
},
},
},
}, nil)
_, err = object.NewBucketPolicy(ctx, "main", &object.BucketPolicyArgs{
Bucket: bucket.ID(),
Policy: pulumi.String(policy.ApplyT(func(policy iam.GetPolicyDocumentResult) (*string, error) {
return &policy.Json, nil
}).(pulumi.StringPtrOutput)),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
using Scaleway = Pulumi.Scaleway;
using Scaleway = Pulumiverse.Scaleway;
return await Deployment.RunAsync(() =>
{
// Scaleway project ID
var @default = Scaleway.Account.GetProject.Invoke(new()
{
Name = "default",
});
// Object storage configuration
var bucket = new Scaleway.Object.Bucket("bucket", new()
{
Name = "some-unique-name",
});
// AWS data source
var policy = Aws.Iam.GetPolicyDocument.Invoke(new()
{
Version = "2012-10-17",
Statements = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Sid = "Delegate access",
Effect = "Allow",
Principals = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
{
Type = "SCW",
Identifiers = new[]
{
$"project_id:{@default.Apply(getProjectResult => getProjectResult.Id)}",
},
},
},
Actions = new[]
{
"s3:ListBucket",
},
Resources = new[]
{
bucket.Name,
$"{bucket.Name}/*",
},
},
},
});
var main = new Scaleway.Object.BucketPolicy("main", new()
{
Bucket = bucket.Id,
Policy = policy.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.scaleway.account.AccountFunctions;
import com.pulumi.scaleway.account.inputs.GetProjectArgs;
import com.pulumi.scaleway.object.Bucket;
import com.pulumi.scaleway.object.BucketArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.scaleway.object.BucketPolicy;
import com.pulumi.scaleway.object.BucketPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
// Scaleway project ID
final var default = AccountFunctions.getProject(GetProjectArgs.builder()
.name("default")
.build());
// Object storage configuration
var bucket = new Bucket("bucket", BucketArgs.builder()
.name("some-unique-name")
.build());
// AWS data source
final var policy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.version("2012-10-17")
.statements(GetPolicyDocumentStatementArgs.builder()
.sid("Delegate access")
.effect("Allow")
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.type("SCW")
.identifiers(String.format("project_id:%s", default_.id()))
.build())
.actions("s3:ListBucket")
.resources(
bucket.name(),
bucket.name().applyValue(name -> String.format("%s/*", name)))
.build())
.build());
var main = new BucketPolicy("main", BucketPolicyArgs.builder()
.bucket(bucket.id())
.policy(policy.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult).applyValue(policy -> policy.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json())))
.build());
}
}
resources:
# Object storage configuration
bucket:
type: scaleway:object:Bucket
properties:
name: some-unique-name
main:
type: scaleway:object:BucketPolicy
properties:
bucket: ${bucket.id}
policy: ${policy.json}
variables:
# Scaleway project ID
default:
fn::invoke:
function: scaleway:account:getProject
arguments:
name: default
# AWS data source
policy:
fn::invoke:
function: aws:iam:getPolicyDocument
arguments:
version: 2012-10-17
statements:
- sid: Delegate access
effect: Allow
principals:
- type: SCW
identifiers:
- project_id:${default.id}
actions:
- s3:ListBucket
resources:
- ${bucket.name}
- ${bucket.name}/*
Example with deprecated version 2012-10-17
import * as pulumi from "@pulumi/pulumi";
import * as scaleway from "@pulumi/scaleway";
import * as scaleway from "@pulumiverse/scaleway";
// Project ID
const _default = scaleway.account.getProject({
name: "default",
});
// Object storage configuration
const bucket = new scaleway.object.Bucket("bucket", {
name: "mia-cross-crash-tests",
region: "fr-par",
});
const policy = new scaleway.object.BucketPolicy("policy", {
bucket: bucket.name,
policy: pulumi.jsonStringify({
Version: "2012-10-17",
Statement: [{
Effect: "Allow",
Action: [
"s3:ListBucket",
"s3:GetObjectTagging",
],
Principal: {
SCW: _default.then(_default => `project_id:${_default.id}`),
},
Resource: [
bucket.name,
pulumi.interpolate`${bucket.name}/*`,
],
}],
}),
});
import pulumi
import json
import pulumi_scaleway as scaleway
import pulumiverse_scaleway as scaleway
# Project ID
default = scaleway.account.get_project(name="default")
# Object storage configuration
bucket = scaleway.object.Bucket("bucket",
name="mia-cross-crash-tests",
region="fr-par")
policy = scaleway.object.BucketPolicy("policy",
bucket=bucket.name,
policy=pulumi.Output.json_dumps({
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObjectTagging",
],
"Principal": {
"SCW": f"project_id:{default.id}",
},
"Resource": [
bucket.name,
bucket.name.apply(lambda name: f"{name}/*"),
],
}],
}))
package main
import (
"encoding/json"
"fmt"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumiverse/pulumi-scaleway/sdk/go/scaleway/account"
"github.com/pulumiverse/pulumi-scaleway/sdk/go/scaleway/object"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
// Project ID
_default, err := account.LookupProject(ctx, &account.LookupProjectArgs{
Name: pulumi.StringRef("default"),
}, nil)
if err != nil {
return err
}
// Object storage configuration
bucket, err := object.NewBucket(ctx, "bucket", &object.BucketArgs{
Name: pulumi.String("mia-cross-crash-tests"),
Region: pulumi.String("fr-par"),
})
if err != nil {
return err
}
_, err = object.NewBucketPolicy(ctx, "policy", &object.BucketPolicyArgs{
Bucket: bucket.Name,
Policy: pulumi.All(bucket.Name, bucket.Name).ApplyT(func(_args []interface{}) (string, error) {
bucketName := _args[0].(string)
bucketName1 := _args[1].(string)
var _zero string
tmpJSON0, err := json.Marshal(map[string]interface{}{
"Version": "2012-10-17",
"Statement": []map[string]interface{}{
map[string]interface{}{
"Effect": "Allow",
"Action": []string{
"s3:ListBucket",
"s3:GetObjectTagging",
},
"Principal": map[string]interface{}{
"SCW": fmt.Sprintf("project_id:%v", _default.Id),
},
"Resource": []string{
bucketName,
fmt.Sprintf("%v/*", bucketName1),
},
},
},
})
if err != nil {
return _zero, err
}
json0 := string(tmpJSON0)
return json0, nil
}).(pulumi.StringOutput),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Scaleway = Pulumi.Scaleway;
using Scaleway = Pulumiverse.Scaleway;
return await Deployment.RunAsync(() =>
{
// Project ID
var @default = Scaleway.Account.GetProject.Invoke(new()
{
Name = "default",
});
// Object storage configuration
var bucket = new Scaleway.Object.Bucket("bucket", new()
{
Name = "mia-cross-crash-tests",
Region = "fr-par",
});
var policy = new Scaleway.Object.BucketPolicy("policy", new()
{
Bucket = bucket.Name,
Policy = Output.JsonSerialize(Output.Create(new Dictionary<string, object?>
{
["Version"] = "2012-10-17",
["Statement"] = new[]
{
new Dictionary<string, object?>
{
["Effect"] = "Allow",
["Action"] = new[]
{
"s3:ListBucket",
"s3:GetObjectTagging",
},
["Principal"] = new Dictionary<string, object?>
{
["SCW"] = @default.Apply(@default => $"project_id:{@default.Apply(getProjectResult => getProjectResult.Id)}"),
},
["Resource"] = new[]
{
bucket.Name,
bucket.Name.Apply(name => $"{name}/*"),
},
},
},
})),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.scaleway.account.AccountFunctions;
import com.pulumi.scaleway.account.inputs.GetProjectArgs;
import com.pulumi.scaleway.object.Bucket;
import com.pulumi.scaleway.object.BucketArgs;
import com.pulumi.scaleway.object.BucketPolicy;
import com.pulumi.scaleway.object.BucketPolicyArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
// Project ID
final var default = AccountFunctions.getProject(GetProjectArgs.builder()
.name("default")
.build());
// Object storage configuration
var bucket = new Bucket("bucket", BucketArgs.builder()
.name("mia-cross-crash-tests")
.region("fr-par")
.build());
var policy = new BucketPolicy("policy", BucketPolicyArgs.builder()
.bucket(bucket.name())
.policy(Output.tuple(bucket.name(), bucket.name()).applyValue(values -> {
var bucketName = values.t1;
var bucketName1 = values.t2;
return serializeJson(
jsonObject(
jsonProperty("Version", "2012-10-17"),
jsonProperty("Statement", jsonArray(jsonObject(
jsonProperty("Effect", "Allow"),
jsonProperty("Action", jsonArray(
"s3:ListBucket",
"s3:GetObjectTagging"
)),
jsonProperty("Principal", jsonObject(
jsonProperty("SCW", String.format("project_id:%s", default_.id()))
)),
jsonProperty("Resource", jsonArray(
bucketName,
String.format("%s/*", bucketName1)
))
)))
));
}))
.build());
}
}
resources:
# Object storage configuration
bucket:
type: scaleway:object:Bucket
properties:
name: mia-cross-crash-tests
region: fr-par
policy:
type: scaleway:object:BucketPolicy
properties:
bucket: ${bucket.name}
policy:
fn::toJSON:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- s3:ListBucket
- s3:GetObjectTagging
Principal:
SCW: project_id:${default.id}
Resource:
- ${bucket.name}
- ${bucket.name}/*
variables:
# Project ID
default:
fn::invoke:
function: scaleway:account:getProject
arguments:
name: default
NB: To configure the AWS provider with Scaleway credentials, refer to the dedicated documentation.
Create BucketPolicy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new BucketPolicy(name: string, args: BucketPolicyArgs, opts?: CustomResourceOptions);@overload
def BucketPolicy(resource_name: str,
args: BucketPolicyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def BucketPolicy(resource_name: str,
opts: Optional[ResourceOptions] = None,
bucket: Optional[str] = None,
policy: Optional[str] = None,
project_id: Optional[str] = None,
region: Optional[str] = None)func NewBucketPolicy(ctx *Context, name string, args BucketPolicyArgs, opts ...ResourceOption) (*BucketPolicy, error)public BucketPolicy(string name, BucketPolicyArgs args, CustomResourceOptions? opts = null)public BucketPolicy(String name, BucketPolicyArgs args)
public BucketPolicy(String name, BucketPolicyArgs args, CustomResourceOptions options)
type: scaleway:object:BucketPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name
This property is required. string - The unique name of the resource.
- args
This property is required. BucketPolicyArgs - The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name
This property is required. str - The unique name of the resource.
- args
This property is required. BucketPolicyArgs - The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name
This property is required. string - The unique name of the resource.
- args
This property is required. BucketPolicyArgs - The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name
This property is required. string - The unique name of the resource.
- args
This property is required. BucketPolicyArgs - The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name
This property is required. String - The unique name of the resource.
- args
This property is required. BucketPolicyArgs - The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var bucketPolicyResource = new Scaleway.Object.BucketPolicy("bucketPolicyResource", new()
{
Bucket = "string",
Policy = "string",
ProjectId = "string",
Region = "string",
});
example, err := object.NewBucketPolicy(ctx, "bucketPolicyResource", &object.BucketPolicyArgs{
Bucket: pulumi.String("string"),
Policy: pulumi.String("string"),
ProjectId: pulumi.String("string"),
Region: pulumi.String("string"),
})
var bucketPolicyResource = new BucketPolicy("bucketPolicyResource", BucketPolicyArgs.builder()
.bucket("string")
.policy("string")
.projectId("string")
.region("string")
.build());
bucket_policy_resource = scaleway.object.BucketPolicy("bucketPolicyResource",
bucket="string",
policy="string",
project_id="string",
region="string")
const bucketPolicyResource = new scaleway.object.BucketPolicy("bucketPolicyResource", {
bucket: "string",
policy: "string",
projectId: "string",
region: "string",
});
type: scaleway:object:BucketPolicy
properties:
bucket: string
policy: string
projectId: string
region: string
BucketPolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The BucketPolicy resource accepts the following input properties:
- Bucket
This property is required. string - The bucket's name or regional ID.
- Policy
This property is required. string - The text of the policy.
- Project
Id 
Changes to this property will trigger replacement. - The project_id you want to attach the resource to
- Region
- The Scaleway region this bucket resides in.
- Bucket
This property is required. string - The bucket's name or regional ID.
- Policy
This property is required. string - The text of the policy.
- Project
Id - The project_id you want to attach the resource to
- Region
- The Scaleway region this bucket resides in.
- bucket
This property is required. String - The bucket's name or regional ID.
- policy
This property is required. String - The text of the policy.
- project
Id - The project_id you want to attach the resource to
- region
- The Scaleway region this bucket resides in.
- bucket
This property is required. string - The bucket's name or regional ID.
- policy
This property is required. string - The text of the policy.
- project
Id - The project_id you want to attach the resource to
- region
- The Scaleway region this bucket resides in.
- bucket
This property is required. str - The bucket's name or regional ID.
- policy
This property is required. str - The text of the policy.
- project_
id - The project_id you want to attach the resource to
- region
- The Scaleway region this bucket resides in.
- bucket
This property is required. String - The bucket's name or regional ID.
- policy
This property is required. String - The text of the policy.
- project
Id - The project_id you want to attach the resource to
- region
- The Scaleway region this bucket resides in.
Outputs
All input properties are implicitly available as output properties. Additionally, the BucketPolicy resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing BucketPolicy Resource
Get an existing BucketPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: BucketPolicyState, opts?: CustomResourceOptions): BucketPolicy@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
bucket: Optional[str] = None,
policy: Optional[str] = None,
project_id: Optional[str] = None,
region: Optional[str] = None) -> BucketPolicyfunc GetBucketPolicy(ctx *Context, name string, id IDInput, state *BucketPolicyState, opts ...ResourceOption) (*BucketPolicy, error)public static BucketPolicy Get(string name, Input<string> id, BucketPolicyState? state, CustomResourceOptions? opts = null)public static BucketPolicy get(String name, Output<String> id, BucketPolicyState state, CustomResourceOptions options)resources: _: type: scaleway:object:BucketPolicy get: id: ${id}- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
The following state arguments are supported:
- Bucket string
- The bucket's name or regional ID.
- Policy string
- The text of the policy.
- Project
Id - The project_id you want to attach the resource to
- Region
- The Scaleway region this bucket resides in.
- Bucket string
- The bucket's name or regional ID.
- Policy string
- The text of the policy.
- Project
Id - The project_id you want to attach the resource to
- Region
- The Scaleway region this bucket resides in.
- bucket String
- The bucket's name or regional ID.
- policy String
- The text of the policy.
- project
Id - The project_id you want to attach the resource to
- region
- The Scaleway region this bucket resides in.
- bucket string
- The bucket's name or regional ID.
- policy string
- The text of the policy.
- project
Id - The project_id you want to attach the resource to
- region
- The Scaleway region this bucket resides in.
- bucket str
- The bucket's name or regional ID.
- policy str
- The text of the policy.
- project_
id - The project_id you want to attach the resource to
- region
- The Scaleway region this bucket resides in.
- bucket String
- The bucket's name or regional ID.
- policy String
- The text of the policy.
- project
Id - The project_id you want to attach the resource to
- region
- The Scaleway region this bucket resides in.
Import
Bucket policies can be imported using the {region}/{bucketName} identifier, as shown below:
bash
$ pulumi import scaleway:object/bucketPolicy:BucketPolicy some_bucket fr-par/some-bucket
~> Important: The project_id attribute has a particular behavior with s3 products because the s3 API is scoped by project.
If you are using a project different from the default one, you have to specify the project ID at the end of the import command.
bash
$ pulumi import scaleway:object/bucketPolicy:BucketPolicy some_bucket fr-par/some-bucket@xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- scaleway pulumiverse/pulumi-scaleway
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
scalewayTerraform Provider.
- Example Usage
- Example Usage with an IAM user
- Example with an IAM application
- Creating a bucket and delegating read access to an application
- Reading the bucket with the application
- Example with AWS provider
- Example with deprecated version 2012-10-17
- Create BucketPolicy Resource
- Constructor syntax
- Constructor example
- BucketPolicy Resource Properties
- Inputs
- Outputs
- Look up Existing BucketPolicy Resource
- Import
- Package Details