Allow object operations only under a certain prefix inside a DO Space

I’m trying to use the bucket policies to allow certain operations only if they are performed under a certain prefix.

Unfortunately it seems like the support for prefix conditions in DO Spaces is broken/only partially implemented. It seems like it is not possible to prevent operations from the root of the bucket while allowing them on a prefix.

For example I wish to apply a policy like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:ListBucket",
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": "????????-????-????-????-????????????/*",
                },
            },
            "Resource": "arn:aws:s3:::my-bucket",
        },
    ],
}

The idea here is that of multi-tenacy: I assign one UUID to each “client”, they should be able to list the objects available under their own context by specifying the UUID as prefix, however they shouldn’t be able to list objects from the root of the Space by omitting Prefix or specifying an empty Prefix string. AWS S3 given this policy will return AccessDenied for any ListObjects operation that either doesn’t provide a Prefix or for which the Prefix does not start with a UUID plus /, which is what I want.

Currently this policy is accepted by DO Spaces, but no error is given if trying to call ListObjects without a Prefix parameter and it does return all objects from the root.

Switching from Allow to Deny seem to work, in the sense that I can list from the root, but trying to specify a Prefix matching the condition fails with AccessDenied.

I tried to then use Deny + StringNotLike :

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:ListBucket",
            ],
            "Condition": {
                "StringNotLike": {
                    "s3:prefix": "????????-????-????-????-????????????/*",
                },
            },
            "Resource": f"arn:aws:s3:::{name}",
        },
    ],
}

This “works” in the sense that it does allow ListObjects specifying a Prefix using a UUID as prefix, it prevents specifying a different non-empty prefix (e.g. trying a as Prefix fails with AccessDenied), but crucially it still allows an empty or missing Prefix argument to list all objects from the root!

Is there a way to write a DO Spaces policy that would achieve what can be done in AWS S3 with the first policy listed here? I.e. only allow ListObjects if a Prefix is provided and that Prefix matches the given condition?

Moreover is there some Spaces-specific documentation for the supported conditions in a Bucket Policy (since the behaviour is different from AWS S3)?

---

Note that this is not restricted to s3:ListBucket permission and ListObjects API. It seems like all permissions don’t really work well with prefixes. To give a different example, if you want to limit s3:GetObject to fetching object under a prefix it doesn’t work:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
            ],
            "Resource": f"arn:aws:s3:::my-bucket/prefix/*",
        },
    ],
}

This will still allow calling GetObject outside the given prefix. Switching to using Deny will correctly deny operations for the specified prefix, but there seem to be no way to allowing the operation only in a prefix, you either prevent the operation completely or it is always allowed from the root.