Question

DigitalOcean Spaces put-bucket-policy no effect

I’m trying to set a folder in a bucket as public via aws s3api cli. aws configured with access key and secret for All Permissions.

//policy.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Public Images",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket/uploads/images/*"
            ]
        }
    ]
}

 aws s3api put-bucket-policy --policy file://./policy.json --endpoint=https://my-bucket.sfo3.digitaloceanspaces.com --bucket my-bucket

The command runs without error. Also, I get a my-bucket file at the root of the bucket with the same contents as the policy.json file. But I still get Access Denied when trying to access files in https://my-bucket.sfo3.digitaloceanspaces.com/uploads/images/

Am I missing something?

Thank you Mat


Bobby Iliev
Site Moderator
January 10, 2025

Hey Mat!

I believe that the --endpoint you’re using (https://my-bucket.sfo3.digitaloceanspaces.com) points to the bucket itself. For bucket policies, you need to use the Spaces API endpoint instead:

--endpoint https://sfo3.digitaloceanspaces.com

So, your command should be:

aws s3api put-bucket-policy --policy file://./policy.json --endpoint https://sfo3.digitaloceanspaces.com --bucket my-bucket

Let me know if this works!

- Bobby

alexdo
Site Moderator
January 10, 2025

Heya, @astatec

As Bobby mentioned, you seem to be including the bucket’s endpoint in the --endpoint parameter. For DigitalOcean Spaces, the --endpoint should target the regional endpoint, not the bucket’s endpoint. For sfo3, use:

aws s3api put-bucket-policy --bucket my-bucket --policy file://policy.json --endpoint=https://sfo3.digitaloceanspaces.com

You can test accessing the URL of a file, such as:

https://my-bucket.sfo3.digitaloceanspaces.com/uploads/images/your-file.jpg

If it still shows Access Denied, check the policy and ACL settings again.

Regards

I ended up deleting the bucket and creating a new one and now it’s working. I think the problem came because first I had set up a Read/Write/Delete access key for that specific bucket and apparently they are not compatible with ACL policies.

Thank you for your support
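
A preflight check for the mistake both answers describe, as an added example that is not part of the original thread or of DigitalOcean's tooling: it flags an --endpoint that is the bucket's own hostname and lists which key patterns a policy opens to anonymous reads. The function names are hypothetical, the sample policy is the one from the question, and the check assumes the bucket is not named like a region.

```python
import json
from fnmatch import fnmatchcase
from urllib.parse import urlparse

# Constructed sample: the policy document posted in the question.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Public Images", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject"],
    "Resource": ["arn:aws:s3:::my-bucket/uploads/images/*"]
  }]
}"""

def as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_endpoint(endpoint, bucket):
    """Return (ok, suggestion). ok is False when the endpoint host is the
    bucket's own hostname; suggestion is then the endpoint without it."""
    url = urlparse(endpoint)
    host, prefix = (url.hostname or "").lower(), bucket.lower() + "."
    if host.startswith(prefix):
        return False, f"{url.scheme}://{host[len(prefix):]}"
    return True, endpoint

def anonymous_read_keys(policy_text, bucket):
    """List the key patterns in `bucket` that the policy lets anyone GET."""
    arn, keys = f"arn:aws:s3:::{bucket}/", []
    for stmt in as_list(json.loads(policy_text).get("Statement", [])):
        who = stmt.get("Principal")
        anyone = who == "*" or (isinstance(who, dict) and "*" in as_list(who.get("AWS", [])))
        # Action names are case-insensitive and may use wildcards (s3:*, s3:Get*).
        reads = any(fnmatchcase("s3:getobject", a.lower()) for a in as_list(stmt.get("Action", [])))
        if stmt.get("Effect") == "Allow" and anyone and reads:
            keys += [r[len(arn):] for r in as_list(stmt.get("Resource", [])) if r.startswith(arn)]
    return keys

if __name__ == "__main__":
    for ep in ("https://my-bucket.sfo3.digitaloceanspaces.com", "https://sfo3.digitaloceanspaces.com"):
        ok, suggestion = check_endpoint(ep, "my-bucket")
        print(ep, "->", "ok" if ok else f"bucket hostname, use {suggestion}")
    for key in anonymous_read_keys(SAMPLE_POLICY, "my-bucket"):
        print("public read:", key, "(whole bucket!)" if key == "*" else "")
```

Running the check before put-bucket-policy catches the endpoint problem without writing anything to the bucket, and the key listing confirms the grant is limited to uploads/images/ rather than the whole bucket.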
