An BucketPolicy is a managed resource that represents an AWS Bucket policy.
Type
CRD
Group
s3.aws.crossplane.io
Version
v1alpha3
apiVersion: s3.aws.crossplane.io/v1alpha3
kind: BucketPolicy
An BucketPolicySpec defines the desired state of an BucketPolicy.
BucketPolicyParameters define the desired state of an AWS BucketPolicy.
BucketNameRef references to an S3Bucket to retrieve its bucketName
Policies for referencing.
BucketNameSelector selects a reference to an S3Bucket to retrieve its bucketName
Policies for selection.
Policy is a well defined type which can be parsed into an JSON S3 Bucket Policy either policy or rawPolicy must be specified in the policy
Statements is the list of statement this policy applies either jsonStatements or statements must be specified in the policy
Each element of the PolicyAction array describes the specific action or actions that will be allowed or denied with this PolicyStatement.
Condition specifies where conditions for policy are in effect. https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html
Conditions represents each of the key/value pairs for the operator key
ConditionListValue is the list value of the key from the parent condition
Each element of the NotPolicyAction array will allow the property to match all but the listed actions.
Used with the S3 policy to specify the users which are not included in this policy
This list contains the all of the AWS IAM users which are affected by the policy statement.
IAMRoleARNRef contains the reference to an IAMRole
Policies for referencing.
IAMRoleARNSelector queries for an IAM role to retrieve its userName
Policies for selection.
UserARNRef contains the reference to an User
Policies for referencing.
UserARNSelector queries for an User to retrieve its userName
Policies for selection.
Service define the services which can have access to this bucket
This will explicitly match all resource paths except the ones specified in this array
Used with the S3 policy to specify the principal that is allowed or denied access to a resource.
This list contains the all of the AWS IAM users which are affected by the policy statement.
IAMRoleARNRef contains the reference to an IAMRole
Policies for referencing.
IAMRoleARNSelector queries for an IAM role to retrieve its userName
Policies for selection.
UserARNRef contains the reference to an User
Policies for referencing.
UserARNSelector queries for an User to retrieve its userName
Policies for selection.
Service define the services which can have access to this bucket
The paths on which this resource will apply
THIS IS A BETA FIELD. It is on by default but can be opted out through a Crossplane feature flag. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md
ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured.
Policies for referencing.
PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource.
WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other.
An BucketPolicyStatus represents the observed state of an BucketPolicy.
Conditions of the resource.
bucketpolicy-public
apiVersion: s3.aws.crossplane.io/v1alpha3
kind: BucketPolicy
metadata:
name: bucketpolicy-public
spec:
forProvider:
bucketNameRef:
name: test-bucket
rawPolicy: |
{
"Statement": [
{
"Action":"s3:ListBucket",
"Effect":"Allow",
"Principal":"*",
"Resource":"arn:aws:s3:::crossplane-example-bucket"
}
],
"Version":"2012-10-17"
}
region: us-east-1
providerConfigRef:
name: example
bucketpolicy-public
apiVersion: s3.aws.crossplane.io/v1alpha3
kind: BucketPolicy
metadata:
name: bucketpolicy-public
spec:
forProvider:
bucketNameRef:
name: test-bucket
policy:
statements:
- action:
- s3:ListBucket
- s3:GetBucketLocation
- s3:ListBucketMultipartUploads
- s3:PutBucketCORS
condition:
- conditions:
- key: aws:Key1
stringValue: value1
- key: aws:Key2
stringValue: value2
operatorKey: StringEquals
- conditions:
- key: aws:SourceIp
stringValue: 192.0.2.0/24
operatorKey: IpAddress
- conditions:
- key: aws:SourceIp
stringValue: 192.0.2.188/32
operatorKey: NotIpAddress
effect: Allow
principal:
awsPrincipals:
- iamUserArnSelector:
matchLabels:
example: "true"
resource:
- arn:aws:s3:::crossplane-example-bucket
version: 2012-10-17
region: us-east-1
providerConfigRef:
name: example