- 最新
- 投票最多
- 评论最多
Hi,
Thank you for your answers! We want to integrate this while setup with an IAM identity provider. Are the IPs which query the endpoints well known? Or is there maybe a special principal we could allow access to the bucket (a bit like with the custom origin for cloudfront)?
Best, Patrick
It depends on the definition of public bucket. You could use aws:sourceIp
condition key in the bucket policy to allow only known IPs to access your bucket without authentication. In that sense, according to the AWS documentation, the bucket might not be considered anymore as public.
Hi,
From the case notes I understand that you would like to know if it would be possible to have a public S3 bucket that only grants access to an OIDC provider.
It would be possible to scope down principals that can access a bucket however this would no longer be a public bucket as a public bucket would be one that can be accessed by any principal rather than only a specific one. The following would be examples of how you can restrict s3 access to a specific IPv4 or IPv6 address [1]. You can allow the specific IP address for your OIDC provider in order to limit access to only that provider.
I hope you have a great rest of your day!
References [1] https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-use-case-4