How to Configure Bucket Policies Using Automation

Validated on 2 Apr 2026 • Last edited on 13 Apr 2026

Spaces Object Storage is an S3-compatible service for storing and serving large amounts of data. The built-in Spaces CDN minimizes page load times, improves performance, and reduces bandwidth and infrastructure costs.

Bucket policies define access rules for a Space with a JSON policy document. You can use a bucket policy to control who can access a bucket and what actions they can perform on the bucket and its objects.

Use bucket policies when you need more specific access rules than Access Control Lists (ACLs) provide. ACLs work well for simple predefined permissions. Bucket policies work better for more detailed or conditional access rules.

Warning

Spaces Cold Storage buckets don’t support bucket policies. Requests to Spaces Cold Storage buckets must use signed S3 requests with valid access keys.

Limited-access Spaces keys aren’t compatible with PutBucketPolicy. You can’t apply a bucket policy to a bucket that already uses a limited-access key, and you can’t create a limited-access key for a bucket that already uses a bucket policy.

Before you begin, make sure you have:

Configure a Bucket Policy Using the DigitalOcean API

To configure a bucket policy via the API, send a PUT request to the bucket policy endpoint using the S3-compatible API. Include the bucket policy as a JSON document in the request body. For more details, see Configure a Bucket’s Bucket Policies.

Configure a Bucket Policy Using AWS CLI

To configure a bucket policy with the AWS CLI, use the put-bucket-policy command. For example:

aws s3api put-bucket-policy \
  --bucket <your-space-name> \
  --policy file://<policy-file>.json \
  --endpoint-url https://nyc3.digitaloceanspaces.com

Replace <your-space-name> with your Space name, <policy-file>.json with your policy file, and the endpoint URL with your Space’s region endpoint.

For AWS CLI syntax and options, see the AWS CLI put-bucket-policy reference.

Configure a Bucket Policy Using s3cmd

You can also configure a bucket policy with s3cmd.

Configure a Public Bucket Policy

To allow public read access to all objects in a Space, create a file named public-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<your-space-name>/*"
    }
  ]
}

Apply the policy:

s3cmd setpolicy public-policy.json s3://<your-space-name>

This policy allows anyone to read objects in the Space.

Configure a Private Bucket Policy

To deny public read access to all objects in a Space, create a file named private-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<your-space-name>/*"
    }
  ]
}

Apply the policy:

s3cmd setpolicy private-policy.json s3://<your-space-name>

This policy denies public read access to objects in the Space.

For more information about s3cmd, see the s3cmd reference.
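
As a pre-deployment check for the policy files above, the following Python code (an added example, not part of the original page or of DigitalOcean's tooling) reports whether a policy document lets an anonymous caller run s3:GetObject on a bucket. It assumes standard S3 policy evaluation, in which an explicit Deny overrides an Allow, does not evaluate Condition, NotAction or NotResource elements, and uses a constructed bucket name, example-space; the function and constant names are hypothetical.

```python
import fnmatch
import json

def _as_list(value):
    """Policy fields may be a single value or a list of values."""
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True for "Principal": "*" and for {"AWS": "*"} or {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def _covers(statement, action, resource):
    """True if the statement's Action and Resource patterns match the request."""
    actions = [a.lower() for a in _as_list(statement.get("Action", []))]
    resources = _as_list(statement.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))

def anonymous_read(policy_text, bucket, key="example-object"):
    """Return "deny", "allow" or "none" for an anonymous s3:GetObject on bucket/key."""
    policy = json.loads(policy_text)
    resource = f"arn:aws:s3:::{bucket}/{key}"
    effects = {s.get("Effect") for s in _as_list(policy.get("Statement", []))
               if _is_anonymous(s.get("Principal"))
               and _covers(s, "s3:GetObject", resource)}
    if "Deny" in effects:  # assumption: explicit Deny overrides any Allow
        return "deny"
    return "allow" if "Allow" in effects else "none"

def _page_policy(effect, bucket):
    """Rebuild the page's policy shape for a constructed bucket name."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": effect, "Principal": "*", "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*"}]})

# Constructed sample input: the two policies above with a placeholder bucket.
PUBLIC_POLICY = _page_policy("Allow", "example-space")
PRIVATE_POLICY = _page_policy("Deny", "example-space")

if __name__ == "__main__":
    for name, text in (("public", PUBLIC_POLICY), ("private", PRIVATE_POLICY)):
        print(name, anonymous_read(text, "example-space"))
```

Run it in the automation pipeline before put-bucket-policy or s3cmd setpolicy and fail the job when the result is "allow" for a Space that is meant to stay private.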
