Provides a bucket policy resource for Spaces, DigitalOcean’s object storage product. The digitalocean_spaces_bucket_policy resource allows Terraform to attach bucket policy to Spaces.

The Spaces API was designed to be interoperable with Amazon’s AWS S3 API. This allows users to interact with the service while using the tools they already know. Spaces mirrors S3’s authentication framework and requests to Spaces require a key pair similar to Amazon’s Access ID and Secret Key.

The authentication requirement can be met by either setting the SPACES_ACCESS_KEY_ID and SPACES_SECRET_ACCESS_KEY environment variables or the provider’s spaces_access_id and spaces_secret_key arguments to the access ID and secret you generate via the DigitalOcean control panel. For example:

provider "digitalocean" {
  token             = var.digitalocean_token

  spaces_access_id  = var.access_id
  spaces_secret_key = var.secret_key

resource "digitalocean_spaces_bucket" "static-assets" {
  # ...

For more information, See An Introduction to DigitalOcean Spaces

Example Usage

Limiting access to specific IP addresses

resource "digitalocean_spaces_bucket" "foobar" {
  name   = "foobar"
  region = "nyc3"

resource "digitalocean_spaces_bucket_policy" "foobar" {
  region = digitalocean_spaces_bucket.foobar.region
  bucket =
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
        "Sid" : "IPAllow",
        "Effect" : "Deny",
        "Principal" : "*",
        "Action" : "s3:*",
        "Resource" : [
        "Condition" : {
          "NotIpAddress" : {
            "aws:SourceIp" : ""

!> Warning: Before using this policy, replace the IP address range in this example with an appropriate value for your use case. Otherwise, you will lose the ability to access your bucket.

Argument Reference

The following arguments are supported:

  • region - (Required) The region where the bucket resides.
  • bucket - (Required) The name of the bucket to which to apply the policy.
  • policy - (Required) The text of the policy.

Attributes Reference

No additional attributes are exported.


Bucket policies can be imported using the region and bucket attributes (delimited by a comma):

terraform import digitalocean_spaces_bucket_policy.foobar `region`,`bucket`