Anonymous access via bucket policy for specific objects — is it supported?

[metoant]

Environment

• RustFS version: rustfs/rustfs:latest
• Client: AWS SDK for Go v2

Question

I'm trying to allow anonymous public access to specific objects in a bucket
while keeping others private, without using presigned URLs.

I've tried two approaches and neither works:

Approach 1 — Canned ACL

Setting ACL: types.ObjectCannedACLPublicRead during PutObject.
Upload succeeds but anonymous GET returns 403.

Approach 2 — Tag-based bucket policy

Setting input.Tagging = "public-read=true" during PutObject, with this policy:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {"AWS": ""},
"Action": ["s3:GetObject"],
"Resource": ["arn:aws:s3:::oblax/"],
"Condition": {
"StringEquals": {
"s3:ExistingObjectTag/public-read": "true"
}
}
}
]
}

Anonymous GET still returns 403 AccessDenied.

What does work

A bucket policy with no conditions allows anonymous access to everything —
but I need per-object control.

Questions

1. Are object-level canned ACLs (public-read) supported?
2. Are tag-based policy conditions (s3:ExistingObjectTag) supported?

[GatewayJ]

The issue has been confirmed; coding will expedite the resolution.Both methods will be supported.Thank you for your feedback. I will keep you informed as soon as there is progress.

[metoant]

thank you.

[loverustfs]

Fixed.

[Theoooooo]

I can confirm this issue not fixed
I'm using the v86 alpha version and i still can't use the condition as stated above

I'll test the v90 later today and see if it was shipped after the v86 version

[GatewayJ]

I can confirm this issue not fixed I'm using the v86 alpha version and i still can't use the condition as stated above

I'll test the v90 later today and see if it was shipped after the v86 version

Could you please provide the complete use case information, including the complete bucket policy, ram policy, and requested method? Thank you for your feedback

[Theoooooo]

Could you please provide the complete use case information, including the complete bucket policy, ram policy, and requested method? Thank you for your feedback

I've updated to version v90, here is what i've created in this order :

• Create custom policy with following content :

{
  "ID": "",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:GetObjectTagging",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::my_username/*"
      ],
      "Condition": {}
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "s3:PutObjectTagging",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::my_username/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/antivirus_result": "OK"
        }
      }
    }
  ]
}

• Create a group with the policy linked to the group
• Create my_username and link the group to my user
• Create a bucket named my_username and drop any file inside the bucket, full set on default options nothing is configured apart from the name
• Connect as my user
• I can see the bucket and list objects inside my bucket, but i cannot get any informations of any files, when i click on a file i have the following error :

- Inspecting the content doesn't give any info, just a plain error 403 from the request and not content inside the response

I also cannot see the details like the object count and the size

I can also put objects inside my bucket as intended. However all actions listed under my condition doesn't work (such as GetObject and PutObjectTagging)
This exact same policy worked under minio also

[GatewayJ]

Could you please provide the complete use case information, including the complete bucket policy, ram policy, and requested method? Thank you for your feedback

I've updated to version v90, here is what i've created in this order :

* Create custom policy with following content :

{
"ID": "",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObjectTagging",
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::my_username/"
],
"Condition": {}
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"s3:PutObjectTagging",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::my_username/"
],
"Condition": {
"StringEquals": {
"s3:ExistingObjectTag/antivirus_result": "OK"
}
}
}
]
}

* Create a group with the policy linked to the group

* Create my_username and link the group to my user

* Create a bucket named **my_username** and drop any file inside the bucket, full set on default options nothing is configured apart from the name

* Connect as my user

* I can see the bucket and list objects inside my bucket, but i cannot get any informations of any files, when i click on a file i have the following error :

- Inspecting the content doesn't give any info, just a plain error 403 from the request and not content inside the response

I also cannot see the details like the object count and the size

I can also put objects inside my bucket as intended. However all actions listed under my condition doesn't work (such as GetObject and PutObjectTagging) This exact same policy worked under minio also

Sorry for the trouble. This issue occurred because the logic didn't check whether the RAM policy includes tag filtering conditions; previously, it only validated bucket policies. I will add this supplementary check as soon as possible.

[Theoooooo]

Sorry for the trouble. This issue occurred because the logic didn't check whether the RAM policy includes tag filtering conditions; previously, it only validated bucket policies. I will add this supplementary check as soon as possible.

Awesome, thank you i'll be waiting for the next release where this will be shipped 👍