Set Policy

Attach or replace the policy on any bucket as an admin.

Endpoint	Method	Admin Required
`/api/v1/admin/buckets/:bucketName/policy`	PUT	Yes

Validates and saves a bucket policy document for any bucket, regardless of owner. The policy takes effect immediately - no restart required.

Path Parameters

bucketName

string required

The name of the bucket.

Request Body

policy

string required

A bucket policy document, as a JSON-encoded string.

Example

{
    "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"PublicRead\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"s3:GetObject\",\"Resource\":\"arn:aws:s3:::my-bucket/*\"}]}"
}

Response

Returns the saved policy:

{
    "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[...]}"
}

Alarik currently supports a deliberately small, "anonymous public read" subset of the AWS bucket policy specification. Anything outside this subset is rejected when saving - it is never silently accepted and ignored.

Element	Supported value
`Effect`	`Allow` only
`Principal`	`"*"` only (anonymous/unauthenticated requests)
`Action`	`s3:GetObject`, `s3:GetObjectVersion`, `s3:ListBucket`
`Resource`	Must reference this bucket, e.g. `arn:aws:s3:::my-bucket` or `arn:aws:s3:::my-bucket/prefix/` (a single trailing `` wildcard is supported)
`Condition`	Not supported

Authenticated requests (a valid Access Key/Secret Key or SigV4 signature) are never affected by a bucket policy - they always use the normal ownership-based authorization. A policy only ever grants additional access to unauthenticated requests.

Errors

Status	Reason
`400`	Missing or invalid `policy`, or the policy uses an unsupported `Effect`, `Principal`, `Action`, or `Resource`
`404`	Bucket not found

Get Policy

Get the policy attached to any bucket as an admin.

Delete Policy

Remove the policy from any bucket as an admin.