Allow the incoming traffic from GKE to S3 only. Bucket policy for this

I want to allow the incoming traffic from GKE to S3 only. What should the Bucket policy for this

To restrict access to an Amazon S3 bucket so that it only allows traffic from a Google Kubernetes Engine (GKE) cluster, you would typically use the AWS Identity and Access Management (IAM) to create a bucket policy that grants access based on specific conditions. However, since GKE clusters run on Google Cloud Platform (GCP) and not AWS, directly restricting access based on the GKE cluster’s identity might not be straightforward or possible in the same way as with AWS resources.

One practical approach is to restrict access based on the IP addresses of the nodes within your GKE cluster. You can obtain the external IP addresses of your GKE nodes and use them in the condition element of your S3 bucket policy.

Here is a generic example of what the S3 bucket policy might look like. This policy allows GetObject action from specific IP addresses. You need to replace "YourBucketName" with your actual bucket name and ["IP_ADDRESS_1", "IP_ADDRESS_2"] with the list of external IP addresses of your GKE nodes.

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::YourBucketName/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [

Steps to Implement:

  1. Obtain the External IP Addresses of Your GKE Nodes:
    • Use the kubectl get nodes -o wide command to list all nodes along with their external IP addresses.
    • Alternatively, if your GKE cluster is behind a NAT gateway or uses a static IP for egress, use the IP address of the NAT gateway or the static IP.
  2. Update the Bucket Policy:
    • Go to the Amazon S3 console, select your bucket, and then navigate to the Permissions tab.
    • Find the Bucket Policy section and edit it to include the policy provided above, customized with your bucket name and the obtained IP addresses.
  3. Test the Access:
    • After updating the bucket policy, test accessing the S3 bucket from within your GKE cluster to ensure the policy works as expected.
    • Try accessing the bucket from an IP address not included in the policy to verify that the access is denied.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x