How to create S3 read policy for prefix?

Question

I know how to sign policy for unique S3 key, but is it possible to create read policy that will allow to read all files (I am not talking about listing objects) from /project/1234/* - so it should allow to read all files with prefix /project/1234.

To sign single key I use following code (found in some lib):

this.readPolicy = function(key, bucket, duration, download, cb) {
        var dateObj = new Date;
        var expiration = new Date(dateObj.getTime() + duration * 1000);
        expiration = Math.round(expiration.getTime() / 1000);

        var policy = 'GET\n\n\n' + expiration + '\n';
        policy += '/' + bucket + '/' + key;
        if (download) {
            policy += '?response-content-disposition=attachment;filename=' + encodeURIComponent(download);
        }

        var signature = crypto.createHmac("sha1", this.secretKey).update(policy);

        var url = 'https://s3.amazonaws.com/';
        url += bucket + '/';
        url += key;
        url += '?AWSAccessKeyId=' + this.accessKey;
        url += '&Expires=' + expiration;
        url += '&Signature=' + encodeURIComponent(signature.digest("base64"));
        if (download) {
            url += '&response-content-disposition=attachment;filename=' + encodeURIComponent(download);
        }
        if (cb) {
            cb(null, url);
        } else {
            return url;
        }
    };

Answer 1

The author of that code is actually misusing the word "policy." That's a signed request, using Signature Version 2.

Policy documents are not supported for signed S3 downloads. They are only used for browser-based POST uploads. The only way to pre-sign a URL for GET (or HEAD) request is to sign the request for a specific object.