About Bucket Policy

Bucket policies provide centralized access control to buckets and objects based on a variety of conditions, including OBS operations, authorizers, resources, and request attributes (for example, IP addresses). There is no limit on the number of bucket policies (statements) for a bucket. However, the total size of the JSON descriptions of all bucket policies in a bucket cannot exceed 20 KB. The permissions attached to a bucket apply to all of the objects in that bucket. Tenants can grant bucket policy permissions and assign permissions to employees based on a variety of conditions. For example, an account can create a policy that grants write permission:

  • To a particular bucket, for a specific user.
  • For a user connecting from a specified account's corporate network.
  • For an account's custom application.

Unlike ACLs, which can only add (grant) permissions on individual objects, bucket policies can either add or deny permissions on all objects within a bucket. With one request, an account can set permissions for any number of objects in a bucket. In addition, an account can use wildcards (similar to regular expression operators) in resource names and other values to control access to a set of objects.

A bucket owner can perform the PutBucketPolicy operation to set a policy on bucket access. A new policy overwrites the existing one. A bucket owner can also perform the GetBucketPolicy or DeleteBucketPolicy operation to obtain or delete the existing bucket policy. After a policy is set for a bucket, all subsequent accesses to the bucket are controlled by the policy. The content of the policy determines whether a request is accepted or rejected. The following policy allows the accounts 783fc6652cf246c096ea836694f71855 and 219d520ceac84c5a98b237431a2cf4c2 (account IDs) to perform the GetObject operation on all the objects in bucket mybucket.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Sid": "1",
      "Principal": {
        "ID": [
          "domain/783fc6652cf246c096ea836694f71855:user/*",
          "domain/219d520ceac84c5a98b237431a2cf4c2:user/*"
        ]
      },
      "Action": ["GetObject"],
      "Resource": "mybucket/*"
    }
  ]
}
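As an added illustration (not part of the OBS documentation), the following Python evaluator works over policies in the format shown above: it checks the 20 KB size limit and required statement keys, then decides a single request by matching Principal, Action and Resource. It assumes that wildcards behave like shell-style globs and that an explicit Deny overrides a matching Allow; the DENY_PRIVATE statement is constructed for the example.

```python
import json
from fnmatch import fnmatchcase

# The page's policy: two accounts may GetObject on every object in "mybucket".
PAGE_POLICY = json.loads("""{"Statement": [{"Effect": "Allow", "Sid": "1",
  "Principal": {"ID": ["domain/783fc6652cf246c096ea836694f71855:user/*",
                       "domain/219d520ceac84c5a98b237431a2cf4c2:user/*"]},
  "Action": ["GetObject"], "Resource": "mybucket/*"}]}""")

# Constructed statement (not on the page): deny reads under "mybucket/private/"
# to show that an explicit Deny overrides a matching Allow (assumed semantics).
DENY_PRIVATE = {"Effect": "Deny", "Sid": "2",
                "Principal": {"ID": ["domain/*:user/*"]},
                "Action": ["GetObject"], "Resource": "mybucket/private/*"}

MAX_POLICY_BYTES = 20 * 1024  # total size limit for a bucket's policy JSON

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value):
    # Policy wildcards are treated as shell-style globs ("*" = any run of chars).
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def validate_policy(policy):
    """Return a list of problems: the 20 KB limit plus required statement keys."""
    problems = []
    if len(json.dumps(policy).encode("utf-8")) > MAX_POLICY_BYTES:
        problems.append("policy JSON exceeds 20 KB")
    for st in policy.get("Statement", []):
        sid = st.get("Sid", "?")
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {sid}: Effect must be Allow or Deny")
        for key in ("Principal", "Action", "Resource"):
            if key not in st:
                problems.append(f"statement {sid}: missing {key}")
    return problems

def evaluate(policy, principal, action, resource):
    """'Allow' or 'Deny' for one request: default deny, explicit Deny wins."""
    decision = "Deny"
    for st in policy["Statement"]:
        if (_matches(st["Principal"]["ID"], principal)
                and _matches(st["Action"], action)
                and _matches(st["Resource"], resource)):
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision
```

Combine PAGE_POLICY["Statement"] with DENY_PRIVATE to see the Deny take precedence for objects under the private prefix while other objects stay readable.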