Bucket Policy Examples

The following examples cover typical bucket policy use cases. All of them use examplebucket as the bucket name. To test these policies, replace this string with your actual bucket name and change the authorized user to the user you want to authorize.

Granting Permissions to OBS Users

The following example policy grants the PutObject and PutObjectAcl permissions to the user whose ID is 71f3901173514e6988115ea2c26d1999 under account b4bf1b36d9ca43d984fbcb9491b6fce9 (account ID).

{
    "Statement":[
    {
      "Sid":"AddCannedAcl",
      "Effect":"Allow",
      "Principal": {"ID": ["domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]},
      "Action":["PutObject","PutObjectAcl"],
      "Resource":["examplebucket/*"]
    }
  ]
}

Granting All Operation Permissions for a Specified Bucket to an OBS User

The following example policy grants all operation permissions (including bucket operations and object operations) of examplebucket to the user whose ID is 71f3901173514e6988115ea2c26d1999 in account b4bf1b36d9ca43d984fbcb9491b6fce9 (account ID).

{
    "Statement":[
    {
      "Sid":"test",
      "Effect":"Allow",
      "Principal": {"ID": ["domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]},
      "Action":["*"],
      "Resource":[
        "examplebucket/*",
        "examplebucket"
      ]
    }
  ]
}

Granting All Permissions Excluding the Permission for Deleting Objects to an OBS User

The following example policy grants a user (user ID 71f3901173514e6988115ea2c26d1999) of an account (ID b4bf1b36d9ca43d984fbcb9491b6fce9) all permissions for the examplebucket bucket, excluding the permission to delete objects.

{
    "Statement":[
    {
      "Sid":"test1",
      "Effect":"Allow",
      "Principal": {"ID": ["domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]},
      "Action":["*"],
      "Resource":["examplebucket/*"]
    },
    {
      "Sid":"test2",
      "Effect":"Deny",
      "Principal": {"ID": ["domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]},
      "Action":["DeleteObject"],
      "Resource":["examplebucket/*"]
    }
  ]
}

Granting Permissions to Multiple Tenants and Specifying Conditions

The following example policy grants the PutObject and PutObjectAcl permissions to all users under account 783fc6652cf246c096ea836694f71855 (account ID) and account 219d520ceac84c5a98b237431a2cf4c2 (account ID), and requires that every request for these operations carry the standard ACL public-read (checked through the x-obs-acl condition key).

{
    "Statement":[
    {
      "Sid":"AddAcl",
      "Effect":"Allow",
      "Principal": {"ID": ["domain/783fc6652cf246c096ea836694f71855:user/*","domain/219d520ceac84c5a98b237431a2cf4c2:user/*"]},
      "Action":["PutObject","PutObjectAcl"],
      "Resource":["examplebucket/*"],
      "Condition":{"StringEquals":{"x-obs-acl":["public-read"]}}
    }
  ]
}

Granting the Read-Only Permission to Anonymous Users

The following example policy grants the GetObject (download object) permission to anonymous users (non-public cloud users). This permission allows anyone to read all object data uploaded by the bucket owner. It is useful when you configure the bucket as a website and want everyone to be able to read the objects in it.

{
    "Statement":[
    {
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["GetObject"],
      "Resource":["examplebucket/*"]
    }
  ]
}

Granting the Read-Only Permission for Specific Objects to Anonymous Users

The following example policy grants the GetObject (download object) permission of exampleobject in bucket examplebucket to anonymous users, allowing everyone to read data of the exampleobject object.

{
    "Statement":[
    {
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["GetObject"],
      "Resource":["examplebucket/exampleobject"]
    }
  ]
}

Restricting Access to Specific IP Addresses

The following policy grants all users the permission to perform any OBS operation on the objects in examplebucket, but only for requests that come from the specified IP address range. The range allowed by the statement is 192.168.0.*, except 192.168.0.1.

The Condition uses the IpAddress and NotIpAddress operators together with the OBS condition key SourceIp. The value of SourceIp is written in the CIDR notation described in RFC 4632.

{
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "examplebucket/*",
      "Condition": {
         "IpAddress": {"SourceIp": "192.168.0.0/24"},
         "NotIpAddress": {"SourceIp": "192.168.0.1/32"} 
      } 
    } 
  ]
}
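The following static check, added here as an example and not an OBS tool, flags the exposure created by the two anonymous-access examples above: unconditioned anonymous read, and, for the IP-restricted policy, Action "*" (which includes deletes) for anyone in the allowed range. The severity labels and the WRITE_ACTIONS set are this example's own choices; the two policies are copied from this page as Python dicts.

```python
# Actions named on this page that modify objects; Action "*" covers them all
WRITE_ACTIONS = {"PutObject", "PutObjectAcl", "DeleteObject"}

# The anonymous-read and IP-restriction policies from this page, copied as Python dicts
ANON_READ = {"Statement": [{"Sid": "AddPerm", "Effect": "Allow", "Principal": "*",
                            "Action": ["GetObject"], "Resource": ["examplebucket/*"]}]}
IP_ALLOW_ALL = {"Statement": [{"Sid": "IPAllow", "Effect": "Allow", "Principal": "*",
                               "Action": "*", "Resource": "examplebucket/*",
                               "Condition": {"IpAddress": {"SourceIp": "192.168.0.0/24"},
                                             "NotIpAddress": {"SourceIp": "192.168.0.1/32"}}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def audit_policy(policy):
    """Return (Sid, severity, message) findings for Allow statements that widen exposure."""
    findings = []
    for s in policy["Statement"]:
        if s["Effect"] != "Allow":
            continue  # Deny statements only narrow access
        sid = s.get("Sid", "<no Sid>")
        actions = set(_as_list(s["Action"]))
        resources = ", ".join(_as_list(s["Resource"]))
        anonymous = s["Principal"] == "*"
        conds = ", ".join(s.get("Condition", {})) or "no Condition"
        writes = "*" in actions or bool(actions & WRITE_ACTIONS)
        if anonymous and writes:
            findings.append((sid, "CRITICAL", f"anonymous principal may modify {resources} ({conds})"))
        elif anonymous and conds == "no Condition":
            findings.append((sid, "HIGH", f"anonymous read of {resources} with no Condition"))
        elif anonymous:
            findings.append((sid, "MEDIUM", f"anonymous read of {resources} limited only by {conds}"))
        if "*" in actions and not anonymous:
            findings.append((sid, "LOW", f"Action * on {resources}; add a Deny for DeleteObject "
                                         "unless deletes are intended"))
    return findings
```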

Restricting Access to a Specified HTTP Website

Assume that you have a website whose domain name is www.example.com or example.com, and that the site links to photos and videos stored in the examplebucket bucket. Granting read access makes all objects in the bucket accessible to anonymous users; however, you want these objects to be readable only from your website. You can add a bucket policy that allows GetObject under a condition, namely that the request must come from the specified web page. This function is called anti-leeching. For details, see URL Validation Settings.

Granting the PutObject Permission for Copying Objects from a Specified Source

For PutObject requests, when a user specifies a source object, the request is a copy operation. The bucket owner can therefore grant the user the permission to copy objects while restricting which source objects may be copied, for example:

  • Only objects in bucket sourcebucket can be copied.
  • Only objects whose names start with public/ in bucket sourcebucket can be copied, for example sourcebucket/public/*.
  • Only a specific object in bucket sourcebucket can be copied, for example sourcebucket/example.jpg.

The following example bucket policy grants the PutObject permission (upload object and copy object) to user 71f3901173514e6988115ea2c26d1999 (user ID) in account b4bf1b36d9ca43d984fbcb9491b6fce9 (account ID), but the user can copy only objects whose names are prefixed with public/ in the sourcebucket bucket.

{ 
    "Statement": [ 
        { 
            "Sid": "putObject", 
            "Effect": "Allow", 
            "Principal": { 
                "ID": "domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999" 
            }, 
            "Action": ["PutObject"], 
            "Resource": "examplebucket/*" 
        }, 
        { 
            "Sid": "Deny copy /bucket/folder", 
            "Effect": "Deny", 
            "Principal": { 
                "ID": "domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999" 
            }, 
            "Action": "PutObject", 
            "Resource": "examplebucket/*", 
            "Condition": { 
                "StringNotLike": { 
                    "x-obs-copy-source": "sourcebucket/public/*" 
                } 
            } 
        } 
    ] 
}

Granting the Permission to Access a Specified Version of an Object

Assume that versioning is enabled for a bucket of account A and that the bucket contains multiple versions of the object obj01. The account administrator wants to grant the user 71f3901173514e6988115ea2c26d1999 (user ID) the permission to obtain only one specified version of the object. To do so, the administrator grants the permission to download the specified object version as follows, with the VersionId condition key specified in the key-value pair of Condition.

{ 
    "Statement": [ 
        { 
            "Sid": "statement1", 
            "Effect": "Allow", 
            "Principal": { 
                "ID": "domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999" 
            }, 
            "Action": ["GetObjectVersion"], 
            "Resource": "examplebucket/obj01" 
        }, 
        { 
            "Sid": "statement2", 
            "Effect": "Deny", 
            "Principal": { 
                "ID": "domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999" 
            }, 
            "Action": ["GetObjectVersion"], 
            "Resource": "examplebucket/obj01", 
            "Condition": { 
                "StringNotEquals": { 
                    "VersionId": "0000015C76E7B6FE8bf6559fe44bab991985569b811bb864007855445346485a" 
                } 
            } 
        } 
    ] 
}

Allowing Users to Obtain the Object List in a Bucket Based on a Specified Prefix

The bucket owner can restrict a user to listing the content of a specified folder in a bucket. This is useful if the objects in the bucket are organized by key prefix; the OBS console displays the folder hierarchy based on the prefix.

This condition limits the user to listing object keys with the examplefolder prefix. The added explicit deny rejects any listing request with another prefix, regardless of what other permissions the user might have. For example, the user may later be granted an unrestricted listing permission by an updated user policy or by another bucket policy. However, because an explicit deny always overrides any other permission, requests to list keys with a prefix other than examplefolder are rejected.

{ 
    "Statement":[ 
        { 
            "Sid":"statement1", 
            "Effect":"Allow", 
            "Principal": { 
                "ID": "domain/783fc6652cf246c096ea836694f71855:user/*" 
            }, 
            "Action":[ 
                "ListBucket" 
            ], 
            "Resource":[ 
                "examplebucket" 
            ], 
            "Condition" : { 
                "StringEquals" : { 
                    "prefix": "examplefolder" 
                } 
            } 
        }, 
        { 
            "Sid":"statement2", 
            "Effect":"Deny", 
            "Principal": { 
                "ID": "domain/783fc6652cf246c096ea836694f71855:user/*" 
            }, 
            "Action":[ 
                "ListBucket" 
            ], 
            "Resource":[ 
                "examplebucket" 
            ], 
            "Condition" : { 
                "StringNotEquals" : { 
                    "prefix": "examplefolder" 
                } 
            } 
        } 
    ] 
}
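The following Python evaluator, added here as an illustration and not part of OBS, applies the decision rule used throughout these examples: every statement whose Principal, Action, Resource and Condition match is considered, an explicit Deny wins over any Allow, and a request that matches nothing is denied. It carries the copy-source and IP-restriction policies from above as Python dicts (the VersionId and prefix policies evaluate the same way through StringEquals and StringNotEquals); the caller string, the request-context keys (SourceIp, x-obs-copy-source) and the rule that an absent condition key makes a statement not apply are this example's assumptions.

```python
import fnmatch
import ipaddress
USER = "domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"
# The copy-source and IP-restriction policies from this page, copied as Python dicts
COPY_POLICY = {"Statement": [
    {"Sid": "putObject", "Effect": "Allow", "Principal": {"ID": USER},
     "Action": ["PutObject"], "Resource": "examplebucket/*"},
    {"Sid": "Deny copy /bucket/folder", "Effect": "Deny", "Principal": {"ID": USER},
     "Action": "PutObject", "Resource": "examplebucket/*",
     "Condition": {"StringNotLike": {"x-obs-copy-source": "sourcebucket/public/*"}}}]}
IP_POLICY = {"Statement": [
    {"Sid": "IPAllow", "Effect": "Allow", "Principal": "*", "Action": "*",
     "Resource": "examplebucket/*",
     "Condition": {"IpAddress": {"SourceIp": "192.168.0.0/24"},
                   "NotIpAddress": {"SourceIp": "192.168.0.1/32"}}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _like(value, patterns):  # glob match used for Principal, Action, Resource and *Like
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _ip_in(value, cidrs):
    return any(ipaddress.ip_address(value) in ipaddress.ip_network(c) for c in cidrs)

OPERATORS = {
    "StringEquals": lambda a, e: a in e, "StringNotEquals": lambda a, e: a not in e,
    "StringNotLike": lambda a, e: not _like(a, e),
    "IpAddress": _ip_in, "NotIpAddress": lambda a, e: not _ip_in(a, e),
}

def _condition_holds(condition, ctx):
    # Every operator/key pair must hold. A key absent from the request makes the statement
    # not apply (assumption; it keeps plain uploads without x-obs-copy-source allowed).
    return all(key in ctx and OPERATORS[op](ctx[key], _as_list(exp))
               for op, pairs in condition.items() for key, exp in pairs.items())

def evaluate(policy, caller, action, resource, ctx=None):
    """Return 'Allow' or 'Deny': explicit Deny overrides Allow; no match is an implicit Deny."""
    ctx, decision = ctx or {}, "Deny"
    for s in policy["Statement"]:
        principal_ok = s["Principal"] == "*" or _like(caller, _as_list(s["Principal"]["ID"]))
        if not (principal_ok and _like(action, _as_list(s["Action"]))
                and _like(resource, _as_list(s["Resource"]))
                and _condition_holds(s.get("Condition", {}), ctx)):
            continue
        if s["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```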