Help Center> Object Storage Service> Permissions Configuration Guide> Permission Control Mechanisms> Bucket Policies
Updated on 2024-02-26 GMT+08:00
View PDF

Bucket Policies

Overview

A bucket policy applies to an OBS bucket and objects in the bucket. By leveraging bucket policies, the owner of a bucket can authorize IAM users or other accounts the permissions to operate the bucket and objects in the bucket.

  • Creating a bucket and obtaining a bucket list are service-level operations. To obtain such operation permissions, you need to configure IAM permissions.
  • Due to data caching, after a bucket policy is configured, it takes 5 minutes at most for the policy to take effect.

Bucket Policy Templates

OBS Console provides bucket policy templates for six typical scenarios. You can use these templates to quickly create bucket policies.

When using a template to create a bucket policy, you need to specify principals (authorized users) and resources, or you can modify the template settings, including principal, resources, actions, and conditions.

Table 1 Bucket policy templates

Template Name

Principal

Resource

Template Action

Bucket read-only

To be specified

The bucket and all the objects in it

Allows specified users to perform the following operations on the current bucket and all objects in it:

Get* (all get operations)

List* (all list operations)

HeadBucket (checking whether a bucket exists)

Bucket read and write

To be specified

The bucket and all the objects in it

Allows specified users to perform all operations excluding the following ones on the current bucket and all objects in it:

DeleteBucket (deleting a bucket)

PutBucketPolicy (configuring bucket policies)

PutBucketAcl (configuring a bucket ACL)

Directory read-only

To be specified

To be specified (You need to specify an object name prefix.)

Allows specified users to perform the following operations on the current bucket and specified objects in it:

ListBucket (listing objects in a bucket and obtaining the bucket metadata)

HeadBucket (checking whether a bucket exists)

GetBucketLocation (getting the bucket location)

ListBucketVersions (listing object versions in the bucket)

GetObject (obtaining object content and metadata)

RestoreObject (restoring objects from Archive storage)

GetObjectAcl (obtaining object ACL information)

GetObjectVersion (obtaining the content and metadata of a specified object version)

GetObjectVersionAcl (obtaining the ACL of a specific object version)

Directory read and write

To be specified

To be specified (You need to specify an object name prefix.)

Allows specified users to perform the following operations on the current bucket and specified objects in it:

ListBucket (listing objects in a bucket and obtaining the bucket metadata)

HeadBucket (checking whether a bucket exists)

GetBucketLocation (getting the bucket location)

ListBucketVersions (listing object versions in the bucket)

ListBucketMultipartUploads (listing multipart upload tasks)

GetObject (obtaining object content and metadata)

PutObject (PUT upload, POST upload, multipart upload, initialization of uploaded parts, and merging of parts)

RestoreObject (restoring objects from Archive storage)

GetObjectAcl (obtaining object ACL information)

PutObjectAcl (configuring an object ACL)

GetObjectVersion (obtaining the content and metadata of a specified object version)

GetObjectVersionAcl (obtaining the ACL of a specific object version)

AbortMultipartUpload (canceling multipart upload tasks)

ListMultipartUploadParts (listing uploaded parts)

ModifyObjectMetaData (modifying object metadata)

Public read

Anonymous user (all Internet users)

The bucket and all the objects in it

Allows anonymous users to perform the following operations on the current bucket and all objects in it:

HeadBucket (checking whether a bucket exists)

GetBucketLocation (getting the bucket location)

ListBucketVersions (listing object versions in the bucket)

GetObject (obtaining object content and metadata)

RestoreObject (restoring objects from Archive storage)

GetObjectVersion (obtaining the content and metadata of a specified object version)

Public Read and Write

Anonymous user (all Internet users)

The bucket and all the objects in it

Allows anonymous users to perform the following operations on the current bucket and all objects in it:

ListBucket (listing objects in a bucket and obtaining the bucket metadata)

HeadBucket (checking whether a bucket exists)

GetBucketLocation (getting the bucket location)

ListBucketVersions (listing object versions in the bucket)

ListBucketMultipartUploads (listing multipart upload tasks)

GetObject (obtaining object content and metadata)

PutObject (PUT upload, POST upload, multipart upload, initialization of uploaded parts, and merging of parts)

RestoreObject (restoring objects from Archive storage)

GetObjectAcl (obtaining object ACL information)

PutObjectAcl (configuring an object ACL)

GetObjectVersion (obtaining the content and metadata of a specified object version)

GetObjectVersionAcl (obtaining the ACL of a specific object version)

AbortMultipartUpload (canceling multipart upload tasks)

ListMultipartUploadParts (listing uploaded parts)

ModifyObjectMetaData (modifying object metadata)

Custom Bucket Policies

You can also customize a bucket policy based on your service requirements. A custom bucket policy consists of five basic elements: effect, principal, resources, actions, and conditions. For details, see OBS Permission Control Elements.

Object Policy

Object policies apply to objects in a bucket. A bucket policy is applicable to a set of objects (with the same object name prefix) or to all objects (specified by an asterisk *) in the bucket. To configure an object policy, select an object, and then configure a policy for it.

Object Policy Templates:

OBS Console provides object policy templates for four typical scenarios. You can use the templates to quickly configure object policies.

When using a template to create an object policy, you need to specify principals (authorized users), or you can modify the template settings, including the principal, actions, and conditions. The resource is the object for which a policy is configured. This resource is automatically specified by the system and does not need to be modified.

Table 2 Object policy templates

Template Name

Principal

Resource

Action

Read-only

To be specified

The selected object, which is automatically specified by the system and does not need to be modified.

Allows specified users to perform the following operations on the selected object:

GetObject (obtaining object content and metadata)

GetObjectVersion (obtaining the content and metadata of a specified object version)

GetObjectVersionAcl (obtaining the ACL of a specific object version)

GetObjectAcl (obtaining object ACL information)

RestoreObject (restoring Archive objects)

Read and write

To be specified

The selected object, which is automatically specified by the system and does not need to be modified.

Allows specified users to perform the following operations on the selected object:

PutObject (PUT upload, POST upload, multipart upload, initialization of uploaded parts, and merging of parts)

GetObject (obtaining object content and metadata)

GetObjectVersion (obtaining the content and metadata of a specified object version)

ModifyObjectMetaData (modifying object metadata)

ListMultipartUploadParts (listing uploaded parts)

AbortMultipartUpload (canceling multipart upload tasks)

GetObjectVersionAcl (obtaining the ACL of a specific object version)

GetObjectAcl (obtaining object ACL information)

PutObjectAcl (configuring an object ACL)

RestoreObject (restoring Archive objects)

Public read

Anonymous user (all Internet users)

The selected object, which is automatically specified by the system and does not need to be modified.

Allows anonymous users to perform the following operations on the selected object:

GetObject (obtaining object content and metadata)

RestoreObject (restoring Archive objects)

GetObjectVersion (obtaining the content and metadata of a specified object version)

Public read and write

Anonymous user (all Internet users)

The selected object, which is automatically specified by the system and does not need to be modified.

Allows anonymous users to perform the following operations on the selected object:

PutObject (PUT upload, POST upload, multipart upload, initialization of uploaded parts, and merging of parts)

GetObject (obtaining object content and metadata)

ModifyObjectMetaData (modifying object metadata)

ListMultipartUploadParts (listing uploaded parts)

AbortMultipartUpload (canceling multipart upload tasks)

RestoreObject (restoring Archive objects)

GetObjectVersion (obtaining the content and metadata of a specified object version)

PutObjectAcl (configuring an object ACL)

GetObjectVersionAcl (obtaining the ACL of a specific object version)

GetObjectAcl (obtaining object ACL information)

Custom Object Policies

You can also customize an object policy as needed. A custom object policy consists of five basic elements: effect, principal, resources, actions, and conditions. For details, see Bucket Policy Parameters. The resource is the selected object and is automatically specified by the system.

Relationship Between Bucket Policies and Object Policies

An object policy applies to only one object in a bucket. A bucket policy applies to multiple or all objects in a bucket.

Bucket Policy Application Scenarios

  • You can use bucket policies to grant other Huawei Cloud accounts the permissions to access OBS resources.
  • You can configure bucket policies to grant IAM users various access permissions to different buckets.

Configuring a Bucket Policy

Bucket Policy Example

  • Example 1: Grant an IAM user the specified operation permission on all objects in a specified bucket.

    The following example policy grants the PutObject and PutObjectAcl permissions to the IAM user whose ID is 71f3901173514e6988115ea2c26d1999 under account b4bf1b36d9ca43d984fbcb9491b6fce9 (account ID).

    {
    "Statement":[
    {
      "Sid":"AddCannedAcl",
      "Effect":"Allow",
      "Principal": {"ID": ["domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]},
      "Action":["PutObject","PutObjectAcl"],
      "Resource":["examplebucket/*"]
    }
  ]
}
  • Example 2: Grant all permissions for a specified bucket to an IAM user.

    The following example policy grants all operation permissions (including bucket operations and object operations) of examplebucket to the user whose ID is 71f3901173514e6988115ea2c26d1999 in account b4bf1b36d9ca43d984fbcb9491b6fce9 (account ID).

    {
    "Statement":[
    {
      "Sid":"test",
      "Effect":"Allow",
      "Principal": {"ID": ["domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]},
      "Action":["*"],
      "Resource":[
        "examplebucket/*",
        "examplebucket"
      ]
    }
  ]
}
  • Example 3: Grant all permissions except the object deletion permission to an OBS user.

    The following example policy grants a user (user ID 71f3901173514e6988115ea2c26d1999) of an account (ID b4bf1b36d9ca43d984fbcb9491b6fce9) all permissions for the examplebucket bucket, excluding the permission to delete objects.

    {
    "Statement":[
    {
      "Sid":"test1",
      "Effect":"Allow",
      "Principal": {"ID": ["domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]},
      "Action":["*"],
      "Resource":["examplebucket/*"]
    },
    {
      "Sid":"test2",
      "Effect":"Deny",
      "Principal": {"ID": ["domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]},
      "Action":["DeleteObject"],
      "Resource":["examplebucket/*"]
    }
  ]
}
  • Example 4: Grant the read-only permission on a specified object to anonymous users.

    The following example policy grants the GetObject (download object) permission of exampleobject in bucket examplebucket to anonymous users, allowing everyone to read data of the exampleobject object.

    {
    "Statement":[
    {
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["GetObject"],
      "Resource":["examplebucket/exampleobject"]
    }
  ]
}
  • Example 5: Restrict access to a specific IP address.

    The following policy grants all users the permission to perform any OBS operation. However, the requests must be from the specified IP address range. The IP address range that is allowed by the statement is 192.168.0.* with an exception of 192.168.0.1.

    Use IpAddress and NotIpAddress conditions, and use the SourceIp (in OBS range) condition key. The value of SourceIp is the CIDR notation described in RFC 4632.

    {
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "examplebucket/*",
      "Condition": {
         "IpAddress": {"SourceIp": "192.168.0.0/24"},
         "NotIpAddress": {"SourceIp": "192.168.0.1/32"} 
      } 
    } 
  ]
}