Configuring a Bucket Policy
Functions
This operation modifies or creates a bucket policy for a specified bucket. The existing policy in a bucket is overwritten by the policy in the request. You can add as many statements as you would like to a bucket. All these statements in JSON cannot exceed 20 KB.
To perform this operation, the user must be the bucket owner or the bucket owner's IAM user that has permissions required for configuring bucket policies.
For details about how to use bucket policies to manage permissions, see the permission control in the OBS Permission Configuration Guide.
Authorization Information
To call this API, you must be the bucket owner or have the permission to configure bucket policies. You are advised to use IAM or bucket policies for authorization. For details about OBS authorization methods, see Differences Between OBS Permissions Control Methods.
- If you use IAM for authorization, you need to use either role/policy-based authorization or identity policy-based authorization and configure the required permissions:
- If you use role/policy-based authorization (IAM v3 APIs in the old IAM version), you need to grant the obs:bucket:PutBucketPolicy permission. For details, see Creating a Custom IAM Policy.
- If you use identity policy-based authorization (IAM v5 APIs in the new IAM version), you need to grant the obs:bucket:putBucketPolicy permission, as shown in the following table. For details, see Creating a Custom IAM Identity Policy.
Action
Access Level
Resource Type (*: Required)
Dependencies
obs:bucket:putBucketPolicy
Permission_management
bucket *
-
-
-
- obs:EpochTime
- obs:SourceIp
- obs:TlsVersion
- obs:CustomDomain
- If you use bucket policies for authorization, you need to grant the obs:bucket:PutBucketPolicy permission. For details, see Creating a Custom Bucket Policy.
Request Syntax
1 2 3 4 5 |
PUT /?policy HTTP/1.1 Host: bucketname.obs.region.myhuaweicloud.com Date: date Authorization: signatureValue Policy written in JSON |
Request Parameters
This request contains no message parameters.
Request Headers
This request uses common headers. For details, see Table 3.
Request Elements
The request body is a JSON string that contains the bucket policy information. For details, see Bucket Policy Parameters.
Response Syntax
1 2 3 |
HTTP/1.1 status_code Date: date Content-Length: length |
Response Headers
The response to the request uses common headers. For details, see Table 1.
Response Elements
This response contains no elements.
Error Responses
No special error responses are returned. For details, see Table 2.
Sample Request 1
Grant permissions to an OBS tenant.
Grant permissions to the tenant whose ID is 783fc6652cf246c096ea836694f71855.
For details about how to obtain the tenant ID, see Obtaining Account, IAM User, Project, User Group, Region, and Agency Information. For details about the parameters in a bucket policy, see Bucket Policy Parameters.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
PUT /?policy HTTP/1.1 Host: examplebucket.obs.region.myhuaweicloud.com Date: WED, 01 Jul 2015 02:32:25 GMT Authorization: OBS H4IPJX0TQTHTHEBQQCEC:jZiAT8Vx4azWEvPRMWi0X5BpJMA= { "Statement": [ { "Sid": "Stmt1375240018061", "Action": [ "GetBucketLogging" ], "Effect": "Allow", "Resource": "logging.bucket", "Principal": { "ID": [ "domain/783fc6652cf246c096ea836694f71855:user/*" ] } } ] } |
Sample Response 1
1 2 3 4 5 6 |
HTTP/1.1 204 No Content x-obs-request-id: 7B6DFC9BC71DD58B061285551605709 x-obs-id-2: N0I2REZDOUJDNzFERDU4QjA2MTI4NTU1MTYwNTcwOUFBQUFBQUFBYmJiYmJiYmJD Date: WED, 01 Jul 2015 02:32:25 GMT Content-Length: 0 Server: OBS |
Sample Request 2
Grant permissions to an OBS user.
The user ID is 71f3901173514e6988115ea2c26d1999, and the account ID is 783fc6652cf246c096ea836694f71855.
For details about how to obtain the account ID and user ID, see Obtaining Account, IAM User, Project, User Group, Region, and Agency Information. For details about the parameters in a bucket policy, see Bucket Policy Parameters.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
PUT /?policy HTTP/1.1 Host: examplebucket.obs.region.myhuaweicloud.com Date: WED, 01 Jul 2015 02:33:28 GMT Authorization: OBS H4IPJX0TQTHTHEBQQCEC:jZiAT8Vx4azWEvPRMWi0X5BpJMA= { "Statement": [ { "Sid": "Stmt1375240018062", "Action": [ "PutBucketLogging" ], "Effect": "Allow", "Resource": "examplebucket", "Principal": { "ID": [ "domain/783fc6652cf246c096ea836694f71855:user/71f3901173514e6988115ea2c26d1999" ] } } ] } |
Sample Response 2
1 2 3 4 5 6 |
HTTP/1.1 204 No Content x-obs-request-id: 7B6DFC9BC71DD58B061285551605709 x-obs-id-2: N0I2REZDOUJDNzFERDU4QjA2MTI4NTU1MTYwNTcwOUFBQUFBQUFBYmJiYmJiYmJD Date: WED, 01 Jul 2015 02:33:28 GMT Content-Length: 0 Server: OBS |
Sample Request 3
Deny all users except the specified one all the operation permissions.
The user ID is 71f3901173514e6988115ea2c26d1999, and the account ID is 783fc6652cf246c096ea836694f71855.
For details about how to obtain the account ID and user ID, see Obtaining Account, IAM User, Project, User Group, Region, and Agency Information. For details about the parameters in a bucket policy, see Bucket Policy Parameters.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
PUT /?policy HTTP/1.1 Host: examplebucket.obs.region.myhuaweicloud.com Date: WED, 01 Jul 2015 02:34:34 GMT Authorization: OBS H4IPJX0TQTHTHEBQQCEC:jZiAT8Vx4azWEvPRMWi0X5BpJMA= { "Statement": [ { "Effect": "Deny", "Action": ["*"], "Resource": [ "examplebucket/*", "examplebucket" ], "NotPrincipal": { "ID": [ "domain/783fc6652cf246c096ea836694f71855:user/71f3901173514e6988115ea2c26d1999", "domain/783fc6652cf246c096ea836694f71855:root" ] } } ] } |
Sample Response 3
1 2 3 4 5 6 |
HTTP/1.1 204 No Content x-obs-request-id: A603000001604A7DFE4A4AF31E301891 x-obs-id-2: BKOvGmTlt6sda5X4G89PuMO4fabObGYmnpRGkaMba1LqPt0fCACEuCMllAObRK1n Date: WED, 01 Jul 2015 02:34:34 GMT Content-Length: 0 Server: OBS |
Sample Request 5
Granting permissions to a specified agency
The tenant whose account ID is 783fc6652cf246c096ea836694f71855 has an agency named exampleAgency. This example grants the agency the permission to view logs of the logging.bucket bucket.
For details about the bucket policy parameters, see Bucket Policy Parameters. For details about how to obtain the account ID and agency name, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
PUT /?policy HTTP/1.1 Host: examplebucket.obs.region.myhuaweicloud.com Date: WED, 01 Jul 2015 02:32:25 GMT Authorization: OBS H4IPJX0TQTHTHEBQQCEC:jZiAT8Vx4azWEvPRMWi0X5BpJMA= { "Statement": [ { "Sid": "Stmt1375240018061", "Action": [ "GetBucketLogging" ], "Effect": "Allow", "Resource": "logging.bucket", "Principal": { "ID": [ "domain/783fc6652cf246c096ea836694f71855:agency/exampleAgency" ] } } ] } |
Sample Response 5
1 2 3 4 5 6 |
HTTP/1.1 204 No Content x-obs-request-id: A603000001604A7DFE4A4AF31E301891 x-obs-id-2: BKOvGmTlt6sda5X4G89PuMO4fabObGYmnpRGkaMba1LqPt0fCACEuCMllAObRK1n Date: WED, 01 Jul 2015 02:34:34 GMT Content-Length: 0 Server: OBS |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
