Updated on 2024-03-04 GMT+08:00

Conditions

In addition to effect, principals, resources, and actions, you can specify conditions for a bucket policy. A bucket policy takes effect only when its condition expressions match values contained in the request. Conditions is an optional parameter. You can determine whether to use this parameter based on service requirements.

For example, if account A needs to be granted with full control permissions for an object uploaded by account B in bucket example, you can specify that the upload request must contain the acl key and set the policy effect to Allow for account A. The complete condition expression is as follows:

Condition Operator

Key

Value

StringEquals

acl

bucket-owner-full-control

A condition consists of three parts: condition operator, key, and value. Condition operators and keys are associated with each other. For example:

  • If a string type condition operator is selected, such as StringEquals, the key can only be of the string type, such as UserAgent.
  • If a date type key is selected, such as CurrentTime, the condition operator can only be of the date type, such as DateEquals.

Table 1 describes the predefined condition operators provided by OBS.

Table 1 Condition operators

Type

Key

Description

String

StringEquals

Strict matching. Short version: streq

StringNotEquals

Strict negated matching. Short version: strneq

StringEqualsIgnoreCase

Strict matching, ignoring case. Short version: streqi

StringNotEqualsIgnoreCase

Strict negated matching, ignoring case. Short version: strneqi

StringLike

Loose case-sensitive matching. The values can include a multi-character match wildcard (*) or a single-character match wildcard (?) anywhere in the string. Short version: strl

StringNotLike

Negated loose case-sensitive matching. The values can include a multi-character match wildcard (*) or a single-character match wildcard (?) anywhere in the string. Short version: strnl

Numeric

NumericEquals

Strict matching. Short version: numeq

NumericNotEquals

Strict negated matching. Short version: numneq

NumericLessThan

"Less than" matching. Short version: numlt

NumericLessThanEquals

"Less than or equals" matching. Short version: numlteq

NumericGreaterThan

"Greater than" matching. Short version: numgt

NumericGreaterThanEquals

"Greater than or equals" matching. Short version: numgteq

Date

DateEquals

Strict matching. Short version: dateeq

DateNotEquals

Strict negated matching. Short version: dateneq

DateLessThan

Indicates that the date is earlier than a specific date. Short version: datelt

DateLessThanEquals

Indicates that the date is earlier than or equal to a specific date. Short version: datelteq

DateGreaterThan

Indicates that the date is later than a specific date. Short version: dategt

DateGreaterThanEquals

Indicates that the date is later than or equal to a specific date. Short version: dategteq

Boolean

Bool

Strict Boolean matching

IP address

IpAddress

Takes effect only on a specified IP address or IP address range. Example: x.x.x.x/24

NotIpAddress

Takes effect only on all except the specified IP address or IP address range. Example: x.x.x.x/24

A condition can contain any of the three types of keys: general keys, keys related to bucket actions, and keys related to object actions.

Table 2 General keys

Key

Type

Description

CurrentTime

Date

Indicates the date when the request is received by the server. The date format must comply with ISO 8601.

EpochTime

Numeric

Indicates the time when the request is received by the server, which is expressed as seconds since 1970.01.01 00:00:00 UTC, regardless of the leap seconds.

SecureTransport

Bool

Requests whether to use SSL.

SourceIp

IP address

Source IP address from which the request is sent

UserAgent

String

Requested client software agent

Referer

String

Indicates the link from which the request is sent.

Table 3 Keys related to bucket actions

Action

Optional Key

Description

Description

ListBucket

prefix

Type: String. Lists objects that begin with the specified prefix.

If prefix, delimiter, and max-keys are configured, the key-value pair meeting the conditions must be specified in the List operation for the bucket policy to take effect.

For example, if a bucket policy (with the conditional operator set to NumericEquals, the key to max-keys, and the value to 100) that allows anonymous users to read data is configured for a bucket, the anonymous users must add ?max-keys=100 to the end of the bucket domain name for listing objects. The listed objects are the first 100 objects in alphabetic order.

max-keys

Type: Numeric. Sets the maximum number of objects. Returned objects are listed in alphabetic order.

ListBucketVersions

prefix

Type: String. Lists multi-version objects whose name starts with the specified prefix.

max-keys

Type: Numeric. Sets the maximum number of objects. Returned objects are listed in alphabetic order.

PutBucketAcl

acl

Type: String. Configures the bucket ACL. When modifying a bucket ACL, you can use the request that contains a canned ACL setting in its header. Value options of a canned ACL setting: private|public-read|public-read-write|authenticated-read|bucket-owner-read|bucket-owner-full-control|log-delivery-write

None

Table 4 Keys related to object actions

Action

Optional Key

Description

PutObject

acl

Type: String. Configures the object ACL. When uploading an object, you can use the request that contains a canned ACL setting in its header. Value options of a canned ACL setting: private|public-read|public-read-write|authenticated-read|bucketowner-read|bucket-owner-full-control|log-delivery-write.

copysource

Type: String. Specifies names of the source bucket and the source object. Format: /bucketname/keyname

metadata-directive

Type: String. Specifies whether to copy the metadata from the source object or replace with the metadata in the request. Values: COPY|REPLACE

PutObjectAcl

acl

Type: String. Configures the object ACL. When uploading an object, you can use the request that contains a canned ACL setting in its header. Value options of a canned ACL setting: private|public-read|public-read-write|authenticated-read|bucketowner-read|bucket-owner-full-control|log-delivery-write.

GetObjectVersion

VersionId

Type: String. Obtains the object with the specified version ID.

GetObjectVersionAcl

VersionId

Type: String. Obtains the ACL of the object with specified version ID.

PutObjectVersionAcl

VersionId

Type: String. Specifies a version ID.

acl

Type: String. Configures the ACL of the object with the specified version ID. When uploading an object, you can use the request that contains a canned ACL setting in its header. Value options of a canned ACL setting: private|public-read|public-read-write|authenticated-read|bucketowner-read|bucket-owner-full-control|log-delivery-write.

DeleteObjectVersion

VersionId

Type: String. Deletes the object with the specified version ID.