Help Center/ Object Storage Service/ Permissions Configuration Guide/ Permission Control Methods/ Bucket Policies
Updated on 2024-08-15 GMT+08:00
View PDF
Share

Bucket Policies

Overview

A bucket policy applies to an OBS bucket and the objects in the bucket. By leveraging bucket policies, the owner of a bucket can authorize IAM users or other accounts the permissions to operate the bucket and its objects.

  • Creating a bucket and obtaining a bucket list are service-level operations. To obtain such operation permissions, you need to configure IAM permissions.
  • Due to data caching, after a bucket policy is configured, it takes 5 minutes at most for the policy to take effect.

Bucket Policy Templates

OBS Console provides bucket policy templates for eight typical scenarios. You can use these templates to quickly create bucket policies.

Some templates may require a configuration of principals or resources. You can also modify the existing template settings, including principals, resources, actions, and conditions.

Table 1 Bucket policy templates

Principal

Resource

Template Name

Actions Allowed

Advanced Settings

All accounts

Entire bucket (including the objects in it)

Public Read

Allows all accounts to perform the following actions on a bucket and the objects in it:

HeadBucket (to check whether the bucket exists and obtain the bucket metadata)

GetBucketLocation (to get the bucket location)

GetObject (to obtain object content and metadata)

RestoreObject (to restore objects from Archive storage)

GetObjectVersion (to obtain the content and metadata of a specified object version)

Excluding the specified actions is not allowed.

Public Read/Write

Allows all accounts to perform the following actions on a bucket and the objects in it:

ListBucket (to list objects in the bucket and obtain the bucket metadata)

ListBucketVersions (to list object versions in the bucket)

HeadBucket (to check whether the bucket exists and obtain the bucket metadata)

GetBucketLocation (to get the bucket location)

PutObject (to upload objects using PUT and POST, upload parts, initiate multipart uploads, and assemble parts)

GetObject (obtaining object content and metadata)

ModifyObjectMetaData (to modify object metadata)

ListBucketMultipartUploads (to list multipart uploads)

ListMultipartUploadParts (to list uploaded parts)

AbortMultipartUpload (to cancel multipart uploads)

RestoreObject (to restore objects from Archive storage)

GetObjectVersion (to obtain the content and metadata of a specified object version)

PutObjectAcl (to configure the object ACL)

GetObjectVersionAcl (to obtain the ACL of a specified object version)

GetObjectAcl (to obtain the object ACL)

Excluding the specified actions is not allowed.

Current account/Other accounts/Delegated accounts

Entire bucket (including the objects in it)

Bucket Read-Only

Allows specified accounts to perform the following actions on a bucket and the objects in it:

Get* (all GET actions)

List* (all LIST actions)

HeadBucket (to check whether the bucket exists and obtain the bucket metadata)

Excluding the specified actions is not allowed.

Bucket Read/Write

Allows specified accounts to perform all actions excluding the following ones on a bucket and the objects in it:

DeleteBucket (to delete a bucket)

PutBucketPolicy (to configure a bucket policy)

PutBucketAcl (to configure a bucket ACL)

The specified actions are excluded.

All accounts/Current account/Other accounts/Delegated accounts

Current bucket + Specified objects

Directory Read-Only

Allows all accounts or specified accounts to perform the following actions on the current bucket and the specified resources in it:

GetObject (to obtain object content and metadata)

GetObjectVersion (to obtain the content and metadata of a specified object version)

GetObjectVersionAcl (to obtain the ACL of a specified object version)

GetObjectAcl (to obtain the object ACL)

RestoreObject (to restore objects from Archive storage)

HeadBucket (to check whether the bucket exists and obtain the bucket metadata)

GetBucketLocation (to get the bucket location)

NOTE:

If you apply the policy to All accounts, ListBucket and ListBucketVersions are not included in the template.

Excluding the specified actions is not allowed.

Directory Read/Write

Allows all accounts or specified accounts to perform the following actions on the current bucket and the specified resources in it:

PutObject (to upload objects using PUT and POST, upload parts, initiate multipart uploads, and assemble parts)

GetObject (to obtain object content and metadata)

GetObjectVersion (to obtain the content and metadata of a specified object version)

ModifyObjectMetaData (to modify object metadata)

ListBucketMultipartUploads (to list multipart uploads)

ListMultipartUploadParts (to list uploaded parts)

AbortMultipartUpload (to cancel multipart uploads)

GetObjectVersionAcl (to obtain the ACL of a specified object version)

GetObjectAcl (to obtain the object ACL)

PutObjectAcl (to configure the object ACL)

RestoreObject (to restore objects from Archive storage)

ListBucket (to list objects in the bucket and obtain the bucket metadata)

ListBucketVersions (to list object versions in the bucket)

HeadBucket (to check whether the bucket exists and obtain the bucket metadata)

GetBucketLocation (to get the bucket location)

Excluding the specified actions is not allowed.

All accounts/Current account/Other accounts/Delegated accounts

Specified objects

Object Read-Only

Allows all accounts or specified accounts to perform the following actions on specified resources in the bucket:

GetObject (to obtain object content and metadata)

GetObjectVersion (to obtain the content and metadata of a specified object version)

GetObjectVersionAcl (obtaining the ACL of a specific object version)

GetObjectAcl (to obtain the object ACL)

RestoreObject (to restore objects from Archive storage)

Excluding the specified actions is not allowed.

Object Read/Write

Allows all accounts or specified accounts to perform the following actions on specified resources in the bucket:

PutObject (to upload objects using PUT and POST, upload parts, initiate multipart uploads, and assemble parts)

GetObject (to obtain object content and metadata)

GetObjectVersion (to obtain the content and metadata of a specified object version)

ModifyObjectMetaData (to modify object metadata)

ListMultipartUploadParts (to list uploaded parts)

AbortMultipartUpload (to cancel multipart uploads)

GetObjectVersionAcl (to obtain the ACL of an object version)

GetObjectAcl (to obtain the object ACL)

PutObjectAcl (to configure the object ACL)

RestoreObject (to restore objects from Archive storage)

Excluding the specified actions is not allowed.

Custom Bucket Policies

You can also customize a bucket policy based on your service requirements. A custom bucket policy consists of five basic elements: effect, principal, resources, actions, and conditions. For details, see OBS Permission Control Elements.

Object Policy

A bucket policy is applicable to a set of objects (with the same object name prefix) or to all objects (specified by an asterisk *) in the bucket. An object policy applies to objects in a bucket. To configure an object policy, select an object, and then configure a policy for it.

Object Policy Templates:

OBS Console provides object policy templates for two typical scenarios. You can use these templates to quickly create object policies.

Some templates may require a configuration of principals. You can also modify the existing template settings, including principals, actions, and conditions. The resource is the object that a policy applies to, which is automatically specified by the system and does not need to be modified.

Table 2 Object policy templates

Principal

Resource

Template Name

Actions Allowed

Advanced Settings

All accounts/Current account/Other accounts/Delegated accounts

Specified objects

Object Read-Only

Allows all accounts or specified accounts to perform the following actions on specified resources in the bucket:

GetObject (to obtain object content and metadata)

GetObjectVersion (to obtain the content and metadata of a specified object version)

GetObjectVersionAcl (to obtain the ACL of a specified object version)

GetObjectAcl (to obtain the object ACL)

RestoreObject (to restore objects from Archive storage)

Excluding the specified actions is not allowed.

Object Read/Write

Allows all accounts or specified accounts to perform the following actions on specified resources in the bucket:

PutObject (to upload objects using PUT and POST, upload parts, initiate multipart uploads, and assemble parts)

GetObject (to obtain object content and metadata)

GetObjectVersion (to obtain the content and metadata of a specified object version)

ModifyObjectMetaData (to modify object metadata)

ListMultipartUploadParts (to list uploaded parts)

AbortMultipartUpload (to cancel multipart uploads)

GetObjectVersionAcl (to obtain the ACL of an object version)

GetObjectAcl (to obtain the object ACL)

PutObjectAcl (to configure the object ACL)

RestoreObject (to restore objects from Archive storage)

Excluding the specified actions is not allowed.

Custom Object Policies

You can also customize an object policy as needed. A custom object policy consists of five elements: effect, principal, resources, actions, and conditions. For details, see Bucket Policy Parameters. The resource is automatically specified by the system.

Relationships Between Bucket Policies and Object Policies

An object policy applies to only one object in a bucket. A bucket policy applies to multiple or all objects in a bucket.

Application Scenarios of a Bucket Policy

  • You can use bucket policies to grant other Huawei Cloud accounts the permissions to access OBS resources.
  • You can also use bucket policies to grant IAM users the permissions to access buckets.

Configuring a Bucket Policy

Bucket Policy Example

  • Example 1: Grant an IAM user the specified operation permission on all objects in a specified bucket.

    The following policy grants the PutObject and PutObjectAcl permissions to the IAM user 71f3901173514e6988115ea2c26d1999 under account b4bf1b36d9ca43d984fbcb9491b6fce9.

    {
    "Statement":[
    {
      "Sid":"AddCannedAcl",
      "Effect":"Allow",
      "Principal": {"ID": ["domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]},
      "Action":["PutObject","PutObjectAcl"],
      "Resource":["examplebucket/*"]
    }
  ]
}
  • Example 2: Grant all permissions for a specified bucket to an IAM user.

    The following policy grants all permissions for bucket examplebucket and its objects to the user 71f3901173514e6988115ea2c26d1999 in account b4bf1b36d9ca43d984fbcb9491b6fce9.

    {
    "Statement":[
    {
      "Sid":"test",
      "Effect":"Allow",
      "Principal": {"ID": ["domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]},
      "Action":["*"],
      "Resource":[
        "examplebucket/*",
        "examplebucket"
      ]
    }
  ]
}
  • Example 3: Grant all permissions except the object deletion permission to an OBS user.

    The following policy grants the user 71f3901173514e6988115ea2c26d1999 under the account b4bf1b36d9ca43d984fbcb9491b6fce9 all permissions for the examplebucket bucket, excluding the permission to delete objects.

    {
    "Statement":[
    {
      "Sid":"test1",
      "Effect":"Allow",
      "Principal": {"ID": ["domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]},
      "Action":["*"],
      "Resource":["examplebucket/*"]
    },
    {
      "Sid":"test2",
      "Effect":"Deny",
      "Principal": {"ID": ["domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]},
      "Action":["DeleteObject"],
      "Resource":["examplebucket/*"]
    }
  ]
}
  • Example 4: Grant the read-only permission on a specified object to all accounts.

    The following policy grants all accounts the GetObject permissions to download object exampleobject from bucket examplebucket, allowing everyone to read data of the exampleobject object.

    {
    "Statement":[
    {
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["GetObject"],
      "Resource":["examplebucket/exampleobject"]
    }
  ]
}
  • Example 5: Allow access only from a specific IP address.

    The following policy grants the permission to allow users to access from the specific IP address range to perform any operations on OBS. The range is 192.168.0.*, excluding 192.168.0.1.

    You can use IpAddress and NotIpAddress conditions, and the SourceIp (in OBS range) condition key. The value of SourceIp is a CIDR notation described in RFC 4632.

    {
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "examplebucket/*",
      "Condition": {
         "IpAddress": {"SourceIp": "192.168.0.0/24"},
         "NotIpAddress": {"SourceIp": "192.168.0.1/32"} 
      } 
    } 
  ]
}