Help Center> Object Storage Service> User Guide (Ankara Region)> OBS Console Operation Guide> Permissions Control> Permission Control Mechanisms> Bucket Policies and Object Policies
Updated on 2024-04-16 GMT+08:00
View PDF

Bucket Policies and Object Policies

Bucket Owner and Object Owner

The owner of a bucket is the account that created the bucket. If the bucket is created by an IAM user under the account, the bucket owner is the account instead of the IAM user.

The owner of an object is the account that uploads the object, who may not be the owner of the bucket to which the object belongs. For example, account B is granted the permission to access a bucket of account A, and account B uploads a file to the bucket. In that case, instead of the bucket owner account A, account B is the owner of the object.

Bucket Policies

Bucket policies apply to buckets and the objects in them. By leveraging bucket policies, the owner of a bucket can grant IAM users or other accounts the permissions to operate the bucket and objects in the bucket.

Application Scenarios

  • If no IAM policies are used for access control and you want to grant other accounts the permissions to access your OBS resources, you can use bucket policies.
  • You can configure bucket policies to grant IAM users different access permissions on buckets.
  • You can also use bucket policies to grant other accounts the permissions to access your buckets.

Bucket Policy Templates

OBS Console provides bucket policy templates for eight typical scenarios. You can use these templates to quickly create bucket policies.

Some templates may require a configuration of principals or resources. You can also modify the existing template settings, including principals, resources, actions, and conditions.

Table 1 Bucket policy templates

Principal

Resource

Template

Actions Allowed

Advanced Settings

All accounts

Entire bucket (including the objects in it)

Public Read

Allows anonymous users to perform the following actions on a bucket and the objects in it:

HeadBucket (to check whether the bucket exists and obtain the bucket metadata)

GetBucketLocation (to get the bucket location)

GetObject (to obtain object content and metadata)

GetObjectVersion (to obtain the content and metadata of a specified object version)

Excluding the specified actions is not allowed.

Public Read/Write

Allows anonymous users to perform the following actions on a bucket and the objects in it:

ListBucket (to list objects in the bucket and obtain the bucket metadata)

ListBucketVersions (to list object versions in the bucket)

HeadBucket (to check whether the bucket exists and obtain the bucket metadata)

GetBucketLocation (to get the bucket location)

PutObject (to upload objects using PUT and POST, upload parts, initiate multipart uploads, and assemble parts)

GetObject (to obtain object content and metadata)

ModifyObjectMetaData (to modify object metadata)

ListBucketMultipartUploads (to list multipart uploads)

ListMultipartUploadParts (to list uploaded parts)

AbortMultipartUpload (to abort multipart uploads)

GetObjectVersion (to obtain the content and metadata of a specified object version)

PutObjectAcl (to configure the object ACL)

GetObjectVersionAcl (to obtain the ACL of a specified object version)

GetObjectAcl (to obtain the object ACL)

Excluding the specified actions is not allowed.

Current account/Other accounts/Delegated accounts

Entire bucket (including the objects in it)

Bucket Read-Only

Allows specified accounts to perform the following actions on a bucket and the objects in it:

Get* (all GET actions)

List* (all LIST actions)

HeadBucket (to check whether the bucket exists and obtain the bucket metadata)

Excluding the specified actions is not allowed.

Bucket Read/Write

Allows specified accounts to perform all actions excluding the following ones on a bucket and the objects in it:

DeleteBucket (to delete the bucket)

PutBucketPolicy (to configure a bucket policy)

PutBucketAcl (to configure the bucket ACL)

The specified actions are excluded.

All accounts/Current account/Other accounts/Delegated accounts

Current bucket + Specified objects

Directory Read-Only

Allows anonymous users or specified accounts to perform the following actions on the current bucket and the specified resources in it:

GetObject (to obtain object content and metadata)

GetObjectVersion (to obtain the content and metadata of a specified object version)

GetObjectVersionAcl (to obtain the ACL of a specified object version)

GetObjectAcl (to obtain the object ACL)

ListBucket (to list objects in the bucket and obtain the bucket metadata)

ListBucketVersions (to list object versions in the bucket)

HeadBucket (to check whether the bucket exists and obtain the bucket metadata)

GetBucketLocation (to get the bucket location)

NOTE:

If you apply the policy to All accounts, ListBucket and ListBucketVersions are not included in the template.

Excluding the specified actions is not allowed.

Directory Read/Write

Allows anonymous users or specified accounts to perform the following actions on the current bucket and the specified resources in it:

PutObject (to upload objects using PUT and POST, upload parts, initiate multipart uploads, and assemble parts)

GetObject (to obtain object content and metadata)

GetObjectVersion (to obtain the content and metadata of a specified object version)

ModifyObjectMetaData (to modify object metadata)

ListBucketMultipartUploads (to list multipart uploads)

ListMultipartUploadParts (to list uploaded parts)

AbortMultipartUpload (to abort multipart uploads)

GetObjectVersionAcl (to obtain the ACL of a specified object version)

GetObjectAcl (to obtain the object ACL)

PutObjectAcl (to configure the object ACL)

ListBucket (to list objects in the bucket and obtain the bucket metadata)

ListBucketVersions (to list object versions in the bucket)

HeadBucket (to check whether the bucket exists and obtain the bucket metadata)

GetBucketLocation (to get the bucket location)

Excluding the specified actions is not allowed.

All accounts/Current account/Other accounts/Delegated accounts

Specified objects

Object Read-Only

Allows anonymous users or specified accounts to perform the following actions on specified resources in the bucket:

GetObject (to obtain object content and metadata)

GetObjectVersion (to obtain the content and metadata of a specified object version)

GetObjectVersionAcl (to obtain the ACL of a specified object version)

GetObjectAcl (to obtain the object ACL)

Excluding the specified actions is not allowed.

Object Read/Write

Allows anonymous users or specified accounts to perform the following actions on specified resources in the bucket:

PutObject (to upload objects using PUT and POST, upload parts, initiate multipart uploads, and assemble parts)

GetObject (to obtain object content and metadata)

GetObjectVersion (to obtain the content and metadata of a specified object version)

ModifyObjectMetaData (to modify object metadata)

ListMultipartUploadParts (to list uploaded parts)

AbortMultipartUpload (to abort multipart uploads)

GetObjectVersionAcl (to obtain the ACL of an object version)

GetObjectAcl (to obtain the object ACL)

PutObjectAcl (to configure the object ACL)

Excluding the specified actions is not allowed.

Custom Bucket Policies

You can also customize bucket policies based on your needs. A custom bucket policy consists of five basic elements: effect, principals, resources, actions, and conditions. For details, see Bucket Policy Parameters.

Object Policies

Object policies apply to objects in a bucket. A bucket policy is applicable to a set of objects (with the same object name prefix) or to all objects (specified by an asterisk *) in the bucket. To configure an object policy, select an object, and then configure a policy for it.

Object Policy Templates

OBS Console provides object policy templates for two typical scenarios. You can use these templates to quickly create object policies.

Some templates may require a configuration of principals. You can also modify the existing template settings, including principals, actions, and conditions. The resource in an object policy is the object that the policy is applied to, which is automatically specified by the system and does not need to be modified.

Table 2 Object policy templates

Principal

Resource

Template

Actions Allowed

Advanced Settings

All accounts/Current account/Other accounts/Delegated accounts

Specified objects

Object Read-Only

Allows anonymous users or specified accounts to perform the following actions on specified resources in the bucket:

GetObject (to obtain object content and metadata)

GetObjectVersion (to obtain the content and metadata of a specified object version)

GetObjectVersionAcl (to obtain the ACL of a specified object version)

GetObjectAcl (to obtain the object ACL)

Excluding the specified actions is not allowed.

Object Read/Write

Allows anonymous users or specified accounts to perform the following actions on specified resources in the bucket:

PutObject (to upload objects using PUT and POST, upload parts, initiate multipart uploads, and assemble parts)

GetObject (to obtain object content and metadata)

GetObjectVersion (to obtain the content and metadata of a specified object version)

ModifyObjectMetaData (to modify object metadata)

ListMultipartUploadParts (to list uploaded parts)

AbortMultipartUpload (to abort multipart uploads)

GetObjectVersionAcl (to obtain the ACL of a specified object version)

GetObjectAcl (to obtain the object ACL)

PutObjectAcl (to configure the object ACL)

Excluding the specified actions is not allowed.

Custom Object Policies

You can also customize object policies based on your needs. A custom object policy consists of five basic elements: effect, principals, resources, actions, and conditions, similar to a bucket policy. For details, see Bucket Policy Parameters.