Help Center/ Object Storage Service/ Permissions Configuration Guide/ Permission Control Methods/ Bucket Policies/ Bucket Policy Parameters

Updated on 2025-08-04 GMT+08:00

View PDF

Bucket Policy Parameters

A bucket policy in JSON format:

{ 
"Statement" : [{
     statement1
  },
  {
     statement2
  },
  ......
 ]
}

Example:

{ 
"Statement" : [{
     "Sid": "ExampleStatementID1",
     "Principal": "*",
     "Effect": "Allow",   
     "Action": ["ListBucket"],
     "Resource": "examplebucket",
     "Condition": "some conditions"
  },
  {
     "Sid": "ExampleStatementID2",
     "Principal": "*",
     "Effect": "Allow",   
     "Action": ["PutObject"],
     "Resource": "examplebucket",
     "Condition": "some conditions"
  },
......
]
}

A policy consists of one or more statements. Each statement contains the following elements:

Table 1 Elements of a bucket policy statement

Element

Description

Mandatory/Optional

Sid

ID of the statement. The value is a string that describes the statement.

Optional

Principal

Domains and users that a statement applies to. The value can be a wildcard (*), indicating all users. To grant permissions to all users in a domain, set Principal to domain/domainid:user/*. To grant permissions to a specific user in a domain, set Principal to domain/domainid:user/userId or domain/domainid:user/userName.

If you configure a bucket inventory on OBS Console, a policy is automatically generated for the bucket. In the generated bucket policy, the value of Principal is {"Service": "obs"}. For details, see Bucket Inventories.

Optional. Select either Principal or NotPrincipal.

NotPrincipal

Users that the statement does not apply to. Its value has the same format as Principal.

The following gives an example that denies all operations performed by users except the specified IAM user.

domain_id indicates the account ID, and use_id indicates the IAM user ID. For details about how to obtain an account ID and IAM user ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information.

         
          
            
            
              {
    "Statement": [
        {
            "Effect": "Deny", 
            "Action": ["*"], 
            "Resource": [
                "examplebucket/*", 
                "examplebucket"
            ], 
            "NotPrincipal": {
                "ID": [
                    "domain/domain_id:user/use_id", 
                    "domain/domain_id:root"
                ]
            }
        }
     ]
}

             

           

         
        

Optional. Select either NotPrincipal or Principal.

Action

Actions that the statement applies to. This parameter specifies a set of all the operations supported by OBS. Its values are case insensitive. The value can be a wildcard character (*) that indicates all operations. For example: "Action":["List*","Get*"].

Optional. Select either Action or NotAction.

NotAction

Actions that are not controlled by this statement. Its value has the same format as Action.

Optional. Select either Action or NotAction.

Effect

Whether the permission in a statement is Allow or Deny.

Mandatory

Resource

Resources that the statement will apply to. You can use a wildcard (*) to indicate all resources.

Optional. Select either Resource or NotResource.

NotResource

Resources that the statement will not apply to. Its value has the same format as Resource.

Optional. Select either Resource or NotResource.

Condition

Conditions for the statement to take effect.

Optional

A statement must contain Action or NotAction, Resource or NotResource, and Principal or NotPrincipal.

Principal/NotPrincipal

Principal or NotPrincipal can be all accounts, specific tenants, specific users, federated users, or agencies.

All (all accounts)
```
"Principal": {"ID": "*"}
```
In the example, the wildcard (*) indicates Everyone/Anonymous. Do not use the wildcard for Principal of the role's trust policy unless you have restricted access by using the Condition element in the policy.

Specific tenants
If a tenant identifier is used as the Principal of a policy, permissions are granted to all users of this tenant. This includes all subscribers under the account. The following example demonstrates how to specify an account as an authorized person.
```
"Principal": { "ID": " domain/domainIdxxxx:user/*" }
```
You can also grant permissions to multiple tenants at a time:
```
"Principal": { 
  "ID": [
    "domain/domainIDxx1:user/useridxxxx",
    "domain/domainIDxx2:user/*"
  ]
}
```

Specific users

User names in the Principal element are case-sensitive.

"Principal": {"ID": "domain/domainIDxxx:user/user-name" }
"Principal": {
  "ID": [
    "domain/domainIDxxx:user/UserID1", 
    "domain/domainIDxxx:user/UserID2"
  ]
}

Federated users (using SAML identity provider)

"Principal": { "Federated": "domain/domainIDxxx:identity-provider/provider-name" }
"Principal": { "Federated": "domain/domainIDxxx:group/groupname" }

Agencies

* indicates all agencies of a tenant.

"Principal": { "ID": "domain/domainIDxxx:agency/agencyname" }
"Principal": { "ID": "domain/domainIDxxx:agency/*" }

If you configure a bucket inventory on OBS Console, a policy is automatically generated for the destination bucket. In the generated bucket policy, the Principal is configured as follows:

"Principal":{"Service": "obs"}

For details, see Bucket Inventories.

The principals on OBS Console refer to the users that the bucket policies apply to. These users can be accounts or IAM users. The Exclude settings can determine whether a bucket policy applies to the specified principals:

Specified principals: If you select this option, the bucket policy applies to users except the specified ones.

Exclude not selected: The bucket policy applies to the specified users.
Exclude selected: The bucket policy applies to users except the specified ones.

Specifying IAM users under the current account

You can set Principal to Current account and select one or more IAM users, so that the bucket policy applies to the selected IAM users under this account.

Specifying another account

You can set Principals to Other accounts, enter one or more account IDs, and then enter one or more user IDs to apply the bucket policy to only the IAM users under that account or those accounts.

To obtain the account ID and IAM user ID, log in to the console as an IAM user and go to the My Credentials page to obtain them.

Specifying a delegated account

You can set Principals to Delegated accounts and specify one or more delegated accounts. After the bucket policy is created, the delegated accounts can perform O&M on your behalf.

Delegated accounts can be added only after Other accounts is selected.

Specifying all accounts

To grant access to anyone, set Principals to All accounts.

Exercise caution when granting permissions to all accounts. If you grant the permissions to all accounts, anyone can access your bucket. You are advised to restrict access requests. For example, you can allow access only from a specific IP address.

Action/NotAction

If a policy applies to a bucket, configure bucket-related actions. If the policy applies to the objects in a bucket, configure object-related actions.

The Exclude setting determines whether the bucket policy applies to the specified actions.

Specified actions: If you select this option, the bucket policy applies to actions except the specified ones.

Exclude not selected: The bucket policy applies to the specified actions.
Exclude selected: The bucket policy applies to actions except the specified ones.
By default, Specified actions is selected for Exclude in the bucket read/write template only. The action exclusion setting in bucket policy templates cannot be modified.

Bucket Actions

For details, see Bucket Actions.

Object Actions

For details, see Object Actions.

Resource/NotResource

The resources supported by OBS are as follows:

bucketname: The Action drop-down list box lists all actions allowed on a bucket. To allow an action on a bucket, set Resource to the bucket name.
bucketname/objectname: The Action drop-down list box lists all actions allowed on an object. To allow an action on an object in a bucket, set Resource to bucketname/objectname. You can use a wildcard for objectname to allow an action on all objects in the bucket. For example, if you want to allow an action on all objects in a directory of a bucket, set Resource to "bucketname/directory/*". If you have permissions on all the objects in a bucket, set Resource to "bucketname/*". If you want to allow an action on both a bucket and its objects, set Resource to ["examplebucket/*","examplebucket"].

The following example policy grants the permissions to allow user1 with the ID of 71f3901173514e6988115ea2c26d1999 under account b4bf1b36d9ca43d984fbcb9491b6fce9 (account ID) to take all actions on the examplebucket bucket and all objects in it.

{ 
    "Statement":[ 
    { 
      "Sid":"test", 
      "Effect":"Allow", 
      "Principal": {"ID": ["domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]}, 
      "Action":["*"], 
      "Resource":["examplebucket/*","examplebucket"]
    } 
  ] 
}

On OBS Console, you can apply a bucket policy to the following resources: an entire bucket (including the objects in it), the current bucket, and specified objects in a bucket.

The Exclude setting determines whether the bucket policy applies to the specified resources.

Specified resources: If you select this option, the bucket policy applies to resources except the specified ones.

Exclude not selected: The bucket policy applies to the specified OBS resources.
Exclude selected: The bucket policy applies to OBS resources except the specified ones.

Applying a bucket policy to the entire bucket (including the objects in it)

To apply a bucket policy to the entire bucket (including the objects in it), actions related to the bucket and objects must be configured in the policy.

Applying a bucket policy to a bucket

To apply a bucket policy to the current bucket, select Current bucket. When configuring actions for the policy, select bucket related actions.

Applying a bucket policy to specified objects

To apply a bucket policy to specified objects in a bucket, object-related actions must be configured in the policy. Specifically, select Specified objects for Resources.

For an object, enter the object name (including its folder name if any). For example, if the resource is the example.jpg file in the imgs-folder folder in the bucket, enter the following in the resource text box:
imgs-folder/example.jpg
For an object set, use the wildcard asterisk (*). The asterisk (*) indicates an empty string or any combination of characters.
- Use only one asterisk (*) to indicate all objects in a bucket.
- Use Object name prefix* to indicate objects with this prefix in a bucket. Example:
  imgs*
- Use *Object name suffix to indicate objects with this suffix in a bucket. Example:
  *.jpg

Condition

In addition to the effect, principals, resources, and actions, you can also specify the conditions for a bucket policy to take effect. The bucket policy is applied only when its condition expressions match the values contained in the request. Conditions are optional. You can choose whether to configure them.

For example, if account A needs to have full control over an object uploaded by account B to bucket example of account A, the x-obs-acl key must be specified in the upload request and the policy effect must be set to Allow for account A. The complete condition expression is as follows:

Key	Condition Operator	Value
x-obs-acl	StringEquals (do not select If Exists)	bucket-owner-full-control

A condition consists of condition operator, key, and value. Condition operators and keys are correlated. If you select a string type, for example, StringEquals, for a condition operator, the key can only be a string type, for example, UserAgent. Likewise, if you select a key of the date type, for example, CurrentTime, the condition operator can only be a date type, for example, DateEquals.

A condition can contain multiple combinations of a condition key, a condition operator, and a condition value. The Condition combination in the following figure indicates that the request time ranges from 2015-07-01T12:00:00Z to 2018-04-16T15:00:00Z and the request IP address range is 192.168.176.0/24 or 192.168.143.0/24.

"Condition" : { 
  "DateGreaterThan" : { 
  "CurrentTime" : "2015-07-01T12:00:00Z" 
  }, 
  "DateLessThan": { 
  "CurrentTime" : "2018-04-16T15:00:00Z" 
  }, 
  "IpAddress" : { 
  "SourceIp" : ["192.168.176.0/24","192.168.143.0/24"] 
  } 
}

Condition Operators

A condition operator, a condition key, and a condition value together constitute a complete condition statement. A policy can be applied only when its request conditions are met. Table 2 lists the condition operators available for statements. If a condition operator corresponds to multiple identical keys, only the last key is retained.

**Table 2** Condition operators
Type	Element	Description
String	StringEquals	Strict matching. Short version: streq
	StringNotEquals	Strict negated matching. Short version: strneq
	StringEqualsIgnoreCase	Strict matching, ignoring case. Short version: streqi
	StringNotEqualsIgnoreCase	Strict negated matching, ignoring case. Short version: strneqi
	StringLike	Loose case-sensitive matching. The values can include a multi-character match wildcard (*) or a single-character match wildcard (?) anywhere in the string. Short version: strl
	StringNotLike	Negated loose case-sensitive matching. The values can include a multi-character match wildcard (*) or a single-character match wildcard (?) anywhere in the string. Short version: strnl
Numeric	NumericEquals	Matching. Short version: numeq Numeric indicates a data type expressed in numbers.
	NumericNotEquals	Negated matching. Short version: numneq
	NumericLessThan	"Less than" matching. Short version: numlt
	NumericLessThanEquals	"Less than or equals" matching. Short version: numlteq
	NumericGreaterThan	"Greater than" matching. Short version: numgt
	NumericGreaterThanEquals	"Greater than or equals" matching. Short version: numgteq
Date (The date format must comply with the ISO 8601 standard, for example, 2015-07-01T12:00:00Z.)	DateEquals	Matching a specific date. Short version: dateeq
	DateNotEquals	Negated matching. Short version: dateneq
	DateLessThan	The date is earlier than a specific date. Short version: datelt
	DateLessThanEquals	The date is earlier than or equal to a specific date. Short version: datelteq
	DateGreaterThan	The date is later than a specific date. Short version: dategt
	DateGreaterThanEquals	The date is later than or equal to a specific date. Short version: dategteq
Boolean	Bool	Strict Boolean matching
IP address	IpAddress	Specified IP address or range
IP address	NotIpAddress	All IP addresses excluding the specified IP address or range

Adding IfExists to the end of a condition operator

If you use the IfExists suffix in a condition, the policy applies when the values in the request are null (the condition is not checked) or matches the specified conditions in the policy. For example, the StringEqualsIfExists condition operator is specified to make sure that the policy applies with null request values or request values that match the values specified in the policy. On the console, you can configure the suffix by selecting If Exists in the Add Condition dialog box. IfExists can be added to any condition operator except the Null operator.

Using multi-valued operators

A multi-valued operator can be used only when the condition key is multi-valued. You can check Table 4 to see whether a condition key is multi-valued. A multi-valued condition key can have multiple values. For details, see Table 3. On the console, you can configure the multi-valued operator by specifying Qualifier in the Add Condition dialog box. For a single-valued condition key, Qualifier is default. ForAllValues indicates all values in the request, and ForAnyValue indicates any value in the request.

Click to enlarge

**Table 3** Multi-valued condition operators
Element	Description	Example
ForAllValues (For all values in the request)	Tests whether the value of every member of the request set is a subset of the condition key set. The condition returns true if every key value in the request matches at least one value in the policy.	This example shows how to use the ForAllValues with the StringEquals condition operator. The policy applies only when a requester has resource tag aa, bb, or cc. If a requester initiates an image sharing request to aa and cc, the request is allowed because the requested attributes all match values specified in the policy. If a requester initiates an image sharing request to aa, bb, cc, and dd, the request is denied because dd is not within the list of the allowed organization paths. "Condition": { "ForAllValues:StringEquals": { "g:ResourceTag/test": [ "aa", "bb", "cc" ] } }
ForAnyValue (For any value in the request)	Tests whether at least one member of the set of request values matches at least one member of the set of condition key values. The condition returns true if any one of the key values in the request matches any one of the condition values in the policy. For no matching key or a null dataset, the condition returns false.	This example shows how to use the ForAnyValue with the StringEquals condition operator. The policy applies when a requester has any of the following resource tags: aa, bb, or cc. If a requester initiates an image sharing request to aa and dd, the request is allowed because the request contains one match (aa). If a requester initiates an image sharing request to dd and ee, the request is denied because dd and ee are not within the list of the allowed organization paths. "Condition": { "ForAnyValue:StringEquals": { "g:ResourceTag/test": [ "aa", "bb", "cc" ] } }

Condition Keys

Condition keys can be classified into general keys, keys related to actions on buckets, and keys related to actions on objects. Table 4 lists the general keys.

Currently, all condition keys are available in regions like LA-Mexico City1. The condition keys supported by each region are subject to what displayed on the console. If some condition keys cannot be found in the region where your bucket is located, use a bucket in another region that supports these condition keys.

**Table 4** General keys
Key	Type	Multi-Valued or Not	Description
g:CalledVia	String	Yes	Used to control access across services. Requests for OBS may be forwarded through a chain of services. g:CalledVia records an ordered list of each service in the chain, as shown in Figure 1. For example, if a user requests to download an object from OBS through ModelArts, g:CalledVia records service.ModelArts. Figure 1 g:CalledVia The following gives an example that allows only requests made by ModelArts to make API calls for downloading objects from OBS. "Condition": { "ForAnyValue:StringEquals": { "g:CalledVia": "service.ModelArts" } }
g:CalledViaFirst	String	No	It refers to the first element in g:CalledVia, which means the first service that forwards a user's request.
g:CalledViaLast	String	No	It refers to the last element in g:CalledVia, which means the last service that forwards a user's request.
g:ViaService	Boolean	No	Whether the request was initiated by the cloud service on behalf of the user through the Impersonate protocol. The value of this key is true only when g:CalledVia is not an empty string. true: The request is initiated by a cloud service. false: The request is not initiated by a cloud service.
g:PrincipalIsService	Boolean	No	Whether the requesting principal is a cloud service. You can use this key to control whether only cloud services can access the specified APIs.
g:PrincipalServiceName	String	No	Name of the cloud service. This condition key is present only when the requester is a cloud service. The following example allows the policy to be applied only when the requester is ModelArts. "Condition": { "StringEquals": { "g:PrincipalServiceName": "service.ModelArts" } }
g:CurrentTime	Date	No	When a request was received. The time is in ISO 8601 format, for example, 2012-11-11T23:59:59Z.
CurrentTime	Date	No	Same as g:CurrentTime
EpochTime	Numeric	No	Time when the request was received by the server, which was expressed as seconds since 1970.01.01 00:00:00 UTC, regardless of the leap seconds
g:TokenIssueTime	Date	No	Time when the STSToken in the access credentials was issued
g:DomainName	String	No	Account name of the requester. To obtain an account name, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information.
g:DomainId	String	No	Account ID of the requester. To obtain an account ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information.
g:PrincipalAccount	String	No	Same attribute as g:DomainId
g:PrincipalType	String	No	Type of the principal, which can be User, AssumedAgency, or ExternalUser. When long-term IAM credentials are used for access, the value is User. When an IAM assumed-agency session is used for access, the value is AssumedAgency. When a virtual federated user is used for access, the value is ExternalUser.
g:PrincipalUrn	String	No	URN of the requester. Different principals have different URN formats. IAM users: iam::<domain-id>:user:<user-name> IAM agencies: sts::<domain-id>:assumed-agency:<agency-name>/<session-name> Virtual federated users: sts::<domain-id>:external-user:<idp-id>/<session-name> For details about how to obtain the parameters, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information. The session name is the entered enterprise username of the delegating party when you obtain the temporary access keys and security token of an agency.
g:PrincipalId	String	No	ID of the requesting principal. Different principals have different ID formats. IAM users: <user-id> IAM agencies: <agency-id>:<session-name> Virtual federated users: <idp-id>:<session-name> For details about how to obtain the parameters, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information. The session name is the entered enterprise username of the delegating party when you obtain the temporary access keys and security token of an agency.
g:UserName	String	No	IAM username of the requester. For details about how to obtain an IAM username, see Obtaining an IAM Username.
g:UserId	String	No	IAM user ID of the requester. For details about how to obtain an IAM user ID, see Obtaining an IAM User ID.
g:PrincipalOrgId	String	No	ID of the organization to which the principal belongs. You can use this condition key to specify that only principals in the specified organization can access the specified APIs. This condition key is present only when the principal is part of an organization.
g:PrincipalOrgPath	String	No	Organization path for the requesting account. You can use this key to control that only accounts at specified levels in the organization can access the specified APIs. This condition key is present only when the requester is part of an organization. An account's organization path is in the following format: <organization-id>/<root-id>/(<ou-id>/)*<account-id>
g:ResourceOrgId	String	No	ID of the organization to which the bucket owner account belongs
g:ResourceOrgPath	String	No	Path of the bucket owner account in the organization
g:ResourceAccount	String	No	Account ID of the bucket owner. For details about how to obtain an account ID, see Obtaining an Account ID.
g:MFAPresent	Boolean	No	Whether multi-factor authentication (MFA) is used to obtain a token true: MFA authentication is used. false: MFA authentication is not used.
g:MFAAge	Numeric	No	Validity period (in seconds) of STS security tokens obtained through MFA authentication. This condition must be used together with g:MFAPresent. This condition key is present only when you log in to the console through MFA authentication or when you use the assumed-agency session obtained through MFA to make a request.
g:Referer	String	No	HTTP referer header in a request. As this key is specified by the client, it should not be used to prevent unauthorized parties from making direct requests.
Referer	String	No	Same as g:Referer
g:RequestedRegion	String	No	Region that was called in a request. If the target cloud service is a global service, set this parameter to NULL. If the target cloud service is a regional service, set this parameter to the ID of the region, for example, cn-north-4. This condition key is present only when certain region-specific services are requested.
g:RequestTag/<tag-key>	String	No	Tag contained in a request. <tag-key> is case-insensitive. If a requester adds a tag when making an API call (for example, adding a tag for an existing bucket or adding a tag when creating a bucket), you can use this condition key to check whether the request contains the tag. You need to manually enter a tag key.
g:ResourceTag/<tag-key>	String	No	Tag attached to the requested resource. You can use this key to control that only resources with specified tags can be accessed. <tag-key> is case-insensitive. You need to manually enter a tag key.
g:TagKeys	String	Yes	List of tag keys in a request The following example allows the policy to be applied when the tag included in a request is either group or country. "Condition": { "ForAnyValue:StringNotEquals": { "g:TagKeys": ["group", "country"] } }
g:SecureTransport	Boolean	No	Whether the request was sent using SSL true: SSL is used. false: SSL is not used.
SecureTransport	Boolean	No	Same as g:SecureTransport
TlsVersion	Numeric	No	TLS version used in the request Restrictions on using TlsVersion: TlsVersion cannot be used for parallel file systems. If a client uses OBS Console, OBS Browser+, or SDKs to access OBS, the used TLS version cannot be earlier than 1.2, or the requests will be denied. Note that when a user accesses OBS through the console, OBS detects the TLS version used by the console system, rather than the TLS version of the original request. TlsVersion cannot be used in the getBucketLocation API. The following gives an example that denies object download requests initiated by clients whose TLS version is earlier than 1.2. "Condition":{ "NumericLessThan":{ "TlsVersion": "1.2" } }
g:SourceIdentity	String	No	The source_identity field that was set in the temporary IAM credential STSToken. The source_identity field is specified when a user obtains a temporary IAM credential for the first time through the AssumeAgency API of STS and cannot be changed in subsequent agency switching.
g:SourceIp	IP address	No	Public IP address that made the request to access OBS. If a proxy or NAT is used for access, the public IP address that made the request will change. OBS then checks the last-hop public IP address of the request for accessing the server.
SourceIp	IP address	No	IP address that made the request. When SourceIp is used, the IP address provided by the customer is preferentially identified. If no IP address is provided, the previous-hop IP address is identified. Using SourceIp may cause IP address spoofing.
SourceVpc	String	No	ID of the VPC that initiated the request. For details about how to obtain a VPC ID, see Obtaining a VPC ID.
g:SourceVpce	String	No	ID of the VPC endpoint that initiated the request. For details about how to obtain a VPC endpoint ID, see Obtaining a VPC Endpoint ID.
SourceVpce	String	No	Same as g:SourceVpce
g:VpcSourceIp	IP address	No	Source IP address of a request initiated in a VPC
g:UserAgent	String	No	HTTP User-Agent header in a request. As this key is specified by the client, it should not be used to prevent unauthorized parties from making direct requests.
UserAgent	String	No	Same as g:UserAgent
g:EnterpriseProjectId	String	No	ID of the enterprise project for the request or the requested resource. For details about how to obtain an enterprise project ID, see How Do I Obtain an Enterprise Project ID?
ServiceAgency	String	No	Name of the IAM agency that delegates cloud services to access OBS. For details about how to obtain an agency name, see Obtaining an Agency Name.
g:SourceAccount	String	No	Account of the resource for which a service-to-service request was initiated
g:SourceUrn	String	No	URN of the resource for which a service-to-service request was initiated

Action-related condition keys can be used only when a specific action is selected. Table 5 and Table 6 list the mapping between actions and condition keys.

**Table 5** Keys related to bucket actions
Action	Optional Key	Description	Remarks
ListBucket	prefix	Type: String. Lists objects with the specified prefix.	If prefix, delimiter, and max-keys are configured for a bucket policy, the List requests must contain the matched key-value pair. For example, if a bucket policy (with the condition operator set to NumericEquals, the key to max-keys, and the value to 100) is configured to allow all accounts to read data from a bucket, the List requests from all accounts must have ?max-keys=100 at the end of the bucket domain name. The listed objects are the first 100 objects in alphabetic order.
	delimiter	Type: String. Groups objects in a bucket.
	max-keys	Type: Numeric. Sets the maximum number of objects. Returned objects are listed in alphabetic order.
ListBucketVersions	prefix	Type: String. Lists multi-version objects with the specified prefix.
	delimiter	Type: String. Groups objects of different versions in a bucket.
	max-keys	Type: Numeric. Sets the maximum number of objects. Returned objects are listed in alphabetic order.
PutBucketAcl	x-obs-acl	Type: String. Configures the bucket ACL. When modifying a bucket ACL, you can use the request that contains a canned ACL setting in its header. Value options of a canned ACL setting: private\|public-read\|public-read-write\|bucketowner-read\|log-delivery-write.	None

**Table 6** Keys related to object actions
Action	Optional Key	Description
PutObject	x-obs-acl	Type: String. Configures the object ACL. When uploading an object, you can use the request that contains a canned ACL setting in its header. Value options of a canned ACL setting: private\|public-read\|public-read-write\|bucketowner-read\|bucket-owner-full-control\|log-delivery-write.
	x-obs-copy-source	Type: String. Specifies names of the source bucket and the source object. Format: /bucketname/keyname
	x-obs-metadata-directive	Type: String. Specifies whether to copy the metadata of the source object or replace with the metadata in the request. The value can be COPY or REPLACE.
	x-obs-server-side-encryption	Type: String. Specifies that objects in a bucket are encrypted using SSE-KMS before they are stored. The value is kms.
PutObjectAcl	x-obs-acl	Type: String. Configures the object ACL. When uploading an object, you can use the request that contains a canned ACL setting in its header. Value options of a canned ACL setting: private\|public-read\|public-read-write\|bucketowner-read\|bucket-owner-full-control\|log-delivery-write.
GetObjectVersion	versionId	Type: String. Obtains the object with the specified version ID.
GetObjectVersionAcl	versionId	Type: String. Obtains the ACL of the object with the specified version ID.
PutObjectVersionAcl	versionId	Type: String. Specifies a version ID.
PutObjectVersionAcl	x-obs-acl	Type: String. Configures the ACL of the object with the specified version ID. When uploading an object, you can use the request that contains a canned ACL setting in its header. Value options of a canned ACL setting: private\|public-read\|public-read-write\|bucketowner-read\|bucket-owner-full-control\|log-delivery-write.
DeleteObjectVersion	versionId	Type: String. Deletes the object with the specified version ID.

Policy Permission Judgment Logic

Each statement in a policy can have the action Explicit Deny, Allow, or Default Deny. If a bucket policy contains multiple statements with different actions, the final action is determined according to the following rules:

- If there are no Explicit Deny or Allow, Default Deny will apply.

- An explicit deny overrides an allow.

- An allow overrides a default deny.

- Statements can be in any order in a policy.

**Table 7** Statement results
Result	Description
explicit deny	A statement defines effect="deny". All requests for resources to which the statement applies are denied. No permission is returned.
allow	A statement defines effect="allow". All requests for resources to which the statement applies are allowed.
default deny	Conditions defined in a statement are not met. Requests are denied.

If both an ACL and a bucket policy apply, an explicit deny in the bucket policy overrides the allow in the ACL.

If both a bucket policy and an IAM policy apply, an explicit deny overrides an allow, and an allow overrides the default deny.

Bucket ACL/Policy for cross-tenant authorization does not apply to SSE-KMS server-side encrypted objects.

Parent Topic: Bucket Policies

Previous topic: Bucket Policy Overview

Next topic: ACLs

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot