Updated on 2025-08-04 GMT+08:00

Bucket Policy Parameters

A bucket policy in JSON format:

{ 
"Statement" : [{
     statement1
  },
  {
     statement2
  },
  ......
 ]
}
Example:
{ 
"Statement" : [{
     "Sid": "ExampleStatementID1",
     "Principal": "*",
     "Effect": "Allow",   
     "Action": ["ListBucket"],
     "Resource": "examplebucket",
     "Condition": "some conditions"
  },
  {
     "Sid": "ExampleStatementID2",
     "Principal": "*",
     "Effect": "Allow",   
     "Action": ["PutObject"],
     "Resource": "examplebucket",
     "Condition": "some conditions"
  },
......
]
}

A policy consists of one or more statements. Each statement contains the following elements:

Table 1 Elements of a bucket policy statement

  • Sid (optional): ID of the statement. The value is a string that describes the statement.
  • Principal (optional; select either Principal or NotPrincipal): Domains and users that a statement applies to. The value can be a wildcard (*), indicating all users. To grant permissions to all users in a domain, set Principal to domain/domainid:user/*. To grant permissions to a specific user in a domain, set Principal to domain/domainid:user/userId or domain/domainid:user/userName.

    If you configure a bucket inventory on OBS Console, a policy is automatically generated for the bucket. In the generated bucket policy, the value of Principal is {"Service": "obs"}. For details, see Bucket Inventories.

  • NotPrincipal (optional; select either NotPrincipal or Principal): Users that the statement does not apply to. Its value has the same format as Principal.

    The following gives an example that denies all operations performed by users except the specified IAM user.

    domain_id indicates the account ID, and user_id indicates the IAM user ID. For details about how to obtain an account ID and IAM user ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information.

    {
        "Statement": [
            {
                "Effect": "Deny",
                "Action": ["*"],
                "Resource": [
                    "examplebucket/*",
                    "examplebucket"
                ],
                "NotPrincipal": {
                    "ID": [
                        "domain/domain_id:user/user_id",
                        "domain/domain_id:root"
                    ]
                }
            }
        ]
    }

  • Action (optional; select either Action or NotAction): Actions that the statement applies to. This parameter specifies a set of all the operations supported by OBS. Its values are case insensitive. The value can be a wildcard character (*) that indicates all operations. For example: "Action":["List*","Get*"].
  • NotAction (optional; select either Action or NotAction): Actions that are not controlled by this statement. Its value has the same format as Action.
  • Effect (mandatory): Whether the permission in a statement is Allow or Deny.
  • Resource (optional; select either Resource or NotResource): Resources that the statement will apply to. You can use a wildcard (*) to indicate all resources.
  • NotResource (optional; select either Resource or NotResource): Resources that the statement will not apply to. Its value has the same format as Resource.
  • Condition (optional): Conditions for the statement to take effect.

A statement must contain Action or NotAction, Resource or NotResource, and Principal or NotPrincipal.

Principal/NotPrincipal

Principal or NotPrincipal can be all accounts, specific tenants, specific users, federated users, or agencies.

  • All (all accounts)
    "Principal": {"ID": "*"}

    In the example, the wildcard (*) indicates Everyone/Anonymous. Do not use the wildcard for Principal of the role's trust policy unless you have restricted access by using the Condition element in the policy.

  • Specific tenants

    If a tenant identifier is used as the Principal of a policy, permissions are granted to all users of this tenant. This includes all subscribers under the account. The following example demonstrates how to specify an account as an authorized person.

    "Principal": { "ID": "domain/domainIdxxxx:user/*" }

    You can also grant permissions to multiple tenants at a time:

    "Principal": { 
      "ID": [
        "domain/domainIDxx1:user/useridxxxx",
        "domain/domainIDxx2:user/*"
      ]
    }
  • Specific users

    User names in the Principal element are case-sensitive.

    "Principal": {"ID": "domain/domainIDxxx:user/user-name" }
    "Principal": {
      "ID": [
        "domain/domainIDxxx:user/UserID1", 
        "domain/domainIDxxx:user/UserID2"
      ]
    }
  • Federated users (using SAML identity provider)
    "Principal": { "Federated": "domain/domainIDxxx:identity-provider/provider-name" }
    "Principal": { "Federated": "domain/domainIDxxx:group/groupname" }
  • Agencies
    * indicates all agencies of a tenant.
    "Principal": { "ID": "domain/domainIDxxx:agency/agencyname" }
    "Principal": { "ID": "domain/domainIDxxx:agency/*" }

If you configure a bucket inventory on OBS Console, a policy is automatically generated for the destination bucket. In the generated bucket policy, the Principal is configured as follows:

"Principal":{"Service": "obs"}

For details, see Bucket Inventories.

The principals on OBS Console refer to the users that the bucket policies apply to. These users can be accounts or IAM users. The Exclude settings can determine whether a bucket policy applies to the specified principals:

Specified principals: If you select this option, the bucket policy applies to users except the specified ones.

  • Exclude not selected: The bucket policy applies to the specified users.
  • Exclude selected: The bucket policy applies to users except the specified ones.

Specifying IAM users under the current account

You can set Principal to Current account and select one or more IAM users, so that the bucket policy applies to the selected IAM users under this account.

Specifying another account

You can set Principals to Other accounts, enter one or more account IDs, and then enter one or more user IDs to apply the bucket policy to only the IAM users under that account or those accounts.

To obtain the account ID and IAM user ID, log in to the console as an IAM user and go to the My Credentials page to obtain them.

Specifying a delegated account

You can set Principals to Delegated accounts and specify one or more delegated accounts. After the bucket policy is created, the delegated accounts can perform O&M on your behalf.

Delegated accounts can be added only after Other accounts is selected.

Specifying all accounts

To grant access to anyone, set Principals to All accounts.

Exercise caution when granting permissions to all accounts. If you grant the permissions to all accounts, anyone can access your bucket. You are advised to restrict access requests. For example, you can allow access only from a specific IP address.

Action/NotAction

If a policy applies to a bucket, configure bucket-related actions. If the policy applies to the objects in a bucket, configure object-related actions.

The Exclude setting determines whether the bucket policy applies to the specified actions.

Specified actions: If you select this option, the bucket policy applies to actions except the specified ones.

  • Exclude not selected: The bucket policy applies to the specified actions.
  • Exclude selected: The bucket policy applies to actions except the specified ones.
  • By default, Specified actions is selected for Exclude in the bucket read/write template only. The action exclusion setting in bucket policy templates cannot be modified.

Bucket Actions

For details, see Bucket Actions.

Object Actions

For details, see Object Actions.

Resource/NotResource

The resources supported by OBS are as follows:

  • bucketname: The Action drop-down list box lists all actions allowed on a bucket. To allow an action on a bucket, set Resource to the bucket name.
  • bucketname/objectname: The Action drop-down list box lists all actions allowed on an object. To allow an action on an object in a bucket, set Resource to bucketname/objectname. You can use a wildcard for objectname to allow an action on all objects in the bucket. For example, to allow an action on all objects in a directory of a bucket, set Resource to "bucketname/directory/*". To allow an action on all objects in a bucket, set Resource to "bucketname/*". To allow an action on both a bucket and its objects, set Resource to ["examplebucket/*","examplebucket"].

The following example policy grants the permissions to allow user1 with the ID of 71f3901173514e6988115ea2c26d1999 under account b4bf1b36d9ca43d984fbcb9491b6fce9 (account ID) to take all actions on the examplebucket bucket and all objects in it.

{ 
    "Statement":[ 
    { 
      "Sid":"test", 
      "Effect":"Allow", 
      "Principal": {"ID": ["domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]}, 
      "Action":["*"], 
      "Resource":["examplebucket/*","examplebucket"]
    } 
  ] 
}

On OBS Console, you can apply a bucket policy to the following resources: an entire bucket (including the objects in it), the current bucket, and specified objects in a bucket.

The Exclude setting determines whether the bucket policy applies to the specified resources.

Specified resources: If you select this option, the bucket policy applies to resources except the specified ones.

  • Exclude not selected: The bucket policy applies to the specified OBS resources.
  • Exclude selected: The bucket policy applies to OBS resources except the specified ones.

Applying a bucket policy to the entire bucket (including the objects in it)

To apply a bucket policy to the entire bucket (including the objects in it), actions related to the bucket and objects must be configured in the policy.

Applying a bucket policy to a bucket

To apply a bucket policy to the current bucket, select Current bucket. When configuring actions for the policy, select bucket related actions.

Applying a bucket policy to specified objects

To apply a bucket policy to specified objects in a bucket, object-related actions must be configured in the policy. Specifically, select Specified objects for Resources.

  • For an object, enter the object name (including its folder name if any). For example, if the resource is the example.jpg file in the imgs-folder folder in the bucket, enter the following in the resource text box:

    imgs-folder/example.jpg

  • For an object set, use the wildcard asterisk (*). The asterisk (*) indicates an empty string or any combination of characters.
    • Use only one asterisk (*) to indicate all objects in a bucket.
    • Use Object name prefix* to indicate objects with this prefix in a bucket. Example:

      imgs*

    • Use *Object name suffix to indicate objects with this suffix in a bucket. Example:

      *.jpg

Condition

In addition to the effect, principals, resources, and actions, you can also specify the conditions for a bucket policy to take effect. The bucket policy is applied only when its condition expressions match the values contained in the request. Conditions are optional. You can choose whether to configure them.

For example, if account A needs to have full control over an object uploaded by account B to bucket example of account A, the x-obs-acl key must be specified in the upload request and the policy effect must be set to Allow for account A. The complete condition expression is as follows:

  • Key: x-obs-acl
  • Condition operator: StringEquals (do not select If Exists)
  • Value: bucket-owner-full-control

A condition consists of condition operator, key, and value. Condition operators and keys are correlated. If you select a string type, for example, StringEquals, for a condition operator, the key can only be a string type, for example, UserAgent. Likewise, if you select a key of the date type, for example, CurrentTime, the condition operator can only be a date type, for example, DateEquals.

A condition can contain multiple combinations of a condition key, a condition operator, and a condition value. The Condition combination in the following example indicates that the request time ranges from 2015-07-01T12:00:00Z to 2018-04-16T15:00:00Z and the request IP address range is 192.168.176.0/24 or 192.168.143.0/24.

"Condition" : {
  "DateGreaterThan" : {
    "CurrentTime" : "2015-07-01T12:00:00Z"
  },
  "DateLessThan": {
    "CurrentTime" : "2018-04-16T15:00:00Z"
  },
  "IpAddress" : {
    "SourceIp" : ["192.168.176.0/24","192.168.143.0/24"]
  }
}

Condition Operators

A condition operator, a condition key, and a condition value together constitute a complete condition statement. A policy can be applied only when its request conditions are met. Table 2 lists the condition operators available for statements. If a condition operator corresponds to multiple identical keys, only the last key is retained.

Table 2 Condition operators

String operators:
  • StringEquals: Strict matching. Short version: streq
  • StringNotEquals: Strict negated matching. Short version: strneq
  • StringEqualsIgnoreCase: Strict matching, ignoring case. Short version: streqi
  • StringNotEqualsIgnoreCase: Strict negated matching, ignoring case. Short version: strneqi
  • StringLike: Loose case-sensitive matching. The values can include a multi-character match wildcard (*) or a single-character match wildcard (?) anywhere in the string. Short version: strl
  • StringNotLike: Negated loose case-sensitive matching. The values can include a multi-character match wildcard (*) or a single-character match wildcard (?) anywhere in the string. Short version: strnl

Numeric operators (Numeric indicates a data type expressed in numbers):
  • NumericEquals: Matching. Short version: numeq
  • NumericNotEquals: Negated matching. Short version: numneq
  • NumericLessThan: "Less than" matching. Short version: numlt
  • NumericLessThanEquals: "Less than or equals" matching. Short version: numlteq
  • NumericGreaterThan: "Greater than" matching. Short version: numgt
  • NumericGreaterThanEquals: "Greater than or equals" matching. Short version: numgteq

Date operators (the date format must comply with the ISO 8601 standard, for example, 2015-07-01T12:00:00Z):
  • DateEquals: Matching a specific date. Short version: dateeq
  • DateNotEquals: Negated matching. Short version: dateneq
  • DateLessThan: The date is earlier than a specific date. Short version: datelt
  • DateLessThanEquals: The date is earlier than or equal to a specific date. Short version: datelteq
  • DateGreaterThan: The date is later than a specific date. Short version: dategt
  • DateGreaterThanEquals: The date is later than or equal to a specific date. Short version: dategteq

Boolean operator:
  • Bool: Strict Boolean matching

IP address operators:
  • IpAddress: Specified IP address or range
  • NotIpAddress: All IP addresses excluding the specified IP address or range

Adding IfExists to the end of a condition operator

If you use the IfExists suffix in a condition, the policy applies when the values in the request are null (the condition is not checked) or match the conditions specified in the policy. For example, the StringEqualsIfExists condition operator makes sure that the policy applies with null request values or with request values that match the values specified in the policy. On the console, you can configure the suffix by selecting If Exists in the Add Condition dialog box. IfExists can be added to any condition operator except the Null operator.

Using multi-valued operators

A multi-valued operator can be used only when the condition key is multi-valued. You can check Table 4 to see whether a condition key is multi-valued. A multi-valued condition key can have multiple values. For details, see Table 3. On the console, you can configure the multi-valued operator by specifying Qualifier in the Add Condition dialog box. For a single-valued condition key, Qualifier is default. ForAllValues indicates all values in the request, and ForAnyValue indicates any value in the request.

Table 3 Multi-valued condition operators

  • ForAllValues (for all values in the request): Tests whether the value of every member of the request set is a subset of the condition key set. The condition returns true if every key value in the request matches at least one value in the policy.

    This example shows how to use ForAllValues with the StringEquals condition operator. The policy applies only when a requester has resource tag aa, bb, or cc.

    If a requester initiates an image sharing request to aa and cc, the request is allowed because the requested attributes all match values specified in the policy.

    If a requester initiates an image sharing request to aa, bb, cc, and dd, the request is denied because dd is not within the list of allowed values.

    "Condition": {
        "ForAllValues:StringEquals": {
            "g:ResourceTag/test": [
                "aa",
                "bb",
                "cc"
            ]
        }
    }

  • ForAnyValue (for any value in the request): Tests whether at least one member of the set of request values matches at least one member of the set of condition key values. The condition returns true if any one of the key values in the request matches any one of the condition values in the policy. For no matching key or a null dataset, the condition returns false.

    This example shows how to use ForAnyValue with the StringEquals condition operator. The policy applies when a requester has any of the following resource tags: aa, bb, or cc.

    If a requester initiates an image sharing request to aa and dd, the request is allowed because the request contains one match (aa).

    If a requester initiates an image sharing request to dd and ee, the request is denied because dd and ee are not within the list of allowed values.

    "Condition": {
        "ForAnyValue:StringEquals": {
            "g:ResourceTag/test": [
                "aa",
                "bb",
                "cc"
            ]
        }
    }
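The Condition section, the condition operators in Table 2, the IfExists suffix and the ForAllValues/ForAnyValue qualifiers above describe how one Condition block is matched against a request. The following evaluator is an added example (not code from this page or from OBS) that implements those rules in Python so the page's own Condition examples can be run against a constructed request context. It assumes the request context is a plain dict keyed by condition-key name (multi-valued keys carry lists), that a ForAllValues test over a missing key is vacuously true (an assumption; the page only defines ForAnyValue for that case), and that negated operators (StringNotEquals, NotIpAddress, ...) require the request value to match none of the listed policy values.

```python
import ipaddress
import re
from datetime import datetime, timezone


def _glob(value, pattern):
    # StringLike wildcards: * matches any run of characters, ? matches exactly one
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _date(value):
    # ISO 8601 in UTC, e.g. 2015-07-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _ip_in(value, cidr):
    # A bare address in the policy is treated as a /32 (or /128) network
    return ipaddress.ip_address(value) in ipaddress.ip_network(cidr, strict=False)


# Positive comparisons between one request value and one policy value.
POSITIVE = {
    "StringEquals": lambda a, b: a == b,
    "StringEqualsIgnoreCase": lambda a, b: a.lower() == b.lower(),
    "StringLike": _glob,
    "NumericEquals": lambda a, b: float(a) == float(b),
    "NumericLessThan": lambda a, b: float(a) < float(b),
    "NumericLessThanEquals": lambda a, b: float(a) <= float(b),
    "NumericGreaterThan": lambda a, b: float(a) > float(b),
    "NumericGreaterThanEquals": lambda a, b: float(a) >= float(b),
    "DateEquals": lambda a, b: _date(a) == _date(b),
    "DateLessThan": lambda a, b: _date(a) < _date(b),
    "DateLessThanEquals": lambda a, b: _date(a) <= _date(b),
    "DateGreaterThan": lambda a, b: _date(a) > _date(b),
    "DateGreaterThanEquals": lambda a, b: _date(a) >= _date(b),
    "Bool": lambda a, b: str(a).lower() == str(b).lower(),
    "IpAddress": _ip_in,
}
# Negated operators are derived from their positive form so that a value list means
# "matches none of these" rather than "differs from at least one of these".
NEGATED = {
    "StringNotEquals": "StringEquals",
    "StringNotEqualsIgnoreCase": "StringEqualsIgnoreCase",
    "StringNotLike": "StringLike",
    "NumericNotEquals": "NumericEquals",
    "DateNotEquals": "DateEquals",
    "NotIpAddress": "IpAddress",
}


def _parse_operator(name):
    # "ForAnyValue:StringNotEqualsIfExists" -> qualifier, compare fn, negated, if_exists
    qualifier, _, name = name.rpartition(":")
    if_exists = name.endswith("IfExists")
    if if_exists:
        name = name[: -len("IfExists")]
    negated = name in NEGATED
    base = NEGATED.get(name, name)
    if base not in POSITIVE:
        raise ValueError("unknown condition operator: " + name)
    return qualifier, POSITIVE[base], negated, if_exists


def _single(fn, negated, request_value, policy_values):
    hit = any(fn(request_value, pv) for pv in policy_values)
    return not hit if negated else hit


def condition_matches(condition, request):
    """True if every operator/key entry in a Condition block is satisfied by the request."""
    for operator, entries in condition.items():
        qualifier, fn, negated, if_exists = _parse_operator(operator)
        for key, policy_values in entries.items():
            policy_values = policy_values if isinstance(policy_values, list) else [policy_values]
            if key not in request:
                # IfExists: an absent key is simply not checked.
                # ForAllValues over an empty request set is vacuously true (assumption).
                if if_exists or qualifier == "ForAllValues":
                    continue
                return False  # ForAnyValue (and plain operators) fail on a missing key
            values = request[key] if isinstance(request[key], list) else [request[key]]
            if qualifier == "ForAllValues":
                ok = all(_single(fn, negated, v, policy_values) for v in values)
            elif qualifier == "ForAnyValue":
                ok = any(_single(fn, negated, v, policy_values) for v in values)
            else:
                ok = _single(fn, negated, values[0], policy_values)
            if not ok:
                return False
    return True


# Constructed inputs: the time/IP Condition block from this page and the ForAllValues tag example.
TIME_AND_IP = {
    "DateGreaterThan": {"CurrentTime": "2015-07-01T12:00:00Z"},
    "DateLessThan": {"CurrentTime": "2018-04-16T15:00:00Z"},
    "IpAddress": {"SourceIp": ["192.168.176.0/24", "192.168.143.0/24"]},
}
ALL_TAGS = {"ForAllValues:StringEquals": {"g:ResourceTag/test": ["aa", "bb", "cc"]}}


def demo():
    inside = {"CurrentTime": "2016-01-01T00:00:00Z", "SourceIp": "192.168.143.7"}
    outside = {"CurrentTime": "2016-01-01T00:00:00Z", "SourceIp": "10.0.0.1"}
    return (
        condition_matches(TIME_AND_IP, inside),
        condition_matches(TIME_AND_IP, outside),
        condition_matches(ALL_TAGS, {"g:ResourceTag/test": ["aa", "cc"]}),
        condition_matches(ALL_TAGS, {"g:ResourceTag/test": ["aa", "bb", "cc", "dd"]}),
    )


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

Two details worth noticing when writing real conditions: a key that is absent from the request fails a plain operator unless the IfExists suffix is used, which is why the x-obs-acl example above says not to select If Exists (with it, an upload that sends no ACL header would still be allowed); and negated operators with several values only pass when the request value matches none of them.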

Condition Keys

Condition keys can be classified into general keys, keys related to actions on buckets, and keys related to actions on objects. Table 4 lists the general keys.

Currently, all condition keys are available in regions like LA-Mexico City1. The condition keys supported by each region are subject to what is displayed on the console. If some condition keys cannot be found in the region where your bucket is located, use a bucket in another region that supports these condition keys.

Table 4 General keys (each entry gives the key, its type, and whether it is multi-valued)

  • g:CalledVia (String; multi-valued): Used to control access across services. Requests for OBS may be forwarded through a chain of services. g:CalledVia records an ordered list of each service in the chain, as shown in Figure 1. For example, if a user requests to download an object from OBS through ModelArts, g:CalledVia records service.ModelArts.

    Figure 1 g:CalledVia

    The following gives an example that allows only requests made by ModelArts to make API calls for downloading objects from OBS.

    "Condition": {
        "ForAnyValue:StringEquals": {
            "g:CalledVia": "service.ModelArts"
        }
    }

  • g:CalledViaFirst (String; single-valued): The first element in g:CalledVia, that is, the first service that forwards a user's request.
  • g:CalledViaLast (String; single-valued): The last element in g:CalledVia, that is, the last service that forwards a user's request.
  • g:ViaService (Boolean; single-valued): Whether the request was initiated by the cloud service on behalf of the user through the Impersonate protocol. The value of this key is true only when g:CalledVia is not an empty string.
    • true: The request is initiated by a cloud service.
    • false: The request is not initiated by a cloud service.
  • g:PrincipalIsService (Boolean; single-valued): Whether the requesting principal is a cloud service. You can use this key to control whether only cloud services can access the specified APIs.
  • g:PrincipalServiceName (String; single-valued): Name of the cloud service. This condition key is present only when the requester is a cloud service.

    The following example allows the policy to be applied only when the requester is ModelArts.

    "Condition": {
        "StringEquals": {
            "g:PrincipalServiceName": "service.ModelArts"
        }
    }

  • g:CurrentTime (Date; single-valued): When a request was received. The time is in ISO 8601 format, for example, 2012-11-11T23:59:59Z.
  • CurrentTime (Date; single-valued): Same as g:CurrentTime.
  • EpochTime (Numeric; single-valued): Time when the request was received by the server, expressed as seconds since 1970-01-01 00:00:00 UTC, ignoring leap seconds.
  • g:TokenIssueTime (Date; single-valued): Time when the STSToken in the access credentials was issued.
  • g:DomainName (String; single-valued): Account name of the requester. To obtain an account name, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information.
  • g:DomainId (String; single-valued): Account ID of the requester. To obtain an account ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information.
  • g:PrincipalAccount (String; single-valued): Same attribute as g:DomainId.
  • g:PrincipalType (String; single-valued): Type of the principal, which can be User, AssumedAgency, or ExternalUser. When long-term IAM credentials are used for access, the value is User. When an IAM assumed-agency session is used for access, the value is AssumedAgency. When a virtual federated user is used for access, the value is ExternalUser.
  • g:PrincipalUrn (String; single-valued): URN of the requester. Different principals have different URN formats.
    • IAM users: iam::<domain-id>:user:<user-name>
    • IAM agencies: sts::<domain-id>:assumed-agency:<agency-name>/<session-name>
    • Virtual federated users: sts::<domain-id>:external-user:<idp-id>/<session-name>
    For details about how to obtain the parameters, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information. The session name is the enterprise username of the delegating party that is entered when you obtain the temporary access keys and security token of an agency.
  • g:PrincipalId (String; single-valued): ID of the requesting principal. Different principals have different ID formats.
    • IAM users: <user-id>
    • IAM agencies: <agency-id>:<session-name>
    • Virtual federated users: <idp-id>:<session-name>
    For details about how to obtain the parameters, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information. The session name is the enterprise username of the delegating party that is entered when you obtain the temporary access keys and security token of an agency.
  • g:UserName (String; single-valued): IAM username of the requester. For details about how to obtain an IAM username, see Obtaining an IAM Username.
  • g:UserId (String; single-valued): IAM user ID of the requester. For details about how to obtain an IAM user ID, see Obtaining an IAM User ID.
  • g:PrincipalOrgId (String; single-valued): ID of the organization to which the principal belongs. You can use this condition key to specify that only principals in the specified organization can access the specified APIs. This condition key is present only when the principal is part of an organization.
  • g:PrincipalOrgPath (String; single-valued): Organization path for the requesting account. You can use this key to control that only accounts at specified levels in the organization can access the specified APIs. This condition key is present only when the requester is part of an organization. An account's organization path is in the following format:
    <organization-id>/<root-id>/(<ou-id>/)*<account-id>
  • g:ResourceOrgId (String; single-valued): ID of the organization to which the bucket owner account belongs.
  • g:ResourceOrgPath (String; single-valued): Path of the bucket owner account in the organization.
  • g:ResourceAccount (String; single-valued): Account ID of the bucket owner. For details about how to obtain an account ID, see Obtaining an Account ID.
  • g:MFAPresent (Boolean; single-valued): Whether multi-factor authentication (MFA) is used to obtain a token.
    • true: MFA authentication is used.
    • false: MFA authentication is not used.
  • g:MFAAge (Numeric; single-valued): Validity period (in seconds) of STS security tokens obtained through MFA authentication. This condition must be used together with g:MFAPresent. This condition key is present only when you log in to the console through MFA authentication or when you use the assumed-agency session obtained through MFA to make a request.
  • g:Referer (String; single-valued): HTTP Referer header in a request. As this key is specified by the client, it should not be used to prevent unauthorized parties from making direct requests.
  • Referer (String; single-valued): Same as g:Referer.
  • g:RequestedRegion (String; single-valued): Region that was called in a request. For a global cloud service the value is NULL; for a regional cloud service it is the ID of the region, for example, cn-north-4. This condition key is present only when certain region-specific services are requested.
  • g:RequestTag/<tag-key> (String; single-valued): Tag contained in a request. <tag-key> is case-insensitive. If a requester adds a tag when making an API call (for example, adding a tag for an existing bucket or adding a tag when creating a bucket), you can use this condition key to check whether the request contains the tag. You need to manually enter a tag key.
  • g:ResourceTag/<tag-key> (String; single-valued): Tag attached to the requested resource. You can use this key to control that only resources with specified tags can be accessed. <tag-key> is case-insensitive. You need to manually enter a tag key.
  • g:TagKeys (String; multi-valued): List of tag keys in a request.

    The following example allows the policy to be applied when the tag included in a request is either group or country.

    "Condition": {
        "ForAnyValue:StringEquals": {
            "g:TagKeys": ["group", "country"]
        }
    }

  • g:SecureTransport (Boolean; single-valued): Whether the request was sent using SSL.
    • true: SSL is used.
    • false: SSL is not used.
  • SecureTransport (Boolean; single-valued): Same as g:SecureTransport.
  • TlsVersion (Numeric; single-valued): TLS version used in the request. Restrictions on using TlsVersion:
    • TlsVersion cannot be used for parallel file systems.
    • If a client uses OBS Console, OBS Browser+, or SDKs to access OBS, the used TLS version cannot be earlier than 1.2, or the requests will be denied. Note that when a user accesses OBS through the console, OBS detects the TLS version used by the console system, rather than the TLS version of the original request.
    • TlsVersion cannot be used in the getBucketLocation API.

    The following gives an example that denies object download requests initiated by clients whose TLS version is earlier than 1.2.

    "Condition":{
        "NumericLessThan":{
            "TlsVersion": "1.2"
        }
    }

  • g:SourceIdentity (String; single-valued): The source_identity field that was set in the temporary IAM credential STSToken. The source_identity field is specified when a user obtains a temporary IAM credential for the first time through the AssumeAgency API of STS and cannot be changed in subsequent agency switching.
  • g:SourceIp (IP address; single-valued): Public IP address that made the request to access OBS. If a proxy or NAT is used for access, the public IP address that made the request will change. OBS then checks the last-hop public IP address of the request for accessing the server.
  • SourceIp (IP address; single-valued): IP address that made the request. When SourceIp is used, the IP address provided by the customer is preferentially identified. If no IP address is provided, the previous-hop IP address is identified. Because a client-supplied address is trusted, using SourceIp may allow IP address spoofing.
  • SourceVpc (String; single-valued): ID of the VPC that initiated the request. For details about how to obtain a VPC ID, see Obtaining a VPC ID.
  • g:SourceVpce (String; single-valued): ID of the VPC endpoint that initiated the request. For details about how to obtain a VPC endpoint ID, see Obtaining a VPC Endpoint ID.
  • SourceVpce (String; single-valued): Same as g:SourceVpce.
  • g:VpcSourceIp (IP address; single-valued): Source IP address of a request initiated in a VPC.
  • g:UserAgent (String; single-valued): HTTP User-Agent header in a request. As this key is specified by the client, it should not be used to prevent unauthorized parties from making direct requests.
  • UserAgent (String; single-valued): Same as g:UserAgent.
  • g:EnterpriseProjectId (String; single-valued): ID of the enterprise project for the request or the requested resource. For details about how to obtain an enterprise project ID, see How Do I Obtain an Enterprise Project ID?
  • ServiceAgency (String; single-valued): Name of the IAM agency that delegates cloud services to access OBS. For details about how to obtain an agency name, see Obtaining an Agency Name.
  • g:SourceAccount (String; single-valued): Account of the resource for which a service-to-service request was initiated.
  • g:SourceUrn (String; single-valued): URN of the resource for which a service-to-service request was initiated.

Action-related condition keys can be used only when a specific action is selected. Table 5 and Table 6 list the mapping between actions and condition keys.

Table 5 Keys related to bucket actions

  • ListBucket
    • prefix (Type: String): Lists objects with the specified prefix.
    • delimiter (Type: String): Groups objects in a bucket.
    • max-keys (Type: Numeric): Sets the maximum number of objects. Returned objects are listed in alphabetic order.
    Remarks: If prefix, delimiter, and max-keys are configured for a bucket policy, the List requests must contain the matched key-value pair. For example, if a bucket policy (with the condition operator set to NumericEquals, the key to max-keys, and the value to 100) is configured to allow all accounts to read data from a bucket, the List requests from all accounts must have ?max-keys=100 at the end of the bucket domain name. The listed objects are the first 100 objects in alphabetic order.
  • ListBucketVersions
    • prefix (Type: String): Lists multi-version objects with the specified prefix.
    • delimiter (Type: String): Groups objects of different versions in a bucket.
    • max-keys (Type: Numeric): Sets the maximum number of objects. Returned objects are listed in alphabetic order.
  • PutBucketAcl
    • x-obs-acl (Type: String): Configures the bucket ACL. When modifying a bucket ACL, you can use the request that contains a canned ACL setting in its header. Value options of a canned ACL setting: private|public-read|public-read-write|bucketowner-read|log-delivery-write.
    Remarks: None

Table 6 Keys related to object actions

  • PutObject
    • x-obs-acl (Type: String): Configures the object ACL. When uploading an object, you can use the request that contains a canned ACL setting in its header. Value options of a canned ACL setting: private|public-read|public-read-write|bucketowner-read|bucket-owner-full-control|log-delivery-write.
    • x-obs-copy-source (Type: String): Specifies names of the source bucket and the source object. Format: /bucketname/keyname
    • x-obs-metadata-directive (Type: String): Specifies whether to copy the metadata of the source object or replace it with the metadata in the request. The value can be COPY or REPLACE.
    • x-obs-server-side-encryption (Type: String): Specifies that objects in a bucket are encrypted using SSE-KMS before they are stored. The value is kms.
  • PutObjectAcl
    • x-obs-acl (Type: String): Configures the object ACL. When uploading an object, you can use the request that contains a canned ACL setting in its header. Value options of a canned ACL setting: private|public-read|public-read-write|bucketowner-read|bucket-owner-full-control|log-delivery-write.
  • GetObjectVersion
    • versionId (Type: String): Obtains the object with the specified version ID.
  • GetObjectVersionAcl
    • versionId (Type: String): Obtains the ACL of the object with the specified version ID.
  • PutObjectVersionAcl
    • versionId (Type: String): Specifies a version ID.
    • x-obs-acl (Type: String): Configures the ACL of the object with the specified version ID. When uploading an object, you can use the request that contains a canned ACL setting in its header. Value options of a canned ACL setting: private|public-read|public-read-write|bucketowner-read|bucket-owner-full-control|log-delivery-write.
  • DeleteObjectVersion
    • versionId (Type: String): Deletes the object with the specified version ID.

Policy Permission Judgment Logic

Each statement in a policy produces one of three results: explicit deny, allow, or default deny. If a bucket policy contains multiple statements with different results, the final result is determined according to the following rules:

  • If there is no explicit deny or allow, the default deny applies.
  • An explicit deny overrides an allow.
  • An allow overrides a default deny.
  • Statements can be in any order in a policy.
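To make the judgment rules above concrete, and to tie them back to the Principal/NotPrincipal, Action/NotAction and Resource/NotResource matching described earlier on this page (including the objectname wildcard forms), here is an added example in Python. It is not code from this page or from OBS: it matches each statement's three element pairs against a request, then applies explicit deny > allow > default deny regardless of statement order. Assumptions: the requester is identified by a string in the page's domain/<domain_id>:user/<user_id> (or :root) form; Action comparison is case-insensitive and Resource comparison is case-sensitive with * matching any run of characters; a statement missing both halves of an element pair is treated as not applying; and condition evaluation is delegated to a callback that defaults to "conditions met" so the focus stays on element matching and the judgment rules. The policy is the page's own example plus one constructed Deny statement.

```python
import re


def _glob(value, pattern):
    # OBS wildcard in Action/Resource/Principal values: * matches any run of characters (even empty)
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(spec, requester):
    # spec is "*" or a dict such as {"ID": [...]}, {"Federated": ...}, {"Service": "obs"}
    ids = ["*"] if spec == "*" else [i for values in spec.values() for i in _as_list(values)]
    return any(_glob(requester, p) for p in ids)


def _action_matches(patterns, action):
    # Action values are case-insensitive; "*" and prefixes such as "Get*" are allowed
    return any(_glob(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # "examplebucket" is the bucket itself; "examplebucket/*" is every object in it
    return any(_glob(resource, p) for p in _as_list(patterns))


def _element(stmt, name, matcher, value):
    # Element/NotElement pairs: the Not* form inverts the match.
    # Assumption: a statement with neither half present does not apply.
    if name in stmt:
        return matcher(stmt[name], value)
    if "Not" + name in stmt:
        return not matcher(stmt["Not" + name], value)
    return False


def statement_applies(stmt, requester, action, resource):
    return (_element(stmt, "Principal", _principal_matches, requester)
            and _element(stmt, "Action", _action_matches, action)
            and _element(stmt, "Resource", _resource_matches, resource))


def evaluate(policy, requester, action, resource, conditions_met=lambda stmt: True):
    """Return 'explicit deny', 'allow' or 'default deny' for one request."""
    outcome = "default deny"
    for stmt in policy["Statement"]:
        # A statement whose elements do not match, or whose conditions are not met,
        # contributes a default deny, which any allow overrides.
        if not statement_applies(stmt, requester, action, resource) or not conditions_met(stmt):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit deny"  # overrides any allow, wherever it sits in the policy
        outcome = "allow"
    return outcome


# Constructed policy: the page's Allow example for one IAM user, plus a Deny that only
# the account root escapes (NotPrincipal), covering object deletions.
ACCOUNT = "b4bf1b36d9ca43d984fbcb9491b6fce9"
USER = "domain/" + ACCOUNT + ":user/71f3901173514e6988115ea2c26d1999"
SAMPLE_POLICY = {
    "Statement": [
        {
            "Sid": "test",
            "Effect": "Allow",
            "Principal": {"ID": [USER]},
            "Action": ["*"],
            "Resource": ["examplebucket/*", "examplebucket"],
        },
        {
            "Sid": "NoDeletesExceptRoot",
            "Effect": "Deny",
            "NotPrincipal": {"ID": ["domain/" + ACCOUNT + ":root"]},
            "Action": ["DeleteObject", "DeleteObjectVersion"],
            "Resource": ["examplebucket/*"],
        },
    ]
}


def demo():
    other = "domain/" + ACCOUNT + ":user/someoneelse"
    return (
        evaluate(SAMPLE_POLICY, USER, "GetObject", "examplebucket/imgs-folder/example.jpg"),
        evaluate(SAMPLE_POLICY, USER, "deleteobject", "examplebucket/imgs-folder/example.jpg"),
        evaluate(SAMPLE_POLICY, other, "GetObject", "examplebucket/imgs-folder/example.jpg"),
        evaluate(SAMPLE_POLICY, USER, "ListBucket", "examplebucket"),
    )


if __name__ == "__main__":
    print(demo())  # ('allow', 'explicit deny', 'default deny', 'allow')
```

The second call shows the explicit deny winning even though an earlier statement allows every action for that user, and the fourth shows why the page tells you to list both "examplebucket/*" and "examplebucket" when a statement should cover bucket and objects: the object wildcard alone does not match the bucket resource.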

Table 7 Statement results

  • explicit deny: A statement defines effect="deny". All requests for resources to which the statement applies are denied. No permission is returned.
  • allow: A statement defines effect="allow". All requests for resources to which the statement applies are allowed.
  • default deny: Conditions defined in a statement are not met. Requests are denied.

If both an ACL and a bucket policy apply, an explicit deny in the bucket policy overrides the allow in the ACL.

If both a bucket policy and an IAM policy apply, an explicit deny overrides an allow, and an allow overrides the default deny.

Bucket ACL/Policy for cross-tenant authorization does not apply to SSE-KMS server-side encrypted objects.