Updated on 2025-07-23 GMT+08:00

Object Storage Service OBS

The Organizations service provides Service Control Policies (SCPs) to set access control policies.

SCPs do not actually grant any permissions to an entity. They only set the permissions boundary for the entity. When SCPs are attached to an organizational unit (OU) or a member account, the SCPs do not directly grant permissions to that OU or member account. Instead, the SCPs only determine what permissions are available for that member account or those member accounts under that OU.

This section describes the elements used by Organizations SCPs. The elements include actions, resources, and conditions.

For details about how to use these elements to edit a custom SCP, see Creating an SCP.

Actions

Actions are specific operations that are allowed or denied in an SCP.

  • The Access Level column describes how the action is classified (List, Read, or Write). This classification helps you understand the level of access that an action grants when you use it in an SCP.
  • The Resource Type column indicates whether the action supports resource-level permissions.
    • You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions and you must specify all resources ("*") in your SCP statements.
    • If this column includes a resource type, you must specify the URN in the Resource element of your statements.
    • Required resources are marked with asterisks (*) in the table. If you specify a resource in a statement using this action, then it must be of this type.

    For details about the resource types defined by OBS, see Resources.

  • The Condition Key column contains keys that you can specify in the Condition element of an SCP statement.
    • If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
    • If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that action supports.
    • If the Condition Key column is empty (-) for an action, the action does not support any condition keys.

    For details about the condition keys defined by OBS, see Conditions.

The following table lists the actions that you can define in SCP statements for OBS.

Table 1 Actions supported by OBS

Action | Description | Access Level | Resource Type (*: required) | Condition Key | Alias
obs:object:abortMultipartUpload | Grants the permission to abort multipart uploads. | Write | object * | g:EnterpriseProjectId | - | -
obs:object:deleteObject | Grants the permission to delete an object. | Write | object * | g:EnterpriseProjectId | - | -
obs:object:deleteObjectTagging | Grants permission to delete object tags. | Tagging | object * | - | -
obs:object:deleteObjectVersionTagging | Grants the permission to delete tags of a specified object version. | Tagging | object * | - | -
obs:object:deleteObjectVersion | Grants the permission to delete an object version. | Write | object * | - | -
obs:object:getObject | Grants the permission to download an object. | Read | object * | g:EnterpriseProjectId | - | -
obs:object:getObjectTagging | Grants the permission to download object tags. | Read | object * | - | -
obs:object:getObjectVersionTagging | Grants the permission to download tags of a specified object version. | Read | object * | - | -
obs:object:getObjectAcl | Grants the permission to obtain the ACL of an object. | Read | object * | g:EnterpriseProjectId | - | -
obs:object:getObjectRetention | Grants permission to obtain the object retention configuration. | Read | object * | g:EnterpriseProjectId | - | -
obs:object:getObjectVersion | Grants the permission to download an object version. | Read | object * | - | -
obs:object:getObjectVersionAcl | Grants the permission to obtain the ACL of an object version. | Read | object * | - | -
obs:object:listMultipartUploadParts | Grants the permission to obtain all parts associated with a multipart upload. | List | object * | g:EnterpriseProjectId | - | -
obs:object:modifyObjectMetadata | Grants the permission to add, modify, or delete the metadata of an existing object. | Write | object * | g:EnterpriseProjectId | - | -
obs:object:putObject | Grants the permission to upload an object. | Write | object * | g:EnterpriseProjectId | - | -
obs:object:putObjectTagging | Grants the permission to set object tags. | Tagging | object * | - | -
obs:object:putObjectVersionTagging | Grants the permission to set tags for an object version. | Tagging | object * | - | -
obs:object:putObjectAcl | Grants the permission to configure or modify the ACL of an object. | Permission_management | object * | g:EnterpriseProjectId | - | -
obs:object:putObjectRetention | Grants the permission to configure a retention policy for an object. | Write | object * | g:EnterpriseProjectId | - | -
obs:object:putObjectVersionAcl | Grants the permission to configure or modify the ACL of an object version. | Permission_management | object * | - | -
obs:object:restoreObject | Grants the permission to restore an object from Archive or Deep Archive storage. | Write | object * | g:EnterpriseProjectId | - | -
obs:bucket:createBucket | Grants the permission to create a bucket. | Write | bucket * | - | - | -
obs:bucket:deleteBucket | Grants the permission to delete a bucket. | Write | bucket * | - | -
obs:bucket:deleteBucketCustomDomainConfiguration | Grants the permission to delete the custom domain name of a bucket. | Write | bucket * | - | -
obs:bucket:deleteBucketInventoryConfiguration | Grants the permission to delete the inventory configuration of a bucket. | Write | bucket * | - | -
obs:bucket:deleteBucketPolicy | Grants the permission to delete a bucket policy. | Permission_management | bucket * | - | -
obs:bucket:deleteBucketTagging | Grants the permission to delete bucket tags. | Tagging | bucket * | - | -
obs:bucket:deleteBucketWebsite | Grants the permission to delete the static website hosting configuration of a bucket. | Write | bucket * | - | -
obs:bucket:deleteDirectColdAccessConfiguration | Grants the permission to delete the direct reading configuration for Archive objects in a bucket. | Write | bucket * | - | -
obs:bucket:deleteReplicationConfiguration | Grants the permission to delete the replication configuration of a bucket. | Write | bucket * | - | -
obs:bucket:getBucketAcl | Grants the permission to obtain the bucket ACL. | Read | bucket * | - | -
obs:bucket:getBucketObjectLockConfiguration | Grants the permission to query the default WORM policy and retention period for a bucket. | Read | bucket * | - | -
obs:bucket:getBucketCORS | Grants the permission to query the CORS configuration of a bucket. | Read | bucket * | - | -
obs:bucket:getBucketCustomDomainConfiguration | Grants the permission to query the custom domain name of a bucket. | Read | bucket * | - | -
obs:bucket:getBucketInventoryConfiguration | Grants the permission to query the inventory configuration of a bucket. | Read | bucket * | - | -
obs:bucket:getBucketLocation | Grants the permission to query the location of a bucket. | Read | bucket * | - | -
obs:bucket:getBucketLogging | Grants the permission to query the logging configuration of a bucket. | Read | bucket * | - | -
obs:bucket:getBucketPolicy | Grants the permission to obtain a bucket policy. | Read | bucket * | - | -
obs:bucket:getBucketQuota | Grants the permission to obtain the storage quota of a bucket. | Read | bucket * | - | -
obs:bucket:getBucketStorage | Grants the permission to query the object count and storage usage of a bucket. | Read | bucket * | - | -
obs:bucket:getBucketStoragePolicy | Grants the permission to obtain the default storage class of a bucket. | Read | bucket * | - | -
obs:bucket:getBucketTagging | Grants the permission to obtain bucket tags. | Read | bucket * | - | -
obs:bucket:getBucketVersioning | Grants the permission to obtain the versioning status of a bucket. | Read | bucket * | - | -
obs:bucket:getBucketWebsite | Grants the permission to obtain the static website hosting configuration of a bucket. | Read | bucket * | - | -
obs:bucket:getDirectColdAccessConfiguration | Grants the permission to obtain the direct reading policy of Archive objects in a bucket. | Read | bucket * | - | -
obs:bucket:getEncryptionConfiguration | Grants the permission to obtain the encryption configuration of a bucket. | Read | bucket * | - | -
obs:bucket:getLifecycleConfiguration | Grants the permission to obtain the lifecycle configuration of a bucket. | Read | bucket * | - | -
obs:bucket:getReplicationConfiguration | Grants the permission to obtain the cross-region replication configuration of a bucket. | Read | bucket * | - | -
obs:bucket:headBucket | Grants the permission to obtain the metadata of a bucket. | Read | bucket * | - | -
obs:bucket:listAllMyBuckets | Grants the permission to list the created buckets. | List | bucket * | - | - | -
obs:bucket:listBucket | Grants the permission to list the objects in a bucket. | List | bucket * | - | -
obs:bucket:listBucketMultipartUploads | Grants the permission to list the initiated multipart uploads in a bucket. | List | bucket * | - | -
obs:bucket:listBucketVersions | Grants the permission to list the object versions in a bucket. | List | bucket * | - | -
obs:bucket:putBucketAcl | Grants the permission to configure an ACL for a bucket. | Permission_management | bucket * | - | -
obs:bucket:putBucketCORS | Grants the permission to configure CORS for a bucket. | Write | bucket * | - | -
obs:bucket:putBucketCustomDomainConfiguration | Grants the permission to configure a custom domain name for a bucket. | Write | bucket * | - | -
obs:bucket:putBucketObjectLockConfiguration | Grants the permission to configure a default WORM policy for a bucket. | Write | bucket * | - | -
obs:bucket:putBucketInventoryConfiguration | Grants the permission to configure an inventory rule for a bucket. | Write | bucket * | - | -
obs:bucket:putBucketLogging | Grants the permission to configure logging for a bucket. | Write | bucket * | - | -
obs:bucket:putBucketPolicy | Grants the permission to configure a bucket policy. | Permission_management | bucket * | - | -
obs:bucket:putBucketQuota | Grants the permission to set a storage quota for a bucket. | Write | bucket * | - | -
obs:bucket:putBucketStoragePolicy | Grants the permission to configure a default storage class for a bucket. | Write | bucket * | - | -
obs:bucket:putBucketTagging | Grants the permission to configure tags for a bucket. | Tagging | bucket * | - | -
obs:bucket:putBucketVersioning | Grants the permission to configure versioning for a bucket. | Write | bucket * | - | -
obs:bucket:putBucketWebsite | Grants the permission to configure static website hosting for a bucket. | Write | bucket * | - | -
obs:bucket:putDirectColdAccessConfiguration | Grants the permission to configure direct reading for Archive objects in a bucket. | Write | bucket * | - | -
obs:bucket:putEncryptionConfiguration | Grants the permission to configure bucket encryption. | Write | bucket * | - | -
obs:bucket:putLifecycleConfiguration | Grants the permission to configure a lifecycle rule for a bucket. | Write | bucket * | - | -
obs:bucket:putReplicationConfiguration | Grants the permission to configure cross-region replication for a bucket. | Write | bucket * | - | -
obs:bucket:getBucketPublicAccessBlock | Grants the permission to obtain the BPA configuration of a bucket. | Read | bucket * | - | -
obs:bucket:putBucketPublicAccessBlock | Grants the permission to configure BPA for a bucket. | Permission_management | bucket * | - | -
obs:bucket:deleteBucketPublicAccessBlock | Grants the permission to delete the BPA configuration of a bucket. | Permission_management | bucket * | - | -
obs:bucket:getBucketPolicyPublicStatus | Grants the permission to obtain the public status of a bucket policy. | Read | bucket * | - | -
obs:bucket:getBucketPublicStatus | Grants the permission to obtain the public status of a bucket. | Read | bucket * | - | -

Each API of OBS usually supports one or more actions. Table 2 lists the supported actions and dependencies.

Table 2 Actions and dependencies supported by OBS APIs

API | Action | Dependencies
PUT /?replication | obs:bucket:putReplicationConfiguration | -
GET /?replication | obs:bucket:getReplicationConfiguration | -
DELETE /?replication | obs:bucket:deleteReplicationConfiguration | -
PUT /ObjectName?acl | obs:object:putObjectAcl | -
PUT /ObjectName?acl | obs:object:putObjectVersionAcl | -
GET /ObjectName?acl | obs:object:getObjectAcl | -
GET /ObjectName?acl | obs:object:getObjectVersionAcl | -
PUT /ObjectName?metadata | obs:object:modifyObjectMetadata | -
POST / | obs:object:putObject | kms:cmk:create, kms:cmk:list, kms:cmk:createDataKey, functiongraph:function:invokeAsync, functiongraph:workflow:invoke, smn:topic:publish
PUT /ObjectName | obs:object:putObject | kms:cmk:create, kms:cmk:list, kms:cmk:createDataKey, functiongraph:function:invokeAsync, functiongraph:workflow:invoke, smn:topic:publish
PUT /objectname?tagging&versionId=versionid | obs:object:putObjectTagging | -
PUT /objectName?tagging&versionId | obs:object:putObjectVersionTagging | -
GET /ObjectName | obs:object:getObject | kms:cmk:create, kms:cmk:list, kms:cmk:decryptDataKey
GET /objectname?tagging&versionId=versionid | obs:object:getObjectTagging | -
GET /objectName?tagging&versionId | obs:object:getObjectVersionTagging | -
GET /ObjectName | obs:object:getObjectVersion | kms:cmk:create, kms:cmk:list, kms:cmk:decryptDataKey
HEAD /ObjectName | obs:object:getObject | obs:object:getObjectRetention
HEAD /ObjectName | obs:object:getObjectVersion | obs:object:getObjectRetention
DELETE /ObjectName | obs:object:deleteObject | functiongraph:function:invokeAsync, functiongraph:workflow:invoke, smn:topic:publish
DELETE /objectname?tagging&versionId=versionid | obs:object:deleteObjectTagging | -
DELETE /objectName?tagging&versionId | obs:object:deleteObjectVersionTagging | -
DELETE /ObjectName | obs:object:deleteObjectVersion | functiongraph:function:invokeAsync, functiongraph:workflow:invoke, smn:topic:publish
POST /ObjectName?uploads | obs:object:putObject | kms:cmk:create, kms:cmk:list, kms:cmk:createDataKey
GET /?uploads&max-uploads=max | obs:bucket:listBucketMultipartUploads | -
PUT /ObjectName?partNumber=partNum&uploadId=uploadID | obs:object:putObject | kms:cmk:createDataKey, kms:cmk:decryptDataKey
GET /ObjectName?uploadId=uploadid&max-parts=max&part-number-marker=marker | obs:object:listMultipartUploadParts | -
DELETE /ObjectName?uploadId=uploadID | obs:object:abortMultipartUpload | -
POST /ObjectName?uploadId=uploadID | obs:object:putObject | functiongraph:function:invokeAsync, functiongraph:workflow:invoke, smn:topic:publish
PUT /?website | obs:bucket:putBucketWebsite | -
GET /?website | obs:bucket:getBucketWebsite | -
DELETE /?website | obs:bucket:deleteBucketWebsite | -
PUT /?cors | obs:bucket:putBucketCORS | -
GET /?cors | obs:bucket:getBucketCORS | -
DELETE /?cors | obs:bucket:putBucketCORS | -
PUT /?directcoldaccess | obs:bucket:putDirectColdAccessConfiguration | -
GET /?directcoldaccess | obs:bucket:getDirectColdAccessConfiguration | -
DELETE /?directcoldaccess | obs:bucket:deleteDirectColdAccessConfiguration | -
POST /ObjectName?restore&versionId=VersionID | obs:object:restoreObject | -
PUT /?quota | obs:bucket:putBucketQuota | -
GET /?quota | obs:bucket:getBucketQuota | -
PUT /?lifecycle | obs:bucket:putLifecycleConfiguration | -
DELETE /?lifecycle | obs:bucket:putLifecycleConfiguration | -
GET /?lifecycle | obs:bucket:getLifecycleConfiguration | -
PUT /?acl | obs:bucket:putBucketAcl | -
GET /?acl | obs:bucket:getBucketAcl | -
PUT /?logging | obs:bucket:putBucketLogging | -
GET /?logging | obs:bucket:getBucketLogging | -
PUT /?tagging | obs:bucket:putBucketTagging | -
GET /?tagging | obs:bucket:getBucketTagging | -
DELETE /?tagging | obs:bucket:deleteBucketTagging | -
PUT /?policy | obs:bucket:putBucketPolicy | -
GET /?policy | obs:bucket:getBucketPolicy | -
DELETE /?policy | obs:bucket:deleteBucketPolicy | -
GET /?storageinfo | obs:bucket:getBucketStorage | -
PUT / | obs:bucket:createBucket | -
DELETE / | obs:bucket:deleteBucket | -
HEAD / | obs:bucket:headBucket | -
GET / | obs:bucket:listBucket | -
GET /?location | obs:bucket:getBucketLocation | -
PUT /?versioning | obs:bucket:putBucketVersioning | -
GET /?versioning | obs:bucket:getBucketVersioning | -
GET / | obs:bucket:listBucketVersions | -
PUT /?encryption | obs:bucket:putEncryptionConfiguration | kms:cmk:get
GET /?encryption | obs:bucket:getEncryptionConfiguration | -
DELETE /?encryption | obs:bucket:putEncryptionConfiguration | -
PUT /?inventory&id=configuration-id | obs:bucket:putBucketInventoryConfiguration | -
GET /?inventory&id=configuration-id | obs:bucket:getBucketInventoryConfiguration | -
GET /?inventory | obs:bucket:getBucketInventoryConfiguration | -
DELETE /?inventory&id=configuration-id | obs:bucket:deleteBucketInventoryConfiguration | -
PUT /?storageClass | obs:bucket:putBucketStoragePolicy | -
GET /?storageClass | obs:bucket:getBucketStoragePolicy | -
PUT /?customdomain=domainname | obs:bucket:putBucketCustomDomainConfiguration | -
GET /?customdomain | obs:bucket:getBucketCustomDomainConfiguration | -
DELETE /?customdomain=domainname | obs:bucket:deleteBucketCustomDomainConfiguration | -
PUT /?object-lock | obs:bucket:putBucketObjectLockConfiguration | -
GET /?object-lock | obs:bucket:getBucketObjectLockConfiguration | -
PUT /ObjectName?retention&versionId=versionid | obs:object:putObjectRetention | -
PUT /ObjectName?partNumber=partNum&uploadId=UploadID | obs:object:putObject | obs:object:getObject, kms:cmk:create, kms:cmk:list, kms:cmk:createDataKey, kms:cmk:decryptDataKey
POST /?delete | obs:object:deleteObject | functiongraph:function:invokeAsync, functiongraph:workflow:invoke, smn:topic:publish
PUT /destinationObjectName | obs:object:putObject | obs:object:getObject, kms:cmk:create, kms:cmk:list, kms:cmk:createDataKey, kms:cmk:decryptDataKey, functiongraph:function:invokeAsync, functiongraph:workflow:invoke, smn:topic:publish
GET / | obs:bucket:listAllMyBuckets | -
PUT /ObjectName?truncate&length=Length | obs:object:putObject | -
POST /ObjectName?append&position=Position | obs:object:putObject | kms:cmk:create, kms:cmk:list, kms:cmk:createDataKey, kms:cmk:decryptDataKey
PUT /ObjectName?modify&position=Position | obs:object:putObject | -
POST /ObjectName?name=Name&rename | obs:object:getObject | obs:object:putObject
GET /?publicAccessBlock | obs:bucket:getBucketPublicAccessBlock | -
PUT /?publicAccessBlock | obs:bucket:putBucketPublicAccessBlock | -
DELETE /?publicAccessBlock | obs:bucket:deleteBucketPublicAccessBlock | -
GET /?policyStatus | obs:bucket:getBucketPolicyPublicStatus | -
GET /?bucketStatus | obs:bucket:getBucketPublicStatus | -

Resources

A resource type indicates the resources that an SCP applies to. If you specify a resource type for any action in Table 3, the resource URN must be specified in the SCP statements using that action, and the SCP applies only to resources of this type. If no resource type is specified, the Resource element is marked with an asterisk (*) and the SCP applies to all resources. You can also set condition keys in an SCP to define resource types.

The following table lists the resource types that you can define in SCP statements for OBS.

Table 3 Resource types supported by OBS

Resource Type | URN
bucket | obs:::bucket:<bucket-name>
object | obs:::object:<bucket-name>/<object-name>

Conditions

Condition Key Overview

A Condition element lets you specify conditions for when an SCP is in effect. It contains condition keys and operators.

  • The condition key that you specify can be a global condition key or a service-specific condition key.
    • Global condition keys (with the g: prefix) apply to all actions. Cloud services do not need to provide user identity information. Instead, the system automatically obtains such information and authenticates users. For details, see Global Condition Keys.
    • Service-specific condition keys (with the abbreviation of a service name plus a colon as the prefix, for example, obs:) apply only to operations of that service, in this case OBS. For details, see Table 4.
    • The number of values associated with a condition key in the request context of an API call makes the condition key single-valued or multivalued. Single-valued condition keys have at most one value in the request context of an API call. Multivalued condition keys can have multiple values in the request context of an API call. For example, a request can originate from at most one VPC endpoint, so g:SourceVpce is a single-valued condition key. You can tag resources and include multiple tag key-value pairs in a request, so g:TagKeys is a multivalued condition key.
  • A condition operator, condition key, and a condition value together constitute a complete condition statement. An SCP can be applied only when its request conditions are met. For supported condition operators, see Condition operators.

Service-specific condition keys supported by OBS

The following table lists the condition keys that you can define in identity policies for OBS. You can include these condition keys to specify conditions for when your SCP is in effect.

Table 4 Service-specific condition keys supported by OBS

Service-specific Condition Key | Type | Single-valued/Multivalued | Description
obs:versionId | string | Single-valued | Filters requests by the object version ID.
obs:prefix | string | Single-valued | Filters requests by the prefix specified for objects to be listed.
obs:delimiter | string | Single-valued | Filters requests by the delimiter character for grouping objects.
obs:max-keys | numeric | Single-valued | Filters requests by the maximum number of objects to return. The max-keys parameter indicates how many objects can be returned at most in alphabetical order.
obs:x-obs-acl | string | Single-valued | Filters requests by the ACL header. The ACL value can be private, public-read, public-read-write, bucket-owner-read, bucket-owner-full-control, or log-delivery-write.
obs:x-obs-copy-source | string | Single-valued | Filters requests by the source bucket and object used for replication. The format is /bucketname/keyname.
obs:x-obs-metadata-directive | string | Single-valued | Filters requests by whether the metadata of the destination object is copied from the source object or replaced with the metadata contained in the request (COPY or REPLACE).
obs:x-obs-server-side-encryption | string | Single-valued | Filters requests by whether objects in the bucket are encrypted. The value is kms.
obs:SourceIp | ip_address | Single-valued | Filters requests by the first IP address in the X-Forwarded-For header or the source IP address of the request.
obs:EpochTime | numeric | Single-valued | Filters requests by the time when the request is received by the server, which is the number of non-leap seconds that have elapsed since 1970-01-01 00:00:00 UTC.
obs:BucketEncrypted | boolean | Single-valued | Filters requests by the encryption status of the bucket after the bucket is created, encrypted, or decrypted.
obs:TlsVersion | numeric | Single-valued | Filters requests by the TLS protocol version used by the client.
obs:CustomDomain | boolean | Single-valued | Filters requests by whether the requester client uses a custom domain name.
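The following Python evaluator is an added example, not code from this page or from OBS: it ties the Actions, Resources and Conditions sections together by checking a request (action, resource URN, condition context) against a constructed SCP and reporting which Deny statement, if any, bounds it. The JSON statement layout, the operator names StringNotEquals and NumericLessThan, and the treatment of a condition key that is absent from the request are assumptions; the action names, URN formats and condition keys are the ones in the tables above.

```python
import fnmatch

# Constructed sample SCP, not taken from the page. The JSON layout ("Version",
# "Effect", "Action", "Resource", "Condition") and the operator names are
# assumptions; actions, URN formats and condition keys come from the tables above.
SAMPLE_SCP = {
    "Version": "5.0",
    "Statement": [
        {   # uploads must request KMS server-side encryption
            "Effect": "Deny",
            "Action": ["obs:object:putObject"],
            "Resource": ["obs:::object:*"],
            "Condition": {"StringNotEquals": {
                "obs:x-obs-server-side-encryption": ["kms"]}},
        },
        {   # nobody may loosen public-access or policy settings of audit buckets
            "Effect": "Deny",
            "Action": ["obs:bucket:putBucketPublicAccessBlock",
                       "obs:bucket:deleteBucketPublicAccessBlock",
                       "obs:bucket:putBucketPolicy",
                       "obs:bucket:deleteBucketPolicy"],
            "Resource": ["obs:::bucket:audit-*"],
        },
        {   # no bucket configuration changes over TLS older than 1.2
            "Effect": "Deny",
            "Action": ["obs:bucket:put*", "obs:bucket:delete*"],
            "Resource": ["*"],
            "Condition": {"NumericLessThan": {"obs:TlsVersion": ["1.2"]}},
        },
    ],
}

# Assumed operator semantics: a negated operator is satisfied when the key is
# absent from the request context, a positive one is not (verify per platform).
OPERATORS = {
    "StringNotEquals": lambda got, want: got not in want,
    "NumericLessThan": lambda got, want: float(got) < float(want[0]),
}
NEGATED = {"StringNotEquals"}

def _matches(patterns, value):
    # "*" in Action and Resource entries is a glob, e.g. obs:bucket:put*
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, context):
    for op, clauses in condition.items():
        for key, want in clauses.items():
            if key not in context:
                if op in NEGATED:
                    continue        # absent key counts as "not equal"
                return False
            if not OPERATORS[op](context[key], want):
                return False
    return True

def denying_statement(scp, action, resource, context=None):
    """Index of the first matching Deny statement, or None. SCPs only set the
    boundary: None means 'not blocked by the SCP', not 'granted'."""
    context = context or {}
    for i, stmt in enumerate(scp["Statement"]):
        if (stmt["Effect"] == "Deny"
                and _matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)
                and _condition_holds(stmt.get("Condition", {}), context)):
            return i
    return None

def scp_permits(scp, action, resource, context=None):
    return denying_statement(scp, action, resource, context) is None
```

Note that with the assumed absent-key semantics an upload that omits the encryption header is also denied by the first statement, which is the behaviour a defender usually wants from a StringNotEquals guard.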