Updated on 2024-04-16 GMT+08:00

Creating a Custom Bucket Policy (Visual Editor)

You can customize bucket policies based on your needs. A custom bucket policy consists of five basic elements: effect, principals, resources, actions, and conditions.

Procedure

  1. In the bucket list, click the bucket you want to operate to go to the Objects page.
  2. In the navigation pane, choose Permissions > Bucket Policies.
  3. Click Create.
  4. Configure a bucket policy.

    Table 1 Parameters for configuring a custom bucket policy

    Parameter

    Description

    Method

    Visual editor or JSON. The visual editor is used here. For details about configurations in the JSON view, see Creating a Custom Bucket Policy (JSON View).

    Policy Name

    Enter a bucket policy name.

    Policy content

    Effect

    • Allow: The policy allows the matched requests.
    • Deny: The policy denies the matched requests.

    Principals

    • All accounts: The bucket policy applies to anonymous users.
    • Current account: Specify one or more IAM users under the current account.
    • Other accounts: Specify one or more accounts.
      NOTE:

      The account ID and IAM user ID can be obtained from the My Credentials page.

      Accounts should be configured in the Domain ID/IAM user ID format, with each one on a separate line.

      Account ID/* indicates that permission is granted to all IAM users under the account.

    • Delegated accounts: Delegated accounts can be added only after Other accounts is selected.
      NOTE:

      Delegated accounts should be configured in the ID of a delegating account/Agency name format. Multiple delegated accounts are allowed, with each one on a separate line.

    Resources

    • Entire bucket (including the objects in it): The policy applies to the bucket and the objects in it. You can configure bucket and object actions in this policy.
    • Current bucket: The policy applies to the current bucket. You can configure bucket actions in this policy.
    • Specified objects: The policy applies to specified objects in the bucket. You can configure object actions in this policy.
      NOTE:
      1. Multiple resource paths can be specified.
      2. A resource path should be configured in the Folder name/Object name format, for example, testdir/a.txt. To specify the testdir folder and all objects in it, enter testdir/*.
      3. You can specify a specific object, an object set, or a directory. * indicates all objects in the bucket.

        To specify a specific object, enter the object name.

        To specify a set of objects, enter Object name prefix*, *Object name suffix, or *. For example, testdir/* indicates objects in the testdir folder, and testprefix* indicates objects whose prefix is testprefix.

    Actions

    • Actions: Choose Customize.
    • Select Actions: See Actions.
      NOTE:
      1. If you select Entire bucket (including the objects in it) for Resources, common actions, bucket actions, and object actions will be available for you to choose from.
      2. If you select Current bucket for Resources, common actions and bucket actions will be available for you to choose from.
      3. If you select Specified objects for Resources, common actions and object actions will be available for you to choose from.
      4. If you select both Current bucket and Specified objects for Resources, common actions, bucket actions, and object actions will be available for you to choose from.

    Conditions (Optional)

    • Key: See Conditions.
    • Conditional Operator: See Conditions.
    • Value: The entered value is associated with the key.

    Advanced Settings > Exclude (Optional)

    • Specified principals: By selecting this option, the bucket policy applies to users except the specified ones.
      NOTE:

      If you do not select this option, the bucket policy applies to the specified users.

    • Specified resources: By selecting this option, the bucket policy applies to resources except the specified ones.
      NOTE:

      If you do not select this option, the bucket policy applies to the specified resources.

    • Specified actions: By selecting this option, the bucket policy applies to actions except the specified ones.
      NOTE:
      1. If you do not select this option, the bucket policy applies to the specified actions.
      2. By default, Specified actions is selected for Exclude in the bucket read/write template only. The action exclusion setting in bucket policy templates cannot be modified.

  5. Click Create in the lower right corner.