Help Center/ Object Storage Service/ User Guide/ Permissions Control/ Configuring a Bucket Policy/ Creating a Custom Bucket Policy (JSON View)
Updated on 2024-10-24 GMT+08:00
View PDF
Share

Creating a Custom Bucket Policy (JSON View)

If you are familiar with the JSON syntax and OBS bucket policies, you can code a bucket policy in the JSON view. There is no limit on the number of bucket policies (statements) for a bucket, but the JSON descriptions of all bucket policies in a bucket cannot exceed 20 KB in total.

Ways to Create a Custom Bucket Policy

You can use OBS Console, APIs, SDKs, OBS Browser+, or obsutil to create a custom bucket policy.

Using OBS Console

  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the bucket you want to operate. The Objects page is displayed.
  3. In the navigation pane, choose Permissions > Bucket Policies.
  4. In the upper right corner of the page, click JSON and then Edit.
  5. Edit the bucket policy. Below gives a bucket policy example in JSON: 

    {
   "Statement":[
       {
           "Action":[
               "CreateBucket",
               "DeleteBucket"
           ],
           "Effect":"Allow",
           "Principal":{
               "ID":[
                   "domain/account ID", 
                   "domain/account ID:user/User ID" 
               ]
           },
           "Condition":{
               "NumericNotEquals":{
                   "Referer":"sdf"
               },
               "StringNotLike":{
                   "Delimiter":"ouio"
               }
           },
           "Resource":"000-02/key01"
       }
   ]
 }
    Table 1 Parameters for creating a bucket policy in JSON

    Parameter

    Description

    Action

    Actions the bucket policy applies to. For details, see Bucket Policy Parameters.

    Effect

    Effect of the bucket policy. For details, see Bucket Policy Parameters.

    Principal

    Users the bucket policy is applied to. You can obtain the user ID on the My Credentials page by logging in to the console as the user to be authorized. Principals should be configured as follows:

    • domain/Account ID (indicating that the principal is an account)
    • domain/Account ID:user/User ID (indicating that the principal is a user under an account)

    Condition

    Conditions under which the bucket policy takes effect. For details, see Bucket Policy Parameters.

    Resource

    Resources the bucket policy is applied to. For details, see Bucket Policy Parameters.

  6. Click Create.

Using APIs

Using SDKs

Java

Python

C: not supported

Go

BrowserJS

.NET

Android

iOS

PHP

Node.js

Using the GUI Tool - OBS Browser+

  1. Log in to OBS Browser+.
  2. Select the bucket you want and choose More > Bucket Policy. The window shown in Figure 1 is displayed.

    Figure 1 Configuring a bucket policy

  3. Enter a bucket policy in the following format.

    1. Grant permissions to an account. In the following example, the account (whose account ID is 783fc6652cf246c096ea836694f71855) is granted the permission required to obtain the log management information about bucket logging.bucket3. 
      {
    "Statement": [
        {
            "Sid": "testing",
            "Effect": "Allow",
            "Principal": {
                "ID": [
                    "domain/783fc6652cf246c096ea836694f71855:user/*"
                ]
            },
            "Action": [
                "GetBucketLogging"
            ],
            "Resource": [
                "logging.bucket3"
            ]
        }
    ]
}
      Table 2 describes the parameters that you need to manually modify in the example above:
      Table 2 Parameter changes

      Item to Modify

      Description

      GetBucketLogging

      Value of the Action field that indicates all OBS-supported actions in the policy. The value is a case-insensitive string. The value can contain a wildcard character (*), for example, "Action":["List*", "Get*"], to apply all actions to the resources. You need to change the value as needed. For the actions supported by OBS, see Bucket-Related Actions.

      Allow

      Value of the Effect field that indicates whether the permission in the policy is allowed or denied. The value must be Allow or Deny.

      logging.bucket3

      The bucket on which the policy works. You can change the bucket name as needed.

      783fc6652cf246c096ea836694f71855

      ID of an account. You can change it as needed. You can obtain the account ID on the bucket's Basic Information page.
    2. Grant permissions to an IAM user. In the following example, the user (whose ID is 71f3901173514e6988115ea2c26d1999) under the account (whose ID is 219d520ceac84c5a98b237431a2cf4c2) is assigned the permission required to set log management for bucket logging.bucket3. 
      {
    "Statement": [
        {
            "Sid": "testing",
            "Effect": "Allow",
            "Principal": {
                "ID": [
                    "domain/219d520ceac84c5a98b237431a2cf4c2:user/71f3901173514e6988115ea2c26d1999"
                ]
            },
            "Action": [
                "PutBucketLogging"
            ],
            "Resource": [
                "logging.bucket3"
            ]
        }
    ]
}
      Table 3 describes the parameters that you need to manually modify in the example above:
      Table 3 Parameter changes

      Item to Modify

      Description

      PutBucketLogging

      Value of the Action field that indicates all OBS-supported actions in the policy. The value is a case-insensitive string. The value can contain a wildcard character (*), for example, "Action":["List*", "Get*"], to apply all actions to the resources. You need to change the value as needed. For the actions supported by OBS, see Bucket-Related Actions.

      Allow

      Value of the Effect field that indicates whether the permission in the policy is allowed or denied. The value must be Allow or Deny.

      logging.bucket3

      The bucket on which the policy works. You can change the bucket name as needed.

      219d520ceac84c5a98b237431a2cf4c2

      ID of an account. You can change it as needed. You can click next to the target bucket to obtain the Account ID on the Basic Information page.

      71f3901173514e6988115ea2c26d1999

      ID of a user under the account. You can change it as needed. You can choose My Credentials from the username in the upper right corner of OBS Console to obtain the IAM User ID.

    For details about bucket policy parameters, see Bucket Policy Parameters.

Using the CLI Tool - obsutil

Command Line Structure

  • In Windows 
    obsutil bucketpolicy obs://bucket -method=put -localfile=xxx [-config=xxx] [-e=xxx] [-i=xxx] [-k=xxx] [-t=xxx]
  • In Linux or macOS 
    ./obsutil bucketpolicy obs://bucket -method=put -localfile=xxx [-config=xxx] [-e=xxx] [-i=xxx] [-k=xxx] [-t=xxx]

Examples

  • Take the Windows OS as an example. Run the obsutil bucketpolicy obs://bucket -method=put -localfile=d:\temp\policy.json command to set a bucket policy based on file policy.json. 
    obsutil bucketpolicy obs://bucket -method=put -localfile=d:\temp\policy.json

Put bucketPolicy succeed, requestId is [04050000016836C5DA6FB21F14A2A0C0]

Parameter Description

Parameter

Optional or Mandatory

Description

bucket

Mandatory

Bucket name

method

Mandatory

Specifies the method. Set this parameter to put when configuring a bucket policy.

localfile

Mandatory

Path of the local policy file to import

config

Optional (additional parameter)

User-defined configuration file for executing the current command. To learn the parameters that can be configured in this file, see Configuration Parameters.

e

Optional (additional parameter)

Specifies the endpoint.

i

Optional (additional parameter)

Specifies the user's AK.

k

Optional (additional parameter)

Specifies the user's SK.

t

Optional (additional parameter)

Specifies the user's security token.

Parent Topic: Configuring a Bucket Policy