
Configure bucket policies

Last updated: 2021-07-06 15:04:36

Bucket policy - Documentation - Kingsoft Cloud

If you are a bucket owner, you can configure access control policies for KS3 resources, including buckets and objects.

Requests from users to access a bucket and its objects are evaluated against the bucket policy, which determines whether each request is accepted or denied.

Permission identification logic

When a bucket policy is evaluated, each statement yields one of three effects: Explicit Deny, Allow, or Default Deny. If a bucket policy contains multiple statements, the effect of each statement is determined and the final effect follows this priority: Explicit Deny > Allow > Default Deny.

  • If a statement yields neither an explicit Deny nor an Allow, its effect is Default Deny.
  • Explicit Deny overrides Allow.
  • Allow overrides Default Deny.
  • The order of statements makes no difference.
  • If the final effect of all statements is Default Deny, whether the resource is accessible also depends on whether the resource is public in its access control list (ACL).

Configure a bucket policy

  1. Log in to the KS3 console and click Bucket in the left navigation pane. On the Bucket list page, click the name of the target bucket, and then click Bucket Settings. On the Bucket Settings tab, click Bucket Policy. On the Bucket Policy tab, click Add Policy.

  2. In the panel that appears, configure the bucket policy.

Note: The requester's IP address (ksc:SourceIp), a request header (ksc:RequestHeader), and the subnet ID of the Virtual Private Cloud (VPC) in which the requester resides (ksc:SubnetID) can be used as conditions. For more information, see Conditions.

  3. Click Policy Language and view the content of the bucket policy.

Mapping between permission keywords and operations

| Permission keyword | Corresponding KS3 operation | Operation level |
| --- | --- | --- |
| ks3:ListBucket | List objects in a bucket and query the bucket information. | Bucket level |
| ks3:DeleteBucket | Delete the current bucket. | Bucket level |
| ks3:GetBucketAcl | Query the ACL information of a bucket. | Bucket level |
| ks3:PutBucketAcl | Configure an ACL for a bucket. | Bucket level |
| ks3:GetBucketCORS | Query the CORS configuration of a bucket. | Bucket level |
| ks3:PutBucketCORS | Configure CORS for a bucket. | Bucket level |
| ks3:ListBucketMultipartUploads | List multipart uploads. | Bucket level |
| ks3:PutObject | Upload an object by using the POST, PUT, or multipart upload method. | Object level |
| ks3:DeleteObject | Delete an object. | Object level |
| ks3:GetObject | Query an object and its metadata. | Object level |
| ks3:GetObjectAcl | Query the ACL information of an object. | Object level |
| ks3:PutObjectAcl | Configure an ACL for an object. | Object level |
| ks3:ListMultipartUploadParts | List multipart upload parts. | Object level |
| ks3:AbortMultipartUpload | Cancel a multipart upload. | Object level |
| ks3:PostObjectRestore | Restore an Archive object. | Object level |

Note: The resource you specify must match the level of the operation. To grant the ks3:ListBucket permission, you must specify a bucket resource, for example, krn:ksc:ks3:::bucket01, which denotes the bucket named bucket01. To grant the ks3:PutObject permission, you must specify an object resource, for example, krn:ksc:ks3:::bucket01/*, which denotes all objects in bucket01. To grant both bucket-level and object-level permissions, you must specify both a bucket resource and an object resource.

Conditions

Conditional operators supported by the IP address (ksc:SourceIp)

| Conditional operator | Value | Description |
| --- | --- | --- |
| IpAddress | IP addresses and Classless Inter-Domain Routing (CIDR) blocks. Only IPv4 is supported. | If the source IP address of the request is the specified IP address or is within the specified range, the policy takes effect. |
| NotIpAddress | IP addresses and CIDR blocks. Only IPv4 is supported. | If the source IP address of the request is not the specified IP address or is outside the specified range, the policy takes effect. |

Conditional operators supported by the request header (ksc:RequestHeader)

| Conditional operator | Value | Description |
| --- | --- | --- |
| StringEquals | Key-value strings, for example, x-kss-cdn:kingsoftcdn | If a request carries the specified header and the header value is an exact match (case-sensitive), the policy takes effect. |
| StringNotEquals | Key-value strings, for example, x-kss-cdn:kingsoftcdn | If a request carries the specified header and the header value is not a match (case-sensitive), the policy takes effect. |
| StringEqualsIgnoreCase | Key-value strings, for example, x-kss-cdn:kingsoftcdn | If a request carries the specified header and the header value is an exact match (case-insensitive), the policy takes effect. |
| StringNotEqualsIgnoreCase | Key-value strings, for example, x-kss-cdn:kingsoftcdn | If a request carries the specified header and the header value is not a match (case-insensitive), the policy takes effect. |
| StringLike | Key-value strings, which can contain asterisks (*) as the multi-character wildcard or question marks (?) as the single-character wildcard, for example, x-kss-cdn:* | If a request carries the specified header and the header value matches in fuzzy mode (case-sensitive), the policy takes effect. |
| StringNotLike | Key-value strings, which can contain asterisks (*) as the multi-character wildcard or question marks (?) as the single-character wildcard, for example, x-kss-cdn:* | If a request carries the specified header and the header value does not match in fuzzy mode (case-insensitive), the policy takes effect. |

Conditional operators supported by the VPC subnet ID (ksc:SubnetID)

| Conditional operator | Value | Description |
| --- | --- | --- |
| StringEquals | Account IDs and subnet IDs | If the request comes from the VPC subnet with the specified ID, the policy takes effect. |
| StringNotEquals | Account IDs and subnet IDs | If the request does not come from the VPC subnet with the specified ID, the policy takes effect. |
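To make the evaluation rules concrete, the following added Python example (not code from the KS3 documentation or any Kingsoft SDK) evaluates a constructed bucket policy against sample requests: it applies the Explicit Deny > Allow > Default Deny priority, the bucket-level versus object-level resource matching described in the note above, and the ksc:SourceIp and ksc:RequestHeader condition operators from the tables. The policy document layout (Statement, Effect, Action, Resource, Condition), the request dictionary shape and the 203.0.113.0/24 address range are assumptions made for the example.

```python
import fnmatch
import ipaddress

# Constructed sample policy. The JSON layout (Statement/Effect/Action/Resource/Condition)
# is assumed; the actions, KRNs, condition keys and operators are the ones KS3 documents.
POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["ks3:GetObject"],
     "Resource": ["krn:ksc:ks3:::bucket01/*"],
     "Condition": {"IpAddress": {"ksc:SourceIp": ["203.0.113.0/24"]}}},   # constructed range
    {"Effect": "Deny", "Action": ["ks3:GetObject"],
     "Resource": ["krn:ksc:ks3:::bucket01/*"],
     "Condition": {"StringNotLike": {"ksc:RequestHeader": ["x-kss-cdn:kingsoft*"]}}},
]}

def header_cond(operator, specs, headers):
    """String* operators on ksc:RequestHeader; an absent header never satisfies them."""
    def one(spec):
        name, _, want = spec.partition(":")       # values are 'header-name:value' strings
        got = headers.get(name.lower())           # header names compared case-insensitively
        if got is None:
            return False
        if operator.endswith("IgnoreCase"):
            got, want = got.lower(), want.lower()
        hit = fnmatch.fnmatchcase(got, want) if "Like" in operator else got == want
        return hit != ("Not" in operator)         # StringNot* operators invert the match
    return any(one(s) for s in specs)

def ip_cond(operator, cidrs, source_ip):
    """IpAddress / NotIpAddress on ksc:SourceIp (IPv4 addresses or CIDR blocks)."""
    inside = any(ipaddress.ip_address(source_ip) in ipaddress.ip_network(c, strict=False) for c in cidrs)
    return inside if operator == "IpAddress" else not inside

def statement_applies(st, action, resource, request):
    if action not in st["Action"] or not any(fnmatch.fnmatchcase(resource, r) for r in st["Resource"]):
        return False                              # a bucket KRN never matches 'bucket01/*'
    checks = {"ksc:SourceIp": lambda op, v: ip_cond(op, v, request["source_ip"]),
              "ksc:RequestHeader": lambda op, v: header_cond(op, v, request["headers"])}
    return all(key in checks and checks[key](op, values)   # unmodelled keys never hold
               for op, clauses in st.get("Condition", {}).items()
               for key, values in clauses.items())

def evaluate(policy, action, resource, request):
    """Explicit Deny > Allow > Default Deny; statement order makes no difference."""
    outcome = "DefaultDeny"
    for st in policy["Statement"]:
        if statement_applies(st, action, resource, request):
            if st["Effect"] == "Deny":
                return "ExplicitDeny"             # one matching Deny settles the request
            outcome = "Allow"
    return outcome
```

Because a header condition only holds when the request actually carries the header, the StringNotLike Deny above does not fire for a request with no x-kss-cdn header at all; a policy that must require the header has to check it on the Allow side as well.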