All Documents
Current Document
Content is empty
If you don't find the content you expect, please try another search term
Content is empty
If you don't find the content you expect, please try another search term
Standard Storage Service (KS3)
Console User Guide
Bucket management
Configure bucket policies
Last updated:2021-07-06 15:04:36
Bucket policy-Documentation-Kingsoft Cloud
If you are a bucket owner, you can configure access control policies for KS3 resources, including buckets and objects.
User requests to access a bucket and its objects are controlled by the bucket policy. Specifically, their requests can be accepted or denied. Whether a request is accepted or denied depends on the bucket policy.
When a bucket policy identifies permissions, the effect of each statement can be Explicit Deny, Allow, or Default Deny. If a bucket policy contains multiple statements, it identifies the effect of each statement, and the final effect conforms to the following priority: Explicit Deny > Allow > Default Deny.
Log in to the KS3 console and click Bucket in the left navigation pane. On the Bucket list page, click the name of the target bucket. On the page that appears, click Bucket Settings. On the Bucket Settings tab, click Bucket Policy. On the Bucket Policy tab, click Add Policy.
Note: The requester IP address (ksc:SourceIp), request header (ksc:RequestHeader), and subnet ID of the Virtual Private Cloud (VPC) where the requester resides (ksc:SubnetID) can be used as conditions. For more information, see Conditions.
| Permission keyword | Corresponding KS3 operation | Operation level |
|---|---|---|
| ks3:ListBucket | List objects in a bucket and query the bucket information. | Bucket level |
| ks3:DeleteBucket | Delete the current bucket. | Bucket level |
| ks3:GetBucketAcl | Query the ACL information of a bucket. | Bucket level |
| ks3:PutBucketAcl | Configure an ACL for a bucket. | Bucket level |
| ks3:GetBucketCORS | Query the CORS configuration of a bucket. | Bucket level |
| ks3:PutBucketCORS | Configure CORS for a bucket. | Bucket level |
| ks3ListBucketMultipartUploads | List multipart uploads. | Bucket level |
| ks3:PutObject | Upload an object by using the POST, PUT, or multipart upload method. | Object level |
| ks3:DeleteObject | Delete an object. | Object level |
| ks3:GetObject | Query an object and its metadata. | Object level |
| ks3:GetObjectAcl | Query the ACL information of an object. | Object level |
| ks3:PutObjectAcl | Configure an ACL for an object. | Object level |
| ks3ListMultipartUploadParts | List multipart upload parts. | Object level |
| ks3:AbortMultipartUpload | Cancel the multipart upload. | Object level |
| ks3:PostObjectRestore | Restore an Archive object. | Object level |
Note: You must specify equivalent resources for operations at different levels. If you want to grant the
ks3:ListBucketpermission, you must specify a bucket resource, for example,krn:ksc:ks3:::bucket01, which indicates the bucket named bucket01. If you want to grant theks3:PutObjectpermission, you must specify an object resource, for example,krn:ksc:ks3:::bucket01/*, which indicates all objects in bucket01. If you want to grant both bucket-level and object-level permissions, you must specify both bucket and object resources.
| Conditional operator |
Value | Description |
|---|---|---|
| IpAddress | IP addresses and Classless Inter-Domain Routing (CIDR) blocks. Only IPv4 is supported. | If the source IP address of your request is the specified IP address or is within the specified range, the policy takes effect. |
| NotIpAddress | IP addresses and CIDR blocks. Only IPv4 is supported. | If the source IP address of your request is not the specified IP address or is beyond the specified range, the policy takes effect. |
| Conditional operator |
Value | Description |
|---|---|---|
| StringEquals | Key-value strings, for example, x-kss-cdn:kingsoftcdn | If a request carries the specified header and the header value is exactly matched (case-sensitive), the policy takes effect. |
| StringNotEquals | Key-value strings, for example, x-kss-cdn:kingsoftcdn | If a request carries the specified header and the header value is not matched (case-sensitive), the policy takes effect. |
| StringEqualsIgnoreCase | Key-value strings, for example, x-kss-cdn:kingsoftcdn | If a request carries the specified header and the header value is exactly matched (case-insensitive), the policy takes effect. |
| StringNotEqualsIgnoreCase | Key-value strings, for example, x-kss-cdn:kingsoftcdn | If a request carries the specified header and the header value is not matched (case-insensitive), the policy takes effect. |
| StringLike | Key-value strings, which can contain asterisks () as the multi-character matching wildcard or question marks (?) as the single-character matching wildcard, for example, x-kss-cdn:\ | If a request carries the specified header and the header value is matched in fuzzy mode (case-sensitive), the policy takes effect. |
| StringNotLike | Key-value strings, which can contain asterisks () as the multi-character matching wildcard or question marks (?) as the single-character matching wildcard, for example, x-kss-cdn:\ | If a request carries the specified header and the header value is not matched in fuzzy mode (case-insensitive), the policy takes effect. |
| Conditional operator | Value | Description |
|---|---|---|
| StringEquals | Account IDs and subnet IDs | If your request comes from the VPC subnet of the specified ID, the policy takes effect. |
| StringNotEquals | Account IDs and subnet IDs | If your request does not come from the VPC subnet of the specified ID, the policy takes effect. |
Pure Mode