Bucket policy

Last updated: 2021-04-07 21:42:04

You can configure the following elements in a bucket policy:

  • Effect: Whether the operation a user requests is allowed or denied. If no policy explicitly allows the user access to a resource, access is not granted. If a policy explicitly denies access, the user cannot access the resource even if another policy explicitly allows the request.
  • Resource: The bucket, the objects in it, and the related sub-resources.
  • Action: The set of operations that can be performed on each resource.
  • Principal: The user or account that is allowed or denied access to the resources.
  • Condition: The conditions that must hold when you grant permissions on resources. The policy takes effect only for requests that meet the specified conditions.

The following code provides a sample bucket policy. It allows the IAM user Dave in the account whose ID is accountid to perform the ks3:ListBucket and ks3:GetObject operations on the examplebucket bucket.

{
    "Version": "2015-11-01",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {"KSC": ["krn:ksc:iam::(accountid):user/Dave"]},
            "Action": [
                "ks3:ListBucket",
                "ks3:GetObject"
            ],
            "Resource": ["krn:ksc:ks3:::examplebucket", "krn:ksc:ks3:::examplebucket/*"]
        }
    ]
}
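To make the semantics above concrete (default deny, explicit Deny beating Allow, wildcard KRNs, Principal matching), here is an added Python evaluator that is not part of the page or of KS3 itself. It embeds the sample policy plus a constructed second statement that denies everyone the secret/ prefix; the {"KSC": [...]} wrapping of the Principal KRN and the user/Mallory name in the checks are assumptions made for the example.

```python
import json
import re

# Sample policy from the page, plus a constructed Deny statement for "secret/".
# The {"KSC": [...]} shape of Principal is this example's assumption.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2015-11-01",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {"KSC": ["krn:ksc:iam::(accountid):user/Dave"]},
      "Action": ["ks3:ListBucket", "ks3:GetObject"],
      "Resource": ["krn:ksc:ks3:::examplebucket", "krn:ksc:ks3:::examplebucket/*"]
    },
    {
      "Sid": "2",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["ks3:GetObject"],
      "Resource": ["krn:ksc:ks3:::examplebucket/secret/*"]
    }
  ]
}
""")

DAVE = "krn:ksc:iam::(accountid):user/Dave"


def as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def krn_matches(pattern: str, krn: str) -> bool:
    """Wildcards as the page defines them: '*' is any run of characters
    (including '/'), '?' is exactly one character; everything else is literal."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, krn) is not None


def principal_matches(principal, caller: str) -> bool:
    """'*' means every user; otherwise the caller's KRN must appear verbatim."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(caller == p for vals in principal.values() for p in as_list(vals))
    return caller == principal


def evaluate(policy: dict, caller: str, action: str, resource: str) -> str:
    """Return "ALLOW" or "DENY" for one request.

    Default is DENY. A matching Allow statement flips it to ALLOW, but a matching
    Deny statement wins regardless of where it sits in the Statement list.
    """
    decision = "DENY"
    for stmt in policy["Statement"]:
        if not principal_matches(stmt["Principal"], caller):
            continue
        if action not in as_list(stmt["Action"]):
            continue
        if not any(krn_matches(r, resource) for r in as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "DENY"
        decision = "ALLOW"
    return decision


if __name__ == "__main__":
    for act, res in [
        ("ks3:ListBucket", "krn:ksc:ks3:::examplebucket"),
        ("ks3:GetObject", "krn:ksc:ks3:::examplebucket/reports/q1.csv"),
        ("ks3:GetObject", "krn:ksc:ks3:::examplebucket/secret/key.pem"),
        ("ks3:DeleteObject", "krn:ksc:ks3:::examplebucket/reports/q1.csv"),
    ]:
        print(f"{act:18} {res:55} -> {evaluate(SAMPLE_POLICY, DAVE, act, res)}")
```

The Deny statement is evaluated even though it comes after the Allow, which is why Dave can read reports/q1.csv but not secret/key.pem; DeleteObject is denied simply because nothing allows it.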

Specify resources in a bucket policy

In Kingsoft Cloud Standard Storage Service (KS3), a Kingsoft Resource Name (KRN) is used to identify a resource. You can specify a KRN in the following format:

krn:ksc:ks3:::bucketname
krn:ksc:ks3:::bucketname/keyname

The bucketname parameter is the name of a bucket and the keyname parameter is the name of an object. Wildcards are supported in KRNs: an asterisk (*) matches any sequence of characters and a question mark (?) matches exactly one character.

Sample KRNs in KS3:

  • The KRN to indicate the mybucket bucket:
krn:ksc:ks3:::mybucket

  • The KRN to indicate all objects in the mybucket bucket:
krn:ksc:ks3:::mybucket/*

  • The KRN to indicate all buckets and objects you own:
krn:ksc:ks3:::*

Note:

  • In practical use, you can omit the krn:ksc:ks3::: prefix in the console and enter only the bucket name and object name. The backend automatically converts the simplified input into the standard KRN.
  • For more information about the mapping between operation levels and KRNs, see Specify permissions in a bucket policy.

Specify the authorized principal in a bucket policy

You can use the Principal element to specify an IAM user, account, service, or another entity that is allowed or denied access to the resources. The Principal element is required only in bucket policies. You do not need to specify it in user policies, because a user policy is attached to a specific user. Examples:

1. *: all users.
2. krn:ksc:iam::(accountid):root: the Kingsoft Cloud account. accountid is the ID of the Kingsoft Cloud account; root is a fixed value.
3. krn:ksc:iam::(accountid):user/(userName): an IAM user. userName is the name of the IAM user; user is a fixed value; accountid is the ID of the Kingsoft Cloud account.
4. krn:ksc:iam::(accountid):role/(roleNAME): an IAM role. roleNAME is the role name; role is a fixed value; accountid is the ID of the Kingsoft Cloud account.

Note: In practical use, if the authorized principal is a Kingsoft Cloud account, you can enter only the Kingsoft Cloud account ID in the console. For an IAM user, enter the Kingsoft Cloud account ID and the username in the accountid/userName format. The backend automatically converts the simplified input into the standard KRN.

Specify permissions in a bucket policy

KS3 allows you to define a set of permissions in a bucket policy. Each permission keyword maps to one KS3 operation and has an operation level (bucket or object).

| Permission keyword | KS3 operation | Operation level |
| --- | --- | --- |
| ks3:ListBucket | Lists the objects in a bucket and queries the bucket information. | Bucket |
| ks3:DeleteBucket | Deletes a bucket. | Bucket |
| ks3:GetBucketAcl | Queries the access control list (ACL) of a bucket. | Bucket |
| ks3:PutBucketAcl | Configures the ACL of a bucket. | Bucket |
| ks3:GetBucketCORS | Queries the cross-origin resource sharing (CORS) rules of a bucket. | Bucket |
| ks3:PutBucketCORS | Configures the CORS rules of a bucket. | Bucket |
| ks3:ListBucketMultipartUploads | Lists the multipart upload tasks of a bucket. | Bucket |
| ks3:PutObject | Uploads an object through POST, PUT, and multipart requests. | Object |
| ks3:DeleteObject | Deletes an object. | Object |
| ks3:GetObject | Downloads an object and queries the metadata of the object. | Object |
| ks3:GetObjectAcl | Queries the ACL of an object. | Object |
| ks3:PutObjectAcl | Configures the ACL of an object. | Object |
| ks3:ListMultipartUploadParts | Lists the multipart upload tasks of an object. | Object |
| ks3:AbortMultipartUpload | Cancels the multipart upload task of an object. | Object |
| ks3:PostObjectRestore | Restores an archive object. | Object |
| ks3:PutObjectTagging | Adds a tag to an object or updates the tags of the object. | Object |
| ks3:GetObjectTagging | Queries the tags of an object. | Object |
| ks3:DeleteObjectTagging | Deletes the tags of an object. | Object |

Note: The resources you specify must match the operation level of each permission.
  • To grant the ks3:ListBucket permission (bucket level), specify a bucket. For example, the krn:ksc:ks3:::bucket01 KRN indicates the bucket named bucket01.
  • To grant the ks3:PutObject permission (object level), specify objects. For example, the krn:ksc:ks3:::bucket01/* KRN indicates all objects in the bucket01 bucket.
  • To grant bucket-level and object-level permissions in the same statement, specify both the bucket KRN and the object KRN.
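A statement that grants an object-level action but lists only a bucket KRN silently grants nothing for that action. The following added Python linter (not part of the page or of KS3) encodes the table above and flags exactly that mismatch; the bucket01 statements it checks are constructed, and ks3:NotReal is a deliberately invalid keyword.

```python
# Permission keywords and their operation level, copied from the table above.
OPERATION_LEVEL = {
    "ks3:ListBucket": "Bucket",
    "ks3:DeleteBucket": "Bucket",
    "ks3:GetBucketAcl": "Bucket",
    "ks3:PutBucketAcl": "Bucket",
    "ks3:GetBucketCORS": "Bucket",
    "ks3:PutBucketCORS": "Bucket",
    "ks3:ListBucketMultipartUploads": "Bucket",
    "ks3:PutObject": "Object",
    "ks3:DeleteObject": "Object",
    "ks3:GetObject": "Object",
    "ks3:GetObjectAcl": "Object",
    "ks3:PutObjectAcl": "Object",
    "ks3:ListMultipartUploadParts": "Object",
    "ks3:AbortMultipartUpload": "Object",
    "ks3:PostObjectRestore": "Object",
    "ks3:PutObjectTagging": "Object",
    "ks3:GetObjectTagging": "Object",
    "ks3:DeleteObjectTagging": "Object",
}

KRN_PREFIX = "krn:ksc:ks3:::"


def as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def resource_levels(krn: str) -> set:
    """Which operation levels a resource KRN can satisfy.

    A '/' after the bucket name pins the pattern to objects. Without one it
    names a bucket, and if it contains '*' it also reaches objects, because
    '*' matches any character sequence including '/' (krn:ksc:ks3:::* covers
    every bucket and every object).
    """
    if not krn.startswith(KRN_PREFIX):
        raise ValueError(f"not a KS3 KRN: {krn}")
    name = krn[len(KRN_PREFIX):]
    if "/" in name:
        return {"Object"}
    return {"Bucket", "Object"} if "*" in name else {"Bucket"}


def lint_statement(stmt: dict) -> list:
    """Return one message per action whose level no listed resource can satisfy."""
    covered = set()
    for res in as_list(stmt["Resource"]):
        covered |= resource_levels(res)
    problems = []
    for action in as_list(stmt["Action"]):
        level = OPERATION_LEVEL.get(action)
        if level is None:
            problems.append(f"{action}: not a permission keyword in the table")
        elif level not in covered:
            problems.append(
                f"{action} is {level}-level but no {level}-level resource is listed"
            )
    return problems


# Constructed statement: grants a bucket-level and an object-level action but
# lists only the bucket KRN, so the object-level grant is dead.
INCOMPLETE = {
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["ks3:ListBucket", "ks3:PutObject"],
    "Resource": "krn:ksc:ks3:::bucket01",
}
# Same statement with both KRNs, as the note above requires.
COMPLETE = dict(INCOMPLETE, Resource=["krn:ksc:ks3:::bucket01", "krn:ksc:ks3:::bucket01/*"])

if __name__ == "__main__":
    for name, stmt in [("incomplete", INCOMPLETE), ("complete", COMPLETE)]:
        print(name, lint_statement(stmt) or "OK")
```

Running the linter over every statement before a policy is applied catches the dead grant at review time instead of when a user reports an unexpected access denial.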

Specify conditions in a bucket policy

The access policy language allows you to specify conditions when you grant permissions on resources. You restrict when a policy is in effect by using the optional Condition element, which is also called a Condition block.

A policy takes effect only when the request of a user meets the specified conditions.

The following table describes the conditions supported by KS3.

| Condition | Feature |
| --- | --- |
| ksc:SourceIp | Specify the IP address the request must come from. |
| ksc:RequestHeader | Specify a header that must be present in the request. |
| ksc:SubnetID | Specify the ID of the VPC subnet from which the request originates. |
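To show how the three condition keys constrain a request, here is an added Python matcher that is neither the page's nor KS3's code. The page does not give the JSON layout of a Condition block, so the flat {condition key: expected value} shape, the request fields (source_ip, headers, subnet_id) and the example addresses, Referer value and subnet ID are all assumptions constructed for this example.

```python
import ipaddress


def as_list(value):
    """Condition values may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def condition_matches(condition: dict, request: dict) -> bool:
    """True when every condition key holds for the request; fail closed otherwise.

    Condition block shape is this example's assumption: a flat mapping from
    condition key to expected value(s). The request is a constructed dict with
    'source_ip', 'headers' and 'subnet_id'.
    """
    for key, expected in condition.items():
        if key == "ksc:SourceIp":
            ip = ipaddress.ip_address(request["source_ip"])
            # A bare address becomes a /32 (or /128) network; CIDRs stay as given.
            ranges = [ipaddress.ip_network(c, strict=False) for c in as_list(expected)]
            if not any(ip in net for net in ranges):
                return False
        elif key == "ksc:RequestHeader":
            # Header names are case-insensitive; values are compared exactly.
            headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
            if any(headers.get(n.lower()) != v for n, v in expected.items()):
                return False
        elif key == "ksc:SubnetID":
            if request.get("subnet_id") not in as_list(expected):
                return False
        else:
            return False  # unknown key: treat the condition as unmet
    return True


# Constructed condition: office CIDR or one fixed host, and only requests that
# carry the web front end's Referer header.
OFFICE_ONLY = {
    "ksc:SourceIp": ["203.0.113.0/24", "198.51.100.7"],
    "ksc:RequestHeader": {"Referer": "https://www.example.com/"},
}

REQ_OK = {"source_ip": "203.0.113.42", "headers": {"referer": "https://www.example.com/"}}
REQ_BAD_IP = dict(REQ_OK, source_ip="192.0.2.9")
REQ_BAD_REF = dict(REQ_OK, headers={"Referer": "https://other.example/"})

if __name__ == "__main__":
    for name, req in [("ok", REQ_OK), ("bad ip", REQ_BAD_IP), ("bad referer", REQ_BAD_REF)]:
        print(name, condition_matches(OFFICE_ONLY, req))
```

All keys in a block must hold at once, and an unrecognised key makes the block fail rather than being ignored, so a typo in a condition key cannot silently widen access.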

For more information about how to configure bucket policies in the console, see Bucket Policy.
