All Documents

Current Document

Recommend

Container Engine Virtual Private Cloud Standard Storage Service

Content is empty

If you don't find the content you expect, please try another search term

Standard Storage Service (KS3)

View more results

Document title with current keyword not found

Directory

Expand AllFold All Up

Networking
Security

Video Services
Data Analysis
- MapReduce (KMR)
- Kingsoft Cloud Log Service
Account Management
- Identity and Access Management
- Account Management

No products found with this keyword

Standard Storage Service (KS3)

Access Control Management

Bucket policy

Last updated：2021-04-07 21:42:04

You can configure the following elements in a bucket policy:

Effect: The effect when a user requests a specified operation, which can be allowed or denied. If you do not explicitly allow the user to access resources, the bucket policy is not in effect. If you explicitly deny the user to access resources, the user cannot access the resources even though their request is explicitly allowed in another policy.
Resource: The bucket, objects, and related sub-resources.
Action: A set of operations that can be performed on each resource.
Principal: The user or account that is allowed or denied to access resources.
Condition: The conditions specified when you grant permissions on resources. An access policy takes effect only when the access request meets the specified conditions.

The following code provides a sample bucket policy. The bucket policy allows the IAM user Dave within the accountid account to perform the ks3:listbucket and ks3:getobject operations on the examplebucket bucket.

{
    "Version":"2015-11-01",
    "Statement": [
    {
        "Sid":"1",
        "Effect":"Allow",
        "Principal":{krn:ksc:iam::(accountid):user/Dave},
        "Action":[
            "ks3:ListBucket",
            "ks3:GetObject"
         ],
        "Resource":["krn:ksc:ks3:::examplebucket","krn:ksc:ks3:::examplebucket/*"]
   }
  ]
}

Specify resources in a bucket policy

In Kingsoft Cloud Standard Storage Service (KS3), a Kingsoft Resource Name (KRN) is used to identify a resource. You can specify a KRN in the following format:

krn:ksc:ks3:::bucketname
krn:ksc:ks3:::bucketname/keyname

The bucketname parameter indicates the name of a bucket. The keyname parameter indicates the name of an object. Wildcards are supported in KRNs. An asterisk (*) represents any combination of a sequence of characters and a question mark (？) represents any single character.

Sample KRNs in KS3:

The KRN to indicate the mybucket bucket:

krn:ksc:ks3:::mybucket

The KRN to indicate all objects in the mybucket bucket:

krn:ksc:ks3:::mybucket/*

The KRN to indicate all buckets and objects you own:

krn:ksc:ks3:::*

Note:

In practical use, you can omit the krn:ksc:ks3::: parameter and write only the bucket name and object name in the console to simplify input. The background program automatically converts the simplified input to standard input.
For more information about the mapping between operation levels and KRNs, see Specify permissions in a bucket policy.

Specify the authorized principal in a bucket policy

You can use the Principal element to specify an IAM user, account, service, or another entity that is allowed or denied to access the resources. The Principal element is required only in bucket policies. You do not need to specify the Principal element in user policies because user policies are attached to specified users. Examples:

1. * indicates all users.
2. krn:ksc:iam::(accountid):root // Indicates the Kingsoft Cloud account. accountid indicates the ID of the Kingsoft Cloud account. root is a fixed value.
3. krn:ksc:iam::(accountid):user/(userName) // Indicates an IAM user. userName indicates the IAM user. user is a fixed value. accountid indicates the ID of the Kingsoft Cloud account.
4. krn:ksc:iam::(accountid):role/(roleNAME) // Indicates an IAM role. roleNAME indicates the role name. role is a fixed value. accountid indicates the ID of the Kingsoft Cloud account.

Note: In practical use, if the authorized principle is a Kingsoft Cloud account, you can write only the Kingsoft Cloud account ID in the console to simplify input. For IAM users, write the Kingsoft Cloud account ID and the username in the accountid/userName format. The background program automatically converts the simplified input to standard input.

Specify permissions in a bucket policy

KS3 allows you to define a set of permissions in a bucket policy. Each permission maps a specific KS3 operation.

Permission keyword	KS3 operation	Operation level
ks3:ListBucket	Lists the objects in a bucket and queries the bucket information.	Bucket
ks3:DeleteBucket	Deletes a bucket.	Bucket
ks3:GetBucketAcl	Queries the access control list (ACL) of a bucket.	Bucket
ks3:PutBucketAcl	Configures the ACL of a bucket.	Bucket
ks3:GetBucketCORS	Queries the cross-origin resource sharing (CORS) rules of a bucket.	Bucket
ks3:PutBucketCORS	Configures the CORS rules of a bucket.	Bucket
ks3:ListBucketMultipartUploads	Lists multipart upload tasks of a bucket.	Bucket
ks3:PutObject	Uploads an object through POST, PUT, and multipart requests.	Object
ks3:DeleteObject	Deletes an object.	Object
ks3:GetObject	Downloads an object and queries the metadata of the object.	Object
ks3:GetObjectAcl	Queries the ACL of an object.	Object
ks3:PutObjectAcl	Configures the ACL of an object.	Object
ks3:ListMultipartUploadParts	Lists multipart upload tasks of an object.	Object
ks3:AbortMultipartUpload	Cancels the multipart upload task of an object.	Object
ks3:PostObjectRestore	Restores an archive object.	Object
ks3:PutObjectTagging	Adds a tag for an object or updates the tags of the object.	Object
ks3:GetObjectTagging	Queries the tags of an object.	Object
ks3:DeleteObjectTagging	Deletes the tags of an object.	Object

Note: You must specify resources that match the specific operation level. If you want to grant users the permission to perform the ks3:ListBucket operation, specify a bucket.
For example, the krn:ksc:ks3:::bucket01 KRN indicates a bucket of which the name is bucket01.
If you want to grant users the permission to perform the ks3:PutObject operation, specify an object.
For example, the krn:ksc:ks3:::bucket01/* KRN indicates all objects in the bucket bucket01.
If you want to grant users the permission to perform operations of the bucket level and object level at the same time, both resources must be specified.

Specify conditions in a bucket policy

The access policy language allows you to specify conditions when you grant permissions on resources. You can specify conditions for when a policy is in effect by using the optional Condition element, which is also called Condition block.

A policy takes effect only when the request of a user meets the specified conditions.

The following table describes the conditions supported by KS3.

Condition	Feature
ksc:SourceIp	Specify an IP address.
ksc:RequestHeader	Specify a request header in the request.
ksc:SubnetID	Specify the ID of the VPC subnet from which the request originates.

For more information about how to configure bucket policies in the console, see Bucket Policy.

On this page

Next:Examples of bucket policies

Pure ModeNormal Mode

Pure Mode

Click to preview the document content in full screen

Feedback