User Policy

Last updated: 2021-04-07 21:42:08

You can configure the following elements in a user policy:

  • Effect: The effect when a user requests a specified operation, which can be Allow or Deny. If you do not explicitly allow the user to access a resource, the user policy grants no access to it. If you explicitly deny the user access to a resource, the user cannot access that resource even though the request is explicitly allowed in another policy.
  • Resource: The bucket, objects, and related sub-resources.
  • Action: A set of operations that can be performed on each resource.
  • Condition: The conditions specified when you grant permissions on resources. An access policy takes effect only when the access request meets the specified conditions.

The following code provides a sample user policy. The user policy allows users to perform the ks3:ListBucket and ks3:GetObject operations on the examplebucket bucket. After you create the policy and attach it to an IAM user, the IAM user is granted the specified permissions. For more information, see Permission management.

{
    "Version": "2015-11-01",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Action": [
                "ks3:ListBucket",
                "ks3:GetObject"
            ],
            "Resource": [
                "krn:ksc:ks3:::examplebucket",
                "krn:ksc:ks3:::examplebucket/*"
            ]
        }
    ]
}

Note: Unlike bucket policies, user policies do not require the Principal element, because a user policy is attached to a specific user.

Specify resources in a user policy

In Kingsoft Cloud Standard Storage Service (KS3), a Kingsoft Resource Name (KRN) is used to identify a resource. You can specify a KRN in the following format:

krn:ksc:ks3:::bucketname
krn:ksc:ks3:::bucketname/keyname

The bucketname parameter indicates the name of a bucket. The keyname parameter indicates the name of an object. Wildcards are supported in KRNs: an asterisk (*) matches any sequence of characters (including an empty one), and a question mark (?) matches exactly one character.

Sample KRN in KS3:

  • The KRN that identifies the mybucket bucket:
    krn:ksc:ks3:::mybucket

Specify the authorized principal in a user policy

You do not need to specify the authorized principal in a user policy, because the policy is attached to a specific user.

Specify permissions in a user policy

KS3 allows you to define a set of permissions in a user policy. Each permission keyword maps to a specific KS3 operation.

Permission keyword                KS3 operation
ks3:ListBuckets                   Lists buckets.
ks3:GetBucketLocation             Queries the region to which a bucket belongs.
ks3:PutBucket                     Creates a bucket.
ks3:DeleteBucket                  Deletes a bucket.
ks3:ListBucket                    Lists the objects in a bucket and queries the bucket information.
ks3:GetBucketAcl                  Queries the access control list (ACL) of a bucket.
ks3:PutBucketAcl                  Configures the ACL of a bucket.
ks3:PutBucketPolicy               Creates a policy for a bucket.
ks3:GetBucketPolicy               Queries the policies of a bucket.
ks3:DeleteBucketPolicy            Deletes the policies of a bucket.
ks3:GetBucketCORS                 Queries the cross-origin resource sharing (CORS) rules of a bucket.
ks3:PutBucketCORS                 Configures the CORS rules of a bucket.
ks3:PutObject                     Uploads an object through POST, PUT, and multipart requests.
ks3:DeleteObject                  Deletes an object.
ks3:GetObject                     Downloads an object and queries the metadata of the object.
ks3:GetObjectAc                   Queries the ACL of an object.
ks3:PutObjectAc                   Configures the ACL of an object.
ks3:ListBucketMultipartUploads    Lists multipart upload tasks of a bucket.
ks3:ListMultipartUploadParts      Lists multipart upload tasks of an object.
ks3:AbortMultipartUpload          Cancels the multipart upload task of an object.
ks3:PutBucketLifecycle            Creates a lifecycle rule for a bucket.
ks3:DeleteBucketLifecycle         Deletes the lifecycle rules of a bucket.
ks3:GetBucketLifecycle            Queries the lifecycle rules of a bucket.
ks3:PostObjectRestore             Restores an archive object.
ks3:PutObjectTagging              Adds a tag for an object or updates the tags of the object.
ks3:GetObjectTagging              Queries the tags of an object.
ks3:DeleteObjectTagging           Deletes the tags of an object.

Specify conditions in a user policy

The access policy language allows you to specify conditions when you grant permissions on resources. You can restrict when a statement is in effect by using the optional Condition element, which is also called a Condition block.

The following table describes the condition key supported by KS3.

Condition       Feature
ksc:SourceIp    Specifies a source IP address.
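To make the three rules above concrete (explicit Deny overrides Allow, no matching Allow means Deny, and a statement with a Condition applies only when the condition holds), the following is an added illustration of that evaluation logic, not code from Kingsoft Cloud. It assumes the ksc:SourceIp condition is written under an IpAddress operator as a CIDR range; the policy and request values are constructed for the example.

```python
import ipaddress
import re

# Constructed sample user policy (assumption: ksc:SourceIp sits under an
# "IpAddress" operator). Statement 1 allows reads from one network; statement 2
# explicitly denies reads under the "private/" prefix regardless of source.
SAMPLE_POLICY = {
    "Version": "2015-11-01",
    "Statement": [
        {"Sid": "1", "Effect": "Allow",
         "Action": ["ks3:ListBucket", "ks3:GetObject"],
         "Resource": ["krn:ksc:ks3:::examplebucket",
                      "krn:ksc:ks3:::examplebucket/*"],
         "Condition": {"IpAddress": {"ksc:SourceIp": "203.0.113.0/24"}}},
        {"Sid": "2", "Effect": "Deny",
         "Action": ["ks3:GetObject"],
         "Resource": ["krn:ksc:ks3:::examplebucket/private/*"]},
    ],
}


def krn_match(pattern: str, krn: str) -> bool:
    """KRN wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, krn) is not None


def condition_met(condition: dict, source_ip: str) -> bool:
    """True when the statement has no condition or the request IP is in range."""
    ranges = condition.get("IpAddress", {}).get("ksc:SourceIp", [])
    if isinstance(ranges, str):
        ranges = [ranges]
    if not ranges:
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)


def evaluate(policy: dict, action: str, resource: str, source_ip: str) -> str:
    """Return 'Allow' or 'Deny'; an explicit Deny wins, default is Deny."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        resources = [stmt["Resource"]] if isinstance(stmt["Resource"], str) else stmt["Resource"]
        if action not in actions or not any(krn_match(r, resource) for r in resources):
            continue
        if not condition_met(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"
```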
