All Documents

Current Document

Recommend

Container Engine Virtual Private Cloud Standard Storage Service

Content is empty

If you don't find the content you expect, please try another search term

Standard Storage Service (KS3)

View more results

Document title with current keyword not found

Directory

Expand AllFold All Up

Networking
Security

Video Services
Data Analysis
- MapReduce (KMR)
- Kingsoft Cloud Log Service
Account Management
- Identity and Access Management
- Account Management

No products found with this keyword

Standard Storage Service (KS3)

Access Control Management

User Policy

Last updated：2021-04-07 21:42:08

You can configure the following elements in a user policy:

Effect: The effect when a user requests a specified operation, which can be allowed or denied. If you do not explicitly allow the user to access resources, the user policy is not in effect. If you explicitly deny the user to access resources, the user cannot access the resources even though their request is explicitly allowed in another policy.
Resource: The bucket, objects, and related sub-resources.
Action: A set of operations that can be performed on each resource.
Condition: The conditions specified when you grant permissions on resources. An access policy takes effect only when the access request meets the specified conditions.

The following code provides a sample user policy. The user policy allows users to perform the ks3:listbucket and ks3:getobject operations on the examplebucket bucket. After you create the policy and attach it to an IAM user, the IAM user is granted the specified permissions. For more information, see Permission management.

{
    "Version":"2015-11-01",
    "Statement": [
    {
        "Sid":"1",
        "Effect":"Allow",
        "Action":[
            "ks3:ListBucket",
            "ks3:GetObject"
        ],
        "Resource":["krn:ksc:ks3:::examplebucket","krn:ksc:ks3:::examplebucket/*"]
    }
   ]
}

Note: Different from bucket policies, you do not need to specify the Principal element in user policies because user policies are attached to specified users.

Specify resources in a user policy

In Kingsoft Cloud Standard Storage Service (KS3), a Kingsoft Resource Name (KRN) is used to identify a resource. You can specify a KRN in the following format:

krn:ksc:ks3:::bucketname
krn:ksc:ks3:::bucketname/keyname

The bucketname parameter indicates the name of a bucket. The keyname parameter indicates the name of an object. Wildcards are supported in KRNs. An asterisk (*) represents any combination of a sequence of characters and a question mark (?) represents any single character.

Sample KRN in KS3:

The KRN to indicate the mybucket bucket:

krn:ksc:ks3:::mybucket

Specify the authorized principal in a user policy

You do not need to specify the authorized principal in user policies because user policies are attached to specified users.

Specify permissions in a user policy

KS3 allows you to define a set of permissions in a user policy. Each permission maps a specific KS3 operation.

Permission keyword	KS3 operation
ks3:ListBuckets	Lists buckets.
ks3:GetBucketLocation	Queries the region to which a bucket belongs.
ks3:PutBucket	Creates a bucket.
ks3:DeleteBucket	Deletes a bucket.
ks3:ListBucket	Lists the objects in a bucket and queries the bucket information.
ks3:GetBucketAcl	Queries the access control list (ACL) of a bucket.
ks3:PutBucketAcl	Configures the ACL of a bucket.
ks3:PutBucketPolicy	Creates a policy for a bucket.
ks3:GetBucketPolicy	Queries the policies of a bucket.
ks3:DeleteBucketPolicy	Deletes the policies of a bucket.
ks3:GetBucketCORS	Queries the cross-origin resource sharing (CORS) rules of a bucket.
ks3:PutBucketCORS	Configures the CORS rules of a bucket.
ks3:PutObject	Uploads an object through POST, PUT, and multipart requests.
ks3:DeleteObject	Deletes an object.
ks3:GetObject	Downloads an object and queries the metadata of the object.
ks3:GetObjectAc	Queries the ACL of an object.
ks3:PutObjectAc	Configures the ACL of an object.
ks3:ListBucketMultipartUploads	Lists multipart upload tasks of a bucket.
ks3:ListMultipartUploadParts	Lists multipart upload tasks of an object.
ks3:AbortMultipartUpload	Cancels the multipart upload task of an object.
ks3:PutBucketLifecycle	Creates a lifecycle rule for a bucket.
ks3:DeleteBucketLifecycle	Deletes the lifecycle rules of a bucket.
ks3:GetBucketLifecycle	Queries the lifecycle rules of a bucket.
ks3:PostObjectRestore	Restores an archive object.
ks3:PutObjectTagging	Adds a tag for an object or updates the tags of the object.
ks3:GetObjectTagging	Queries the tags of an object.
ks3:DeleteObjectTagging	Deletes the tags of an object.

Specify conditions in a user policy

The access policy language allows you to specify conditions when you grant permissions on resources. You can specify conditions for when a policy is in effect by using the optional Condition element, which is also called Condition block.

The following table describes the condition supported by KS3.

Condition	Feature
ksc:SourceIp	Specify an IP address.

On this page

Previous:Grant permissions to multiple Kingsoft Cloud accounts

Next:Example of user permissions

Pure ModeNormal Mode

Pure Mode

Click to preview the document content in full screen

Feedback