Configuring a Bucket Policy

On OBS, you can use a bucket policy to control access to buckets and objects in a stricter manner. For example, you can specify a bucket that a specific OBS account can access, restrict a specific address's access to a specified bucket, and more. You can configure a bucket policy only for your own bucket.

Procedure

  1. Open the command line tool.
  2. Run the following command to create a file that stores a bucket policy.

    vi policy-file-name

    NOTE:

    policy-file-name is the name of the file that stores a bucket policy. The value can be user-defined.

  3. Press i to enter edit mode and configure a bucket policy in the following format:

    {
        "Version": "2008-10-17",
        "Id": "PolicyId",
        "Statement": [
            {
                "Sid": "StmtId",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::domainid:root"
                    ]
                },
                "Action": [
                    "s3:Get*"
                ],
                "Resource": [
                    "arn:aws:s3:::my-bucket"
                ]
            }
        ]
    }

    Table 1 describes the parameters in a bucket policy.

    Table 1 Parameters in a bucket policy

    Version (Optional)
        The version, which is consistent with Amazon S3. The value can only be 2008-10-17.

    Id (Optional)
        The bucket policy ID. The value must be unique.

    Statement (Mandatory)
        The description of the bucket policy. A statement defines a complete permission control rule. Each bucket policy can have multiple statements, and each statement contains the following parameters:

        • Sid
        • Effect
        • Principal
        • NotPrincipal
        • Action
        • NotAction
        • Resource
        • NotResource
        • Condition

        NOTE:

        In each statement, you must specify either Principal or NotPrincipal, either Action or NotAction, and either Resource or NotResource.

    Sid (Optional)
        The statement ID.

    Effect (Mandatory)
        The effect of the bucket policy statement. It determines whether matching requests are accepted or rejected.

        • Allow: accept requests.
        • Deny: reject requests.

    Principal (Optional)
        The grantee or user on whom the bucket policy statement takes effect. A wildcard character (*) indicates all users.

        Principal supports authorizing a domain in the following three formats:

        • AWS: [domainid]
        • AWS: [arn:aws:iam::domainid:root]
        • CanonicalUser: [domainid]

        When authorizing a user, Principal is in the AWS: [arn:aws:iam::domainid:user/userId] format.

    NotPrincipal (Optional)
        The users excluded from the users that match the bucket policy. The value format is the same as that of Principal.

    Action (Optional)
        The OBS operation on which the bucket policy statement takes effect. The value is an array that can contain multiple operations separated by commas (,). The value is case-insensitive and supports the wildcard character (*), which indicates all operations, for example, "Action":["List*","Get*"].

    NotAction (Optional)
        The set of operations excluded from the operations that match the bucket policy. The value format is the same as that of Action.

    Resource (Optional)
        The target resource on which the bucket policy statement takes effect. If the target resource is a bucket, the format of Resource is arn:aws:s3:::my-bucket.

        If the target resource is an object, the format of Resource is arn:aws:s3:::my-bucket/*.

        NOTICE:

        The target bucket must be an existing bucket and must be the same bucket as the one specified in the command. Otherwise, the bucket policy cannot be configured.

    NotResource (Optional)
        The set of resources excluded from the resources that match the bucket policy.

    Condition (Optional)
        The condition that defines restrictions of this bucket policy.

  4. Press Esc, input :wq!, and press Enter to save and exit the vi editor.
  5. Run the following command to configure this bucket policy for a specific bucket:

    s3cmd setpolicy policy-file-name s3://my-bucket

    NOTE:

    policy-file-name is the name of the file that stores the bucket policy and my-bucket is the name of the bucket for which you want to configure this bucket policy.

    If the following information is displayed in the command output, it indicates that the bucket policy is successfully configured for the bucket.

    s3://my-bucket/: Policy updated

  6. (Optional) Run the following command to view bucket basic information and check the bucket policy configuration:

    s3cmd info s3://my-bucket
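Because s3cmd setpolicy rejects a policy whose Resource ARNs name a different bucket, and because a typo in Effect or a statement carrying both Action and NotAction only surfaces at upload time, it is convenient to check the policy file locally first. The following script is an added example, not part of the OBS documentation or of s3cmd; it encodes the rules from Table 1 (Version value, Allow/Deny, the Principal/NotPrincipal, Action/NotAction and Resource/NotResource pairs, and the bucket-name match from the NOTICE) and additionally warns when an anonymous principal is granted more than read access. The sample policies are constructed for the stand-alone run; SAMPLE_OK is Example 1 from this page.

```python
"""Pre-flight checks for an OBS bucket policy file before running s3cmd setpolicy.

Added example (not OBS or s3cmd code). Usage: python check_policy.py policy-file-name my-bucket
"""
import json
import sys

VALID_VERSION = "2008-10-17"
VALID_EFFECTS = {"Allow", "Deny"}
# Table 1 NOTE: each statement needs exactly one member of each of these pairs.
EXCLUSIVE_PAIRS = (("Principal", "NotPrincipal"),
                   ("Action", "NotAction"),
                   ("Resource", "NotResource"))


def _as_list(value):
    """Policy fields may be a single string or an array; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for both spellings of 'all users' on this page: "*" or {"AWS": ["*"]}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def validate_policy(policy_text, bucket):
    """Return a list of findings for the policy text; an empty list means it passed.

    Findings prefixed with 'WARNING:' would not stop setpolicy but deserve a look.
    """
    findings = []
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]

    if "Version" in policy and policy["Version"] != VALID_VERSION:
        findings.append(f"Version must be {VALID_VERSION}, got {policy['Version']!r}")

    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["Statement must be a non-empty array"]

    bucket_arn = f"arn:aws:s3:::{bucket}"
    for index, stmt in enumerate(statements):
        where = f"Statement[{index}]"
        if stmt.get("Effect") not in VALID_EFFECTS:
            findings.append(f"{where}: Effect must be Allow or Deny")
        for first, second in EXCLUSIVE_PAIRS:
            present = [key for key in (first, second) if key in stmt]
            if len(present) != 1:
                findings.append(f"{where}: exactly one of {first}/{second} is required, "
                                f"found {present or 'none'}")
        # NOTICE in Table 1: every ARN must belong to the bucket given to s3cmd setpolicy.
        for arn in _as_list(stmt.get("Resource", stmt.get("NotResource", []))):
            if arn != bucket_arn and not arn.startswith(bucket_arn + "/"):
                findings.append(f"{where}: resource {arn!r} does not belong to bucket {bucket!r}")
        # Defender's check: anonymous access should normally be read-only (see Example 2).
        if _is_anonymous(stmt.get("Principal")) and stmt.get("Effect") == "Allow":
            actions = _as_list(stmt.get("Action", []))
            if any(not action.lower().startswith("s3:get") for action in actions):
                findings.append(f"{where}: WARNING: anonymous principal is allowed more than "
                                f"read access: {actions}")
    return findings


def validate_policy_file(path, bucket):
    """Same checks, reading the policy from the policy-file-name created in step 2."""
    with open(path, encoding="utf-8") as handle:
        return validate_policy(handle.read(), bucket)


# Constructed sample policies for a stand-alone run; SAMPLE_OK is Example 1 from this page.
SAMPLE_OK = json.dumps({
    "Version": "2008-10-17", "Id": "Policy1",
    "Statement": [{"Sid": "Stmt1", "Effect": "Allow",
                   "Principal": {"AWS": ["arn:aws:iam::783fc6652cf246c096ea836694f71855:root"]},
                   "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::examplebucket/*"]}]})
SAMPLE_BAD = json.dumps({
    "Version": "2008-10-17", "Id": "PolicyBad",
    "Statement": [{"Sid": "StmtBad", "Effect": "Allow", "Principal": "*",
                   "Action": ["s3:*"], "NotAction": ["s3:DeleteObject"],
                   "Resource": ["arn:aws:s3:::otherbucket/*"]}]})

if __name__ == "__main__":
    if len(sys.argv) == 3:
        findings = validate_policy_file(sys.argv[1], sys.argv[2])
    else:
        findings = validate_policy(SAMPLE_BAD, "examplebucket")
    print("\n".join(findings) or "policy passed all checks")
    sys.exit(1 if findings else 0)
```

Run it with the same file name and bucket you are about to pass to s3cmd setpolicy; a non-zero exit status means the policy should not be uploaded as written.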

Example

A bucket policy can define many access control rules. The following configuration examples show how to control access permissions on OBS by configuring bucket policies in different scenarios.

  1. Assigning specific users the permission to obtain objects in specific buckets

    In the following example, the account (whose Domain ID is 783fc6652cf246c096ea836694f71855) is assigned the permission to obtain all objects in bucket examplebucket.

    {
        "Version": "2008-10-17",
        "Id": "Policy1",
        "Statement": [
            {
                "Sid": "Stmt1",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::783fc6652cf246c096ea836694f71855:root"
                    ]
                },
                "Action": [
                    "s3:GetObject"
                ],
                "Resource": [
                    "arn:aws:s3:::examplebucket/*"
                ]
            }
        ]
    }
  2. Assigning the read-only permission to anonymous users

    The following example shows how to grant anonymous users the permission to obtain all objects in the bucket. This permission allows all users to read objects and is useful when you configure a bucket as a website and want everyone to be able to read the objects stored in the bucket.

    {
        "Version":"2008-10-17",
        "Id":"Policy2",
        "Statement":[
            {
                "Sid":"Stmt2", 
                "Effect":"Allow",
                "Principal": "*",
                "Action":["s3:GetObject"],
                "Resource":["arn:aws:s3:::examplebucket/*"]
            }
        ]
    }
  3. Configuring access permissions for specific website addresses

    By default, all OBS resources are private and can only be accessed by the accounts that created them. Suppose OBS serves as the storage resource pool of a website whose domain name is www.example.com, and resources such as videos and images are stored in bucket examplebucket. If you want to allow the objects in bucket examplebucket to be accessed from www.example.com, configure a bucket policy based on the following example:

    {
        "Version":"2008-10-17",
        "Id":"Policy3",
        "Statement":[
            {
                "Sid":"Stmt3",
                "Effect":"Allow",
                "Principal":{"AWS":["*"]},
                "Action":["s3:GetObject"],
                "Resource":["arn:aws:s3:::examplebucket/*"],
                "Condition":{"StringEquals":{"aws:Referer":["www.example.com"]}}
            }
        ]
    }
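To see how the three example policies above actually decide a request, the following evaluator is an added example, not OBS or s3cmd code. It assumes the usual S3 decision order (an explicit Deny wins, otherwise any matching Allow grants, otherwise the request is denied) and implements only the features the page's policies use: the Principal formats from Table 1, case-insensitive Action wildcards such as s3:Get*, Resource ARNs with a trailing *, and a StringEquals condition on aws:Referer. POLICY_1 to POLICY_3 are the page's examples; POLICY_DENY_WINS and the request values are constructed for this example.

```python
"""Evaluator for the bucket policies in the Example section (added example, not OBS code)."""
import fnmatch
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, request):
    """Match the Principal formats of Table 1; domain_id None means an anonymous request."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    entries = _as_list(principal.get("AWS", [])) + _as_list(principal.get("CanonicalUser", []))
    if "*" in entries:
        return True
    domain_id, user_id = request.get("domain_id"), request.get("user_id")
    if domain_id is None:
        return False
    identities = {domain_id, f"arn:aws:iam::{domain_id}:root"}
    if user_id is not None:
        identities.add(f"arn:aws:iam::{domain_id}:user/{user_id}")
    return any(entry in identities for entry in entries)


def _action_matches(patterns, action):
    """Action values are case-insensitive and may contain * (Table 1)."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, arn):
    """Object keys are case-sensitive, so resource ARNs are matched exactly."""
    return any(fnmatch.fnmatchcase(arn, p) for p in _as_list(patterns))


def _statement_matches(stmt, request):
    """True when principal, action, resource and every condition apply to the request."""
    if "Principal" in stmt and not _principal_matches(stmt["Principal"], request):
        return False
    if "NotPrincipal" in stmt and _principal_matches(stmt["NotPrincipal"], request):
        return False
    if "Action" in stmt and not _action_matches(stmt["Action"], request["action"]):
        return False
    if "NotAction" in stmt and _action_matches(stmt["NotAction"], request["action"]):
        return False
    if "Resource" in stmt and not _resource_matches(stmt["Resource"], request["resource"]):
        return False
    if "NotResource" in stmt and _resource_matches(stmt["NotResource"], request["resource"]):
        return False
    for operator, clauses in stmt.get("Condition", {}).items():
        if operator != "StringEquals":       # only the operator used on this page is covered
            raise NotImplementedError(f"condition operator {operator} not covered here")
        for key, allowed in clauses.items():
            if request.get("context", {}).get(key) not in _as_list(allowed):
                return False
    return True


def evaluate(policy_text, request):
    """Return 'Allow' or 'Deny' for one request under one bucket policy."""
    decision = "Deny"                        # default: nothing granted
    for stmt in json.loads(policy_text)["Statement"]:
        if _statement_matches(stmt, request):
            if stmt["Effect"] == "Deny":
                return "Deny"                # an explicit Deny wins over any Allow
            decision = "Allow"
    return decision


# The three policies from the Example section, as compact JSON.
POLICY_1 = '{"Version":"2008-10-17","Id":"Policy1","Statement":[{"Sid":"Stmt1","Effect":"Allow","Principal":{"AWS":["arn:aws:iam::783fc6652cf246c096ea836694f71855:root"]},"Action":["s3:GetObject"],"Resource":["arn:aws:s3:::examplebucket/*"]}]}'
POLICY_2 = '{"Version":"2008-10-17","Id":"Policy2","Statement":[{"Sid":"Stmt2","Effect":"Allow","Principal":"*","Action":["s3:GetObject"],"Resource":["arn:aws:s3:::examplebucket/*"]}]}'
POLICY_3 = '{"Version":"2008-10-17","Id":"Policy3","Statement":[{"Sid":"Stmt3","Effect":"Allow","Principal":{"AWS":["*"]},"Action":["s3:GetObject"],"Resource":["arn:aws:s3:::examplebucket/*"],"Condition":{"StringEquals":{"aws:Referer":["www.example.com"]}}}]}'
# Constructed policy (not on the page): a public read grant with one prefix carved out by Deny.
POLICY_DENY_WINS = '{"Version":"2008-10-17","Statement":[{"Effect":"Allow","Principal":"*","Action":["s3:Get*"],"Resource":["arn:aws:s3:::examplebucket/*"]},{"Effect":"Deny","Principal":"*","Action":["s3:GetObject"],"Resource":["arn:aws:s3:::examplebucket/private/*"]}]}'


def decide(policy_text, action, key, domain_id=None, referer=None):
    """Build a request for object `key` in examplebucket (constructed values) and evaluate it."""
    request = {"domain_id": domain_id, "action": action,
               "resource": f"arn:aws:s3:::examplebucket/{key}", "context": {}}
    if referer is not None:
        request["context"]["aws:Referer"] = referer
    return evaluate(policy_text, request)


if __name__ == "__main__":
    print(decide(POLICY_1, "s3:GetObject", "report.pdf", domain_id="783fc6652cf246c096ea836694f71855"))
    print(decide(POLICY_3, "s3:GetObject", "logo.png", referer="www.example.com"))
    print(decide(POLICY_3, "s3:GetObject", "logo.png"))
```

Two things the runs make visible: with POLICY_1 an anonymous caller or a different Domain ID is denied even for s3:GetObject, and with POLICY_3 the decision depends entirely on the aws:Referer value the client sends. Since the Referer header is supplied by the client, Example 3 keeps casual hot-linking from other sites out but does not authenticate the caller; treat it as a narrowing of public read access, not as an access control equivalent to Example 1.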

Follow-up Procedure

If you need to modify the bucket policy, edit the original bucket policy file or create a new one, and then run the bucket policy configuration command again. The bucket policy is updated with the new content.

You can delete an access policy of a bucket as follows if necessary:

  1. Open the command line tool.
  2. Run the following command to delete the bucket policy:

    s3cmd delpolicy s3://my-bucket

    If the following information is displayed in the command output, it indicates that this bucket policy is successfully deleted.

    s3://my-bucket/:Policy deleted

  3. (Optional) Run the following command to view bucket basic information and check the bucket policy configuration:

    s3cmd info s3://my-bucket