
Configuring a Bucket Policy

A bucket policy defines the access control policy for resources (buckets and objects) on OBS. With only a few clicks, you can apply one of the general policies to a bucket: private, public read, or public read and write. To grant specific permissions to specific users, configure advanced settings. If a general policy conflicts with a policy configured in advanced settings, the advanced policy prevails.

Procedure

  1. In the bucket list on the OBS Console, click the target bucket to go to the Summary page.
  2. In the navigation tree on the left, click Permissions to go to the permission management page.
  3. Click Bucket Policy. Figure 1 displays the Bucket Policy page.

    Figure 1 Bucket Policy

  4. Click a policy card to configure any of the following general policies:

    • Private: Only the bucket owner can read, write, and delete objects in the bucket.

      This policy is the default bucket policy.

    • Public Read: Any user can read objects in the bucket. Only the bucket owner can write and delete objects in the bucket.
    • Public Read and Write: Any user can read, write, and delete objects in the bucket.

    To switch to another general policy, click the desired policy card, and click OK in the dialog box that is displayed.

    NOTE:
    • You can configure one general policy at a time.
    • For your data security, do not select Public Read or Public Read and Write unless the bucket is meant to be reachable by any user: Public Read lets any user read every object in the bucket, and Public Read and Write additionally lets any user write and delete objects.

  5. Click Advanced Settings to configure a custom bucket policy.
  6. Click Add Bucket Policy and set the parameters shown in Figure 2 according to your needs.

    Figure 2 Adding a bucket policy

    Table 1 describes each field.
    Table 1 Parameters in bucket policies

    Effect
      Value: Allow or Deny
      Description: Effect of the statement.
      • Allow: The users the statement matches are permitted to perform the matched actions on the matched resources.
      • Deny: The users the statement matches are refused the matched actions on the matched resources.

    Principal
      Value: Include or Exclude, plus the list of users. Input format:
        Authorizing an account: enter the account ID.
        Authorizing a user: enter account ID:user/user ID.
      Description: Users on whom this bucket policy takes effect. Both cloud service users (users registered directly with the public cloud system) and federated users (users authenticated through federated access to the public cloud system) can be specified.
      • Include: The statement takes effect for the listed users.
      • Exclude: The statement takes effect for every user except the listed ones. Check Allow statements that use Exclude carefully, because they grant access to everyone who is not on the list.

    Resource
      Value: Include or Exclude, plus the list of resources. Input format:
        Object: object name
        Object set: object name prefix*, *object name suffix, or *
        Blank: the entire bucket
      Description: Resources that the statement applies to.
      • Include: The statement takes effect on the listed resources.
      • Exclude: The statement takes effect on every resource except the listed ones.
      The resource type determines which actions can be configured:
      • Object or object set: only object-related actions can be configured.
      • Bucket (blank): only bucket-related actions can be configured.

    Action
      Value: Include or Exclude, plus the list of operations.
      Description: Operations that the statement applies to.
      • Include: The statement takes effect for the listed operations.
      • Exclude: The statement takes effect for every operation except the listed ones.

    Condition
      Description: Conditions that must hold for the statement to take effect.
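    The following Python script is an added illustration of how the fields in Table 1 combine; it is not OBS code and does not use the OBS policy JSON format. It models Effect, Principal, Resource and Action with their Include/Exclude switches, enforces the rule that object actions go with object resources and bucket actions with the bucket, and evaluates constructed requests against a constructed policy. The action names, the account and user IDs, the rule that an account-ID principal covers every user of that account, and the rule that an applicable Deny overrides any Allow are assumptions made for the example.

```python
"""Evaluator for the bucket-policy fields in Table 1 (added illustration,
not the OBS policy engine or its policy JSON). Action names, IDs, the
account-covers-its-users rule and deny-overrides-allow are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed action names, split by the resource type they may be used with.
OBJECT_ACTIONS = {"GetObject", "PutObject", "DeleteObject"}
BUCKET_ACTIONS = {"ListBucket", "DeleteBucket", "GetBucketPolicy"}

@dataclass
class Match:
    values: List[str]        # the field's entries
    mode: str = "Include"    # Include: apply when one matched; Exclude: when none did

    def applies(self, hit: bool) -> bool:
        return hit if self.mode == "Include" else not hit

@dataclass
class Statement:
    effect: str       # "Allow" or "Deny"
    principal: Match  # "<account ID>" or "<account ID>:user/<user ID>"
    resource: Match   # "name", "prefix*", "*suffix", "*", or "" for the bucket
    action: Match

    def __post_init__(self) -> None:
        if self.effect not in ("Allow", "Deny"):
            raise ValueError(f"Effect must be Allow or Deny, got {self.effect!r}")
        if not self.resource.values:      # blank resource means the whole bucket
            self.resource.values = [""]
        # Rule from Table 1: the resource type decides which actions are legal.
        legal = BUCKET_ACTIONS if "" in self.resource.values else OBJECT_ACTIONS
        bad = set(self.action.values) - legal
        if bad:
            raise ValueError(f"actions {sorted(bad)} do not fit this resource type")

def principal_matches(entry: str, requester: str) -> bool:
    """Bare account ID: any user of that account; account:user/id: that user only."""
    if ":user/" in entry:
        return entry == requester
    return requester.split(":user/", 1)[0] == entry

def resource_matches(pattern: str, key: Optional[str]) -> bool:
    """Only the forms Table 1 lists; key is None for a request aimed at the bucket."""
    if pattern == "" or key is None:
        return pattern == "" and key is None
    if pattern.endswith("*"):           # "*" or object name prefix*
        return key.startswith(pattern[:-1])
    if pattern.startswith("*"):         # *object name suffix
        return key.endswith(pattern[1:])
    return key == pattern               # exact object name

def statement_applies(st: Statement, requester: str, action: str, key: Optional[str]) -> bool:
    p = st.principal.applies(any(principal_matches(v, requester) for v in st.principal.values))
    r = st.resource.applies(any(resource_matches(v, key) for v in st.resource.values))
    return p and r and st.action.applies(action in st.action.values)

def evaluate(policy: List[Statement], requester: str, action: str,
             key: Optional[str] = None) -> str:
    """Any applicable Deny wins; else an applicable Allow; else Deny (assumed default)."""
    if (key is None) != (action in BUCKET_ACTIONS):
        raise ValueError("bucket actions take no object key; object actions need one")
    decision = "Deny"
    for st in policy:
        if statement_applies(st, requester, action, key):
            if st.effect == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

# Constructed identifiers and policy for the demonstration.
ACCOUNT = "0a1b2c3d4e5f"
ADMIN = f"{ACCOUNT}:user/admin"
BOB = f"{ACCOUNT}:user/bob"
EVE = "ffffffffffff:user/eve"       # a user of a different account
EXAMPLE_POLICY = [
    # Every user of the account may read any object ...
    Statement("Allow", Match([ACCOUNT]), Match(["*"]), Match(["GetObject"])),
    # ... but everyone except admin is denied under private/ (Exclude on Principal).
    Statement("Deny", Match([ADMIN], "Exclude"), Match(["private/*"]),
              Match(["GetObject", "DeleteObject"])),
    # Only admin may list the bucket (blank resource = the bucket itself).
    Statement("Allow", Match([ADMIN]), Match([""]), Match(["ListBucket"])),
]

def demo() -> dict:
    """Decisions for a few constructed requests against EXAMPLE_POLICY."""
    return {
        "bob reads docs/a.txt": evaluate(EXAMPLE_POLICY, BOB, "GetObject", "docs/a.txt"),
        "bob reads private/k": evaluate(EXAMPLE_POLICY, BOB, "GetObject", "private/k"),
        "admin reads private/k": evaluate(EXAMPLE_POLICY, ADMIN, "GetObject", "private/k"),
        "bob lists bucket": evaluate(EXAMPLE_POLICY, BOB, "ListBucket"),
        "admin lists bucket": evaluate(EXAMPLE_POLICY, ADMIN, "ListBucket"),
        "eve reads docs/a.txt": evaluate(EXAMPLE_POLICY, EVE, "GetObject", "docs/a.txt"),
    }

if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request:24} -> {decision}")
```

    Running the script prints the decision for each constructed request. The second statement shows the safe way to use Exclude on Principal: a Deny that applies to everyone except a named user. The same Exclude on an Allow statement would grant the action to every identity not on the list, which is why such statements deserve a second look before you click OK.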