Configuring a Bucket Policy

A bucket policy defines the access control rules for resources (buckets and objects) in OBS. Each statement in the policy either allows or denies a set of operations for a set of users on a set of resources, optionally under conditions such as source IP address or request time. When a request matches both a Deny statement and an Allow statement, the Deny takes precedence.

Procedure

  1. Log in to OBS Browser.
  2. Click the blank area in the row of the bucket for which you want to configure a bucket policy and choose More > Configure Bucket Policy.
  3. In the Configure Bucket Policy dialog box, enter a bucket policy. The following are two examples of bucket policy configurations.

    1. Grant a permission to an OBS account. In the following example, the account (whose Account ID is 783fc6652cf246c096ea836694f71855) is granted permission to read the logging configuration (GetBucketLogging) of bucket logging.bucket3.

      {
        "Id": "Policy1375342051334",
        "Statement": [
          {
            "Sid": "Stmt1375240018061",
            "Action": [
              "s3:GetBucketLogging"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::logging.bucket3",
            "Principal": {
              "AWS": [
                "arn:aws:iam::783fc6652cf246c096ea836694f71855:root"
              ]
            }
          }
        ]
      }

      Table 1 describes the parameters in this example that you need to modify:
      Table 1 Parameters to be modified

      Parameter: GetBucketLogging
      Description: Value of the Action field, that is, the OBS operation on the bucket that the statement covers. Action values name operations supported by OBS, are case-insensitive, and may use the wildcard character (*) to match all operations.

      Parameter: Allow
      Description: Value of the Effect field, that is, whether the statement allows or denies the requests it matches. The value must be Allow or Deny.

      Parameter: logging.bucket3
      Description: Target bucket on which the policy takes effect. Replace it with the actual bucket name.

      Parameter: 783fc6652cf246c096ea836694f71855
      Description: Account ID of the account being granted access. Replace it with the actual Account ID, which is shown in the Basic dialog box of the target bucket in OBS Browser.

    2. Grant a permission to an OBS user. In the following example, the user (whose User ID is 71f3901173514e6988115ea2c26d1999) of the account (whose Account ID is 219d520ceac84c5a98b237431a2cf4c2) is granted permission to configure logging (PutBucketLogging) for bucket logging.bucket3.

      {
        "Id": "Policy1375342051335",
        "Statement": [
          {
            "Sid": "Stmt1375240018062",
            "Action": [
              "s3:PutBucketLogging"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::logging.bucket3",
            "Principal": {
              "AWS": [
                "arn:aws:iam::219d520ceac84c5a98b237431a2cf4c2:user/71f3901173514e6988115ea2c26d1999"
              ]
            }
          }
        ]
      }

      Table 2 describes the parameters in this example that you need to modify:
      Table 2 Parameters to be modified

      Parameter: PutBucketLogging
      Description: Value of the Action field, that is, the OBS operation on the bucket that the statement covers. Action values name operations supported by OBS, are case-insensitive, and may use the wildcard character (*) to match all operations.

      Parameter: Allow
      Description: Value of the Effect field, that is, whether the statement allows or denies the requests it matches. The value must be Allow or Deny.

      Parameter: logging.bucket3
      Description: Target bucket on which the policy takes effect. Replace it with the actual bucket name.

      Parameter: 219d520ceac84c5a98b237431a2cf4c2
      Description: Account ID of the account that the user belongs to. Replace it with the actual Account ID, which is shown in the Basic dialog box of the target bucket in OBS Browser.

      Parameter: 71f3901173514e6988115ea2c26d1999
      Description: User ID of the user being granted access. Replace it with the actual User ID. To find it, click the username in the upper right corner of the OBS Console page, click My Credential, and read the User ID on the My Credential page.

    Table 3 describes the parameters of a bucket policy. Statement, Effect, and one field from each of the pairs Principal/NotPrincipal, Action/NotAction, and Resource/NotResource are mandatory; Version, Id, Sid, and Condition are optional.

    Table 3 Parameters in bucket policies

    Parameter: Version
    Description: Policy language version. The value can be 2008-10-17 or 2012-10-17.
    Mandatory: No

    Parameter: Id
    Description: The ID of the bucket policy. The value must be unique.
    Mandatory: No

    Parameter: Statement
    Description: The statements of the bucket policy. Each statement is one complete permission rule; a policy can contain multiple statements, and each statement is built from the following parameters:

    • Sid
    • Effect
    • Principal
    • NotPrincipal
    • Action
    • NotAction
    • Resource
    • NotResource
    • Condition

    Mandatory: Yes

    Parameter: Effect
    Description: Whether the statement allows or denies the requests it matches. Possible values are Allow and Deny. When a request matches both a Deny statement and an Allow statement, the Deny takes precedence.
    Mandatory: Yes

    Parameter: Sid
    Description: The statement ID.
    Mandatory: No

    Parameter: Principal/NotPrincipal
    Description: The users the statement applies to. Exactly one of Principal (the statement applies to the listed users) or NotPrincipal (the statement applies to every user except those listed) must be specified. A wildcard character (*) matches all users, including anonymous requesters.
    Mandatory: Yes (one of the two)

    Parameter: Action/NotAction
    Description: The OBS operations the statement applies to. Exactly one of Action (the listed operations) or NotAction (all operations except those listed) must be specified.
    Mandatory: Yes (one of the two)

    Parameter: Resource/NotResource
    Description: The buckets or objects the statement applies to. Exactly one of Resource (the listed resources) or NotResource (all resources except those listed) must be specified.
    Mandatory: Yes (one of the two)

    Parameter: Condition
    Description: Conditions that must all hold for the statement to take effect, for example the request's source IP address, Referer header, time, or object key prefix.
    Mandatory: No
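    Before pasting a policy into the Configure Bucket Policy dialog box, it is worth checking it against the rules in Table 3 offline. The following Python script is an added example and is not OBS Browser code: it checks the Version value, the presence and shape of Statement, the Effect value, and the rule that exactly one of each Principal/NotPrincipal, Action/NotAction and Resource/NotResource pair is present. It also flags the one policy shape that most often causes data exposure, an Allow to all principals for all actions with no Condition. The two sample policies are constructed for this example; GOOD is the page's first example, BAD collects the mistakes the checker is meant to catch.

```python
"""Structural check of an OBS bucket policy against the field rules in Table 3.

Added example, not OBS Browser code. It only knows the fields listed on this
page (Version, Id, Statement, Sid, Effect, Principal/NotPrincipal,
Action/NotAction, Resource/NotResource, Condition).
"""

VERSIONS = {"2008-10-17", "2012-10-17"}
EXCLUSIVE_PAIRS = (("Principal", "NotPrincipal"),
                   ("Action", "NotAction"),
                   ("Resource", "NotResource"))

def _values(spec):
    """Flatten a Principal/Action/Resource value to a list of strings.
    Principal is {"AWS": [...]} or {"CanonicalUser": [...]}; the others are
    a single string or a list of strings."""
    if isinstance(spec, dict):
        spec = [v for vals in spec.values() for v in _values(vals)]
    return spec if isinstance(spec, list) else [spec]

def _is_world_open(st):
    """Allow, every principal, every action, no Condition: public access."""
    return (st.get("Effect") == "Allow"
            and "*" in _values(st.get("Principal", {}))
            and any(a.lower() in ("*", "s3:*") for a in _values(st.get("Action", [])))
            and not st.get("Condition"))

def validate_policy(policy):
    """Return a list of problems; an empty list means the policy passes.
    The last check is a security lint rather than a syntax rule."""
    problems = []
    if "Version" in policy and policy["Version"] not in VERSIONS:
        problems.append("Version must be 2008-10-17 or 2012-10-17")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement is mandatory and must be a non-empty list"]
    for i, st in enumerate(statements):
        where = f"Statement[{i}]"
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be Allow or Deny")
        for pos, neg in EXCLUSIVE_PAIRS:
            present = [k for k in (pos, neg) if k in st]
            if len(present) != 1:
                problems.append(f"{where}: exactly one of {pos}/{neg} is required")
        if _is_world_open(st):
            problems.append(f"{where}: Allow to all principals for all actions "
                            "with no Condition makes the resource public")
    return problems

# Constructed sample policies. GOOD is the page's first example; BAD collects
# the mistakes the checker is meant to catch.
GOOD = {
    "Id": "Policy1375342051334",
    "Statement": [{
        "Sid": "Stmt1375240018061",
        "Action": ["s3:GetBucketLogging"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::logging.bucket3",
        "Principal": {"AWS": ["arn:aws:iam::783fc6652cf246c096ea836694f71855:root"]},
    }],
}

BAD = {
    "Version": "2010-01-01",
    "Statement": [
        {   # no Effect, and both Principal and NotPrincipal given
            "Sid": "broken",
            "Principal": {"AWS": ["*"]},
            "NotPrincipal": {"AWS": ["arn:aws:iam::783fc6652cf246c096ea836694f71855:root"]},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::mybucket/*",
        },
        {   # syntactically fine, but grants every caller every operation
            "Sid": "public",
            "Effect": "Allow",
            "Principal": {"CanonicalUser": ["*"]},
            "Action": ["s3:*"],
            "Resource": ["arn:aws:s3:::mybucket/*"],
        },
    ],
}

if __name__ == "__main__":
    for name, policy in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate_policy(policy) or "OK")
```

    Run the script directly to see GOOD pass and BAD report four problems, or call validate_policy() on a policy loaded with json.load() before pasting it into OBS Browser. The public-access lint is deliberately narrow: it fires only on the unconditional wildcard grant, so a wildcard principal that is fenced by a Condition (as in the IP-range and time-window examples below) passes and has to be reviewed by hand.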

Example

  1. Assigning specific users the permission to obtain objects in specific buckets

    In the following example, the user (whose User ID is ac49fefeb80247799fbaf43249eb73ed) of the account (whose Account ID is 783fc6652cf246c096ea836694f71855) is granted permission to read (GetObject) all objects in bucket mybucket.

    Table 4 describes the parameters in this example that you need to modify:
    Table 4 Parameters to be modified

    Parameter: Allow
    Description: Value of the Effect field, that is, whether the statement allows or denies the requests it matches. The value must be Allow or Deny.

    Parameter: 783fc6652cf246c096ea836694f71855
    Description: Account ID of the account that the user belongs to. Replace it with the actual Account ID. To find it, click the username in the upper right corner of the OBS Console page, click My Credential, and read the Account ID on the My Credential page.

    Parameter: ac49fefeb80247799fbaf43249eb73ed
    Description: User ID of the user being granted access. Replace it with the actual User ID, shown on the same My Credential page.

    Parameter: GetObject
    Description: Value of the Action field, that is, the OBS operation that the statement covers. Action values name operations supported by OBS, are case-insensitive, and may use the wildcard character (*), for example "Action":["s3:List*", "s3:Get*"]. Grant only the operations actually needed.

    Parameter: mybucket/*
    Description: Target objects on which the policy takes effect. Replace it with the actual bucket name; the wildcard character (*) after the slash matches all objects in bucket mybucket.

    {
      "Version": "2008-10-17",
      "Id": "aaaa-bbbb-cccc-dddd",
      "Statement": [
        {
          "Effect": "Allow",
          "Sid": "1",
          "Principal": {
            "AWS": ["arn:aws:iam::783fc6652cf246c096ea836694f71855:user/ac49fefeb80247799fbaf43249eb73ed"]
          },
          "Action": ["s3:GetObject"],
          "Resource": "arn:aws:s3:::mybucket/*"
        }
      ]
    }

  2. Denying access to a bucket based on the Referer header

    In the following example, every user is denied all operations on objects in bucket mybucket when the request's HTTP Referer header equals www.example.com. Because this statement uses Deny, it overrides any Allow that would otherwise apply to the same request.

    Table 5 describes the parameters in this example that you need to modify:
    Table 5 Parameters to be modified

    Parameter: Deny
    Description: Value of the Effect field, that is, whether the statement allows or denies the requests it matches. The value must be Allow or Deny.

    Parameter: Wildcard character (*) in Principal
    Description: The users the statement applies to. The wildcard character (*) matches all users, including anonymous requesters.

    Parameter: Wildcard character (*) in Action
    Description: The OBS operations the statement applies to. The wildcard character (*) matches all OBS operations, such as GetObject and PutObject.

    Parameter: mybucket/*
    Description: Target objects on which the policy takes effect. Replace it with the actual bucket name; the wildcard character (*) after the slash matches all objects in bucket mybucket.

    Parameter: www.example.com
    Description: Value compared with the request's HTTP Referer header (condition key aws:Referer); requests carrying this Referer are denied. The Referer header is set by the client and can be changed or omitted freely, so this condition only steers well-behaved browsers and must not be relied on as an access control.

    {
      "Version": "2008-10-17",
      "Statement": [
        {
          "Sid": "1",
          "Effect": "Deny",
          "Principal": {"CanonicalUser": ["*"]},
          "Action": ["s3:*"],
          "Resource": ["arn:aws:s3:::mybucket/*"],
          "Condition": {"StringEquals": {"aws:Referer": ["www.example.com"]}}
        }
      ]
    }

  3. Listing objects in a bucket with conditions

    In the following example, account 219d520ceac84c5a98b237431a2cf4c2 is allowed to list bucket mybucket only when the list request's prefix parameter is exactly Obj, that is, it may list objects whose keys begin with Obj. A list request without that prefix does not match the condition and is not granted by this statement.

    Table 6 describes the parameters in this example that you need to modify:
    Table 6 Parameters to be modified

    Parameter: Allow
    Description: Value of the Effect field, that is, whether the statement allows or denies the requests it matches. The value must be Allow or Deny.

    Parameter: 219d520ceac84c5a98b237431a2cf4c2
    Description: Account ID of the account being granted access. Replace it with the actual Account ID. To find it, click the username in the upper right corner of the OBS Console page, click My Credential, and read the Account ID on the My Credential page.

    Parameter: ListBucket
    Description: Value of the Action field, that is, the OBS operation that the statement covers. Action values name operations supported by OBS, are case-insensitive, and may use the wildcard character (*), for example "Action":["s3:List*", "s3:Get*"]. Grant only the operations actually needed.

    Parameter: mybucket
    Description: Target bucket on which the policy takes effect. Replace it with the actual bucket name. ListBucket is a bucket-level operation, so the resource is the bucket itself, without /*.

    Parameter: Obj
    Description: Object key prefix that the list request must specify (condition key s3:prefix). Replace it with the actual prefix.

    {
      "Version": "2008-10-17",
      "Id": "aaaa-bbbb-cccc-dddd",
      "Statement": [
        {
          "Effect": "Allow",
          "Sid": "1",
          "Principal": {"AWS": ["arn:aws:iam::219d520ceac84c5a98b237431a2cf4c2:root"]},
          "Action": ["s3:ListBucket"],
          "Resource": "arn:aws:s3:::mybucket",
          "Condition": {"StringEquals": {"s3:prefix": "Obj"}}
        }
      ]
    }

  4. Limiting the start time and end time of accessing objects in a bucket

    In the following example, all users, including anonymous requesters, are allowed to perform any operation on all objects in bucket mybucket, but only between the start time and the end time given in the two conditions. Both conditions must hold, so requests outside the window are not granted by this statement.

    Table 7 describes the parameters in this example that you need to modify:
    Table 7 Parameters to be modified

    Parameter: Allow
    Description: Value of the Effect field, that is, whether the statement allows or denies the requests it matches. The value must be Allow or Deny.

    Parameter: Wildcard character (*) in Principal
    Description: The users the statement applies to. The wildcard character (*) matches all users, including anonymous requesters.

    Parameter: Wildcard character (*) in Action
    Description: The OBS operations the statement applies to. The wildcard character (*) matches all OBS operations, such as GetObject and PutObject. Combined with a wildcard principal this grants every caller write and delete access as well as read access, so narrow it to the operations actually needed.

    Parameter: mybucket/*
    Description: Target objects on which the policy takes effect. Replace it with the actual bucket name; the wildcard character (*) after the slash matches all objects in bucket mybucket.

    Parameter: 2015-09-10T12:00:00Z
    Description: Start of the access window (condition key aws:CurrentTime with DateGreaterThan), in UTC, ISO 8601 format.

    Parameter: 2015-09-10T15:00:00Z
    Description: End of the access window (condition key aws:CurrentTime with DateLessThan), in UTC, ISO 8601 format.

    {
      "Version": "2008-10-17",
      "Statement": [
        {
          "Sid": "1",
          "Effect": "Allow",
          "Principal": {"CanonicalUser": ["*"]},
          "Action": ["s3:*"],
          "Resource": ["arn:aws:s3:::mybucket/*"],
          "Condition": {
            "DateGreaterThan": {"aws:CurrentTime": "2015-09-10T12:00:00Z"},
            "DateLessThan": {"aws:CurrentTime": "2015-09-10T15:00:00Z"}
          }
        }
      ]
    }

  5. Limiting access to OBS from specific IP addresses

    The following policy grants all users, including anonymous requesters, permission to perform any OBS operation on objects in bucket examplebucket, but only when the request comes from the allowed IP address range (192.168.1.0/24) and not from the excluded address (192.168.0.25/32). The condition key aws:SourceIp is matched against the source IP address of the connection as seen by OBS, not against any proxy-supplied address, so requests relayed through a proxy or NAT carry the relay's address. The two conditions are combined with AND. Note that in this example the excluded address lies outside the allowed range and therefore changes nothing; to carve a single host out of the allowed range, use an address inside it.

    Table 8 describes the parameters in this example that you need to modify:
    Table 8 Parameters to be modified

    Parameter: Allow
    Description: Value of the Effect field, that is, whether the statement allows or denies the requests it matches. The value must be Allow or Deny.

    Parameter: Wildcard character (*) in Principal
    Description: The users the statement applies to. The wildcard character (*) matches all users, including anonymous requesters, so the source IP range is the only thing gating access here.

    Parameter: Wildcard character (*) in Action
    Description: The OBS operations the statement applies to. The wildcard character (*) matches all OBS operations, such as GetObject and PutObject.

    Parameter: examplebucket/*
    Description: Target objects on which the policy takes effect. Replace it with the actual bucket name; the wildcard character (*) after the slash matches all objects in bucket examplebucket.

    Parameter: 192.168.0.25/32
    Description: IP address range (NotIpAddress condition) from which access is refused. Replace it with the actual address or CIDR range. It is matched against the request's source IP address, not a proxy-supplied address.

    Parameter: 192.168.1.0/24
    Description: IP address range (IpAddress condition) from which access is allowed. Replace it with the actual CIDR range. It is matched against the request's source IP address, not a proxy-supplied address.

    {
      "Version": "2008-10-17",
      "Id": "01",
      "Statement": [
        {
          "Sid": "1",
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "*"
            ]
          },
          "Action": [
            "s3:*"
          ],
          "Resource": [
            "arn:aws:s3:::examplebucket/*"
          ],
          "Condition": {
            "NotIpAddress": {
              "aws:SourceIp": [
                "192.168.0.25/32"
              ]
            },
            "IpAddress": {
              "aws:SourceIp": [
                "192.168.1.0/24"
              ]
            }
          }
        }
      ]
    }
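    The five examples above all rely on the same evaluation rules: a statement applies only when the principal, the action, the resource and every condition match, an explicit Deny overrides any Allow, and a request matched by no Allow statement is refused. The following Python script is an added example, not OBS Browser code and not the service's own evaluator: it implements those rules for the condition operators used on this page (StringEquals, IpAddress, NotIpAddress, DateGreaterThan, DateLessThan) and runs a constructed policy that merges the IP-range Allow (Example 5) with the Referer Deny (Example 2) against constructed anonymous GetObject requests. The excluded host is deliberately moved inside the allowed range (192.168.1.25/32 instead of 192.168.0.25/32) so that the NotIpAddress condition has a visible effect. The request context keys, the positive-only handling of Principal/Action/Resource, and the rule that a condition key missing from the request never satisfies an operator are simplifications chosen for this example.

```python
"""Offline evaluator for OBS/S3-style bucket policies (added example, not OBS code)."""
import fnmatch
import ipaddress
from datetime import datetime

# Constructed policy merging the page's IP-range Allow (Example 5) with its
# Referer Deny (Example 2). The excluded host is moved inside the allowed
# range so that the NotIpAddress condition actually carves something out.
POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {"Sid": "allow-from-office", "Effect": "Allow",
         "Principal": {"AWS": ["*"]}, "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::examplebucket/*"],
         "Condition": {"IpAddress": {"aws:SourceIp": ["192.168.1.0/24"]},
                       "NotIpAddress": {"aws:SourceIp": ["192.168.1.25/32"]}}},
        {"Sid": "deny-referer", "Effect": "Deny",
         "Principal": {"CanonicalUser": ["*"]}, "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::examplebucket/*"],
         "Condition": {"StringEquals": {"aws:Referer": ["www.example.com"]}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(patterns, value, fold=False):
    """'*' wildcard match. Actions are case-insensitive, resources are not."""
    patterns = _as_list(patterns)
    if fold:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _principal_matches(spec, principal):
    """spec is {"AWS": [...]} or {"CanonicalUser": [...]}. A "*" entry matches
    every caller, including anonymous requests (principal is None)."""
    ids = [p for v in spec.values() for p in _as_list(v)]
    return "*" in ids or principal in ids

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def _condition_holds(condition, ctx):
    """Every operator and key must hold (AND). A key absent from the request
    never satisfies an operator, so the statement simply does not apply."""
    for op, keys in condition.items():
        for key, expected in keys.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            expected = _as_list(expected)
            if op == "StringEquals":
                ok = actual in expected
            elif op in ("IpAddress", "NotIpAddress"):
                ip = ipaddress.ip_address(actual)
                ok = any(ip in ipaddress.ip_network(n, strict=False) for n in expected)
                ok = ok if op == "IpAddress" else not ok
            elif op == "DateGreaterThan":
                ok = _ts(actual) > _ts(expected[0])
            elif op == "DateLessThan":
                ok = _ts(actual) < _ts(expected[0])
            else:
                raise ValueError(f"unsupported condition operator: {op}")
            if not ok:
                return False
    return True

def evaluate(policy, request):
    """Return "Allow" or "Deny". Handles the positive Principal/Action/Resource
    forms only. An explicit Deny wins over any Allow; no matching Allow means Deny."""
    allowed = False
    for st in policy["Statement"]:
        if not _principal_matches(st["Principal"], request.get("principal")):
            continue
        if not _glob(st["Action"], request["action"], fold=True):
            continue
        if not _glob(st["Resource"], request["resource"]):
            continue
        if not _condition_holds(st.get("Condition", {}), request.get("context", {})):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"

def demo():
    """Anonymous GetObject requests (constructed) evaluated against POLICY."""
    base = {"principal": None, "action": "s3:GetObject",
            "resource": "arn:aws:s3:::examplebucket/report.pdf"}
    cases = {
        "inside_range": {"aws:SourceIp": "192.168.1.10"},
        "excluded_host": {"aws:SourceIp": "192.168.1.25"},
        "outside_range": {"aws:SourceIp": "10.0.0.5"},
        "referer_matches": {"aws:SourceIp": "192.168.1.10",
                            "aws:Referer": "www.example.com"},
    }
    return {name: evaluate(POLICY, {**base, "context": ctx})
            for name, ctx in cases.items()}
```

    Calling demo() returns Allow only for inside_range: the excluded host fails the NotIpAddress half of the AND, the outside address fails IpAddress, and the request with the matching Referer is matched by the Deny statement even though the Allow statement also matches it. The same evaluate() function can be pointed at the time-window and prefix policies from Examples 3 and 4 by supplying aws:CurrentTime or s3:prefix in the request context.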