Bucket Policy Overview

Besides the bucket ACL, a bucket owner can edit a bucket policy to control access permissions on the bucket. A single bucket policy can set permissions for any number of objects in the bucket. Once a bucket policy is created, access requests to the bucket are evaluated against it, and each request is either allowed or denied. Compared with bucket ACLs, bucket policies provide fine-grained permission control and centralized access control for buckets and objects based on the following parameters:

  • Effect: Specifies whether the bucket policy allows or denies the requests it matches. For details, see Bucket Policy Effect.
  • Principal: Specifies the users to which the bucket policy applies. For details, see Bucket Policy Principal.
  • Resource: Specifies the bucket and objects to which the bucket policy applies. For details, see Bucket Policy Resource.
  • Action: Specifies the operations that the bucket policy applies to. Buckets and objects support separate groups of operations. For details, see Bucket Policy Action.
  • Condition: Specifies the conditions under which the bucket policy takes effect. For details, see Bucket Policy Condition.

Bucket policies have general settings and advanced settings. They can implement different rules based on the preceding parameters.

Bucket Policies with General Settings

With general settings, you have the following three options of bucket policies:

  • Private: Only the bucket owner has the full control over the bucket. Unauthorized users do not have any permission to access the bucket.
  • Public Read: Any user can read objects in the bucket. Only the bucket owner can write objects in the bucket.
  • Public Read and Write: Any user can read, write, and delete objects in the bucket.

Table 1 lists parameters involved in the general settings.

Table 1 Parameter description

  Parameter | Private | Public Read                                   | Public Read and Write
  ----------|---------|-----------------------------------------------|-------------------------------------------------------------------
  Effect    | None    | Allow                                         | Allow
  Principal | None    | * (Any user)                                  | * (Any user)
  Resource  | None    | * (All objects in the bucket)                 | * (All objects in the bucket)
  Action    | None    | GetObject, GetObjectVersion                   | GetObject, GetObjectVersion, PutObject, DeleteObject, DeleteObjectVersion
  Condition | None    | None                                          | None

Actions listed in Table 1:

  • GetObject: Obtains object content and metadata.
  • GetObjectVersion: Obtains the content and metadata of specified object versions.
  • PutObject: Uploads objects.
  • DeleteObject: Deletes objects.
  • DeleteObjectVersion: Deletes specified object versions.

NOTE:
  • If you select the Private policy, only the bucket owner has the full control permissions for the bucket.
  • To ensure data security, it is recommended that you do not use the Public Read or Public Read and Write policies.

Advanced Settings

You can define the specific operation permissions that you want to grant to users and accounts by configuring the parameters of Effect, Principal, Resource, Action, and Condition.

Determination When Bucket Policies Conflict

If two bucket policies conflict, the one whose Effect is set to Deny prevails.

With advanced settings, a bucket policy provides fine-grained permission control and can either deny or allow access requests. The general settings, however, are designed only for scenarios in which access requests are allowed. Therefore, if the advanced settings and the general settings conflict, the advanced settings prevail.

In the following example, the Public Read policy is selected in General Settings, and the Customized policy mode is used in Advanced Settings to deny account B (a cloud service account) permission to obtain object lists. The example illustrates the determination logic between the general settings and the advanced settings of a bucket.

When account B requests the object list of bucket example, the determination logic is as follows:

Although the general settings are set to Public Read, account B is denied the object list, because account B's permission to obtain the object list is explicitly denied in the advanced settings.
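The determination logic described above, as an added example that is not part of the OBS documentation: a minimal evaluator over the five policy parameters in which an explicit Deny prevails over any Allow, and a request that matches no Allow is denied. The statement layout, the principal label "account-B" and the action name ListBucket are constructed for illustration, not the OBS JSON policy format.

```python
# Added example (not OBS code): evaluator for bucket policy determination.
# A statement carries the page's five parameters; Deny always prevails.
from dataclasses import dataclass, field

BUCKET = "example"  # bucket name used in the page's example


@dataclass
class Statement:
    effect: str                 # "Allow" or "Deny"
    principal: set              # {"*"} for any user, or a set of account labels
    resource: set               # {"example"} (bucket) or {"example/*"} (all objects)
    action: set                 # e.g. {"GetObject"}, {"ListBucket"} (constructed names)
    condition: dict = field(default_factory=dict)  # context key -> required value


def _matches_resource(pattern: str, resource: str) -> bool:
    # "bucket/*" covers every object in the bucket; anything else is an exact match
    if pattern.endswith("/*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def _applies(st: Statement, principal: str, action: str, resource: str, ctx: dict) -> bool:
    if "*" not in st.principal and principal not in st.principal:
        return False
    if action not in st.action:
        return False
    if not any(_matches_resource(p, resource) for p in st.resource):
        return False
    # every Condition key must be present in the request context with the required value
    return all(ctx.get(k) == v for k, v in st.condition.items())


def evaluate(statements, principal, action, resource, ctx=None) -> str:
    """Return "Deny" if any matching statement denies (Deny prevails),
    "Allow" if a matching statement allows, otherwise "Deny" (no grant)."""
    ctx = ctx or {}
    effects = [s.effect for s in statements if _applies(s, principal, action, resource, ctx)]
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"


# Constructed policy for the scenario above: general setting Public Read
# (any user may read all objects) plus a customized Deny for account B.
PUBLIC_READ = Statement("Allow", {"*"}, {f"{BUCKET}/*"}, {"GetObject", "GetObjectVersion"})
DENY_B_LIST = Statement("Deny", {"account-B"}, {BUCKET}, {"ListBucket"})
POLICY = [PUBLIC_READ, DENY_B_LIST]
```

Adding a conflicting Allow for account B on ListBucket does not change the result, because the Deny statement still matches and prevails.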

Application Scenarios of Bucket Policies

If an account needs to access an OBS bucket, you can use the bucket ACL to grant permissions to that account. If you want to grant access permissions to an IAM user, you can use either the IAM user permission settings or a bucket policy. However, to meet the requirements of the following scenarios, you need to use a bucket policy:

  • Obtaining object content: Bucket ACLs can only be used to obtain object lists and upload objects (for details, see Table 2). Object content and metadata cannot be obtained through bucket ACLs. To obtain the content of an object in a bucket, you must configure a bucket policy (set General Settings to Public Read, or use the Customized mode in Advanced Settings) to grant such fine-grained permissions to users.
  • Management of cross-account access permissions: Bucket ACLs can manage access permissions only for accounts and user groups, not for IAM users. IAM user permission settings can control only the cloud resource operation permissions of users under their own account, not the permissions of users in other accounts. To grant an IAM user of one account access to resources under another account, you must configure a bucket policy with advanced settings.
  • Management of all OBS operation permissions: Table 1 lists the operation permissions that can be managed by bucket ACLs and bucket policies. A bucket ACL can manage only some simple operation permissions. For example, a bucket ACL cannot grant users the permission to delete a bucket policy, but a bucket policy can grant users the permission to delete a bucket ACL. Therefore, you must configure bucket policies with advanced settings to manage all operation permissions for buckets and objects.