
Bucket Policy Condition

In addition to effects, users, resources, and actions, a bucket policy statement can specify the conditions under which it takes effect. The statement applies to a request only when every specified condition is met; for a request that does not meet them, the statement is skipped (it neither allows nor denies). Condition is an optional parameter that you use as service requirements dictate. For example, if account A is to have full control of objects that account B uploads to bucket example, you can require that each upload request carry the acl key (the x-amz-acl header) set to bucket-owner-full-control, the canned ACL that grants the bucket owner full control. The complete condition expression is as follows:

| Condition Operator | Key | Value |
| --- | --- | --- |
| StringEquals | acl | bucket-owner-full-control |

A condition consists of three parts: a condition operator, a key, and a value. The operator and the key must be of the same type. For example:

  • If a string operator such as StringEquals is selected, the key must be a string key such as UserAgent.
  • If a date key such as CurrentTime is selected, the operator must be a date operator such as DateEquals.

Table 1 describes the predefined condition operators provided by OBS. Each operator also has a short version that can be used in its place.

Table 1 Condition operators

| Type | Condition Operator | Description |
| --- | --- | --- |
| String | StringEquals | Exact, case-sensitive match. Short version: streq |
| String | StringNotEquals | Exact, case-sensitive negated match. Short version: strneq |
| String | StringEqualsIgnoreCase | Exact match, ignoring case. Short version: streqi |
| String | StringNotEqualsIgnoreCase | Exact negated match, ignoring case. Short version: strneqi |
| String | StringLike | Loose case-insensitive matching. The value can include a multi-character wildcard (*) or a single-character wildcard (?) anywhere in the string. Short version: strl |
| String | StringNotLike | Negated loose case-insensitive matching. The value can include a multi-character wildcard (*) or a single-character wildcard (?) anywhere in the string. Short version: strnl |
| Numeric | NumericEquals | Equal to the value. Short version: numeq |
| Numeric | NumericNotEquals | Not equal to the value. Short version: numneq |
| Numeric | NumericLessThan | Less than the value. Short version: numlt |
| Numeric | NumericLessThanEquals | Less than or equal to the value. Short version: numlteq |
| Numeric | NumericGreaterThan | Greater than the value. Short version: numgt |
| Numeric | NumericGreaterThanEquals | Greater than or equal to the value. Short version: numgteq |
| Date | DateEquals | Same point in time as the value. Short version: dateeq |
| Date | DateNotEquals | Different point in time from the value. Short version: dateneq |
| Date | DateLessThan | Earlier than the value, so the value is the point in time at which the statement stops taking effect. Short version: datelt |
| Date | DateLessThanEquals | Earlier than or equal to the value, so the value is the last point in time at which the statement takes effect. Short version: datelteq |
| Date | DateGreaterThan | Later than the value, so the value is the point in time after which the statement starts taking effect. Short version: dategt |
| Date | DateGreaterThanEquals | Later than or equal to the value, so the value is the first point in time at which the statement takes effect. Short version: dategteq |
| Boolean | Bool | Strict Boolean matching (true or false) |
| IP address | IpAddress | Matches when the address falls within the specified IP address or CIDR range |
| IP address | NotIpAddress | Matches when the address falls outside the specified IP address or CIDR range |

Note that IpAddress and NotIpAddress only decide whether the statement applies; whether a matching request is allowed or denied is determined by the statement's Effect.

A condition can use any of three kinds of keys: general keys, keys related to bucket actions, and keys related to object actions.

Table 2 General keys

| Key | Type | Description |
| --- | --- | --- |
| CurrentTime | Date | Date and time at which the server receives the request. The value must comply with ISO 8601. |
| EpochTime | Numeric | Time at which the server receives the request, expressed as seconds since 1970-01-01 00:00:00 UTC, ignoring leap seconds. |
| SecureTransport | Bool | Whether the request was sent over SSL/TLS (HTTPS). |
| SourceIp | IP address | Source IP address from which the request is sent. |
| UserAgent | String | Client software that sent the request, taken from the User-Agent request header. |
| Referer | String | Page from which the request was sent, taken from the Referer request header. |

UserAgent and Referer are copied from headers that the client sets, so any client can send whatever values a policy expects. Use them for convenience filtering, such as limiting hotlinking of public content, and rely on keys the client cannot choose freely, such as SourceIp and SecureTransport, together with the statement's users and actions, for actual access restriction.

Table 3 Keys related to bucket actions

| Action | Optional Key | Description |
| --- | --- | --- |
| ListBucket | prefix | Type: String. Lists only objects whose names begin with the specified prefix. |
| ListBucket | delimiter | Type: String. Delimiter character used to group object names into common prefixes. |
| ListBucket | max-keys | Type: Numeric. Maximum number of objects to return. Returned objects are listed in alphabetical order. |
| ListBucketVersions | prefix | Type: String. Same meaning as for ListBucket. |
| ListBucketVersions | delimiter | Type: String. Same meaning as for ListBucket. |
| ListBucketVersions | max-keys | Type: Numeric. Same meaning as for ListBucket. |
| PutBucketAcl | acl | Canned ACL carried in the x-amz-acl request header. Valid values: private, public-read, public-read-write, authenticated-read, bucket-owner-read, bucket-owner-full-control, log-delivery-write |

Table 4 Keys related to object actions

| Action | Optional Key | Description |
| --- | --- | --- |
| PutObject | acl | Canned ACL carried in the x-amz-acl request header. Valid values: private, public-read, public-read-write, authenticated-read, bucket-owner-read, bucket-owner-full-control, log-delivery-write |
| PutObject | copysource | Type: String. Names of the source bucket and source object for a copy request. Format: /bucketname/keyname |
| PutObject | metadatadirective | Type: String. Whether to copy the metadata of the source object or replace it with the metadata in the request. Values: COPY, REPLACE |
| PutObjectAcl | acl | Canned ACL carried in the x-amz-acl request header. Valid values: private, public-read, public-read-write, authenticated-read, bucket-owner-read, bucket-owner-full-control, log-delivery-write |
| GetObjectVersion | VersionId | Type: String. Version of the object that the request targets. |
| GetObjectVersionAcl | VersionId | Type: String. Version of the object that the request targets. |
| PutObjectVersionAcl | VersionId | Type: String. Version of the object that the request targets. |
| PutObjectVersionAcl | acl | Canned ACL carried in the x-amz-acl request header. Valid values: private, public-read, public-read-write, authenticated-read, bucket-owner-read, bucket-owner-full-control, log-delivery-write |
| DeleteObjectVersion | VersionId | Type: String. Version of the object that the request targets. |
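The condition semantics described on this page, worked through as an added Python example: the acl scenario from the introduction, the operators of Table 1 and the general and object keys of Tables 2 and 4, applied to a few constructed requests. This is not OBS's own code or its policy engine; it is a small model of the documented behaviour. The bucket name example, the Principal ID strings, the IP range, the dates and the request values are placeholders constructed for the example. How the real service treats a condition key that a request does not carry is not covered on this page, so the model simply treats such a condition as not met.

```python
"""Added example, not OBS code: a model evaluator for the Condition block of an
OBS-style bucket policy, following the operator and key tables on this page."""
import fnmatch
import ipaddress
import json
from datetime import datetime

# Constructed policy (placeholder bucket, principal IDs, range and dates).
# Statement 1 is the page's acl scenario plus general-key conditions;
# statement 2 denies every request that did not arrive over SSL/TLS.
POLICY_JSON = """
{
  "Statement": [
    {
      "Sid": "UploadsMustGrantOwnerFullControl",
      "Effect": "Allow",
      "Principal": {"ID": ["domain/0123456789abcdef:user/fedcba9876543210"]},
      "Action": ["PutObject"],
      "Resource": ["example/*"],
      "Condition": {
        "StringEquals": {"acl": ["bucket-owner-full-control"]},
        "Bool": {"SecureTransport": ["true"]},
        "IpAddress": {"SourceIp": ["192.0.2.0/24"]},
        "DateLessThan": {"CurrentTime": ["2030-01-01T00:00:00Z"]}
      }
    },
    {"Sid": "DenyPlainHttp", "Effect": "Deny", "Principal": {"ID": ["*"]},
     "Action": ["*"], "Resource": ["example", "example/*"],
     "Condition": {"Bool": {"SecureTransport": ["false"]}}}
  ]
}
"""

def _parse_date(value):
    """ISO 8601 with a trailing Z, as used for CurrentTime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def match(op, actual, expected):
    """One operator applied to one request value, per the Table 1 descriptions."""
    if op.startswith("String"):
        a, e = str(actual), str(expected)
        if op.endswith("IgnoreCase") or "Like" in op:  # page: *Like ignores case
            a, e = a.lower(), e.lower()
        hit = fnmatch.fnmatchcase(a, e) if "Like" in op else a == e  # * and ?
        return hit != op.startswith("StringNot")  # StringNot* negates the result
    if op.startswith("Numeric"):
        a, e = float(actual), float(expected)
    elif op.startswith("Date"):
        a, e = _parse_date(actual), _parse_date(expected)
    elif op == "Bool":
        return str(actual).lower() == str(expected).lower()
    elif op in ("IpAddress", "NotIpAddress"):
        inside = ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
        return inside if op == "IpAddress" else not inside
    else:
        raise ValueError(f"unknown condition operator: {op}")
    # Numeric* and Date* share the same comparison suffixes.
    suffix = op[len("Numeric"):] if op.startswith("Numeric") else op[len("Date"):]
    return {"Equals": a == e, "NotEquals": a != e,
            "LessThan": a < e, "LessThanEquals": a <= e,
            "GreaterThan": a > e, "GreaterThanEquals": a >= e}[suffix]

def condition_met(condition, request):
    """Every operator/key pair must hold (AND); the values listed for one key
    are alternatives (OR).  A key the request does not carry is treated as not
    matching: a simplification of this model, not something the page states."""
    for op, pairs in condition.items():
        for key, values in pairs.items():
            if key not in request or not any(match(op, request[key], v) for v in values):
                return False
    return True

def evaluate(policy_json, request):
    """Return "Allow", "Deny" or "NoMatch".  A statement whose Condition is not
    met is skipped; an explicit Deny wins.  Principal matching is left out."""
    decision = "NoMatch"
    for st in json.loads(policy_json)["Statement"]:
        if not any(fnmatch.fnmatchcase(request["Action"], a) for a in st["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(request["Resource"], r) for r in st["Resource"]):
            continue
        if not condition_met(st.get("Condition", {}), request):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

# Constructed requests, reduced to the action, resource and condition keys the
# server derives from the HTTP request (acl comes from the x-amz-acl header).
GOOD = {"Action": "PutObject", "Resource": "example/uploads/report.pdf",
        "acl": "bucket-owner-full-control", "SecureTransport": "true",
        "SourceIp": "192.0.2.17", "CurrentTime": "2025-06-01T12:00:00Z"}
NO_ACL_HEADER = {k: v for k, v in GOOD.items() if k != "acl"}  # header omitted
PLAIN_HTTP = dict(GOOD, SecureTransport="false")
OUTSIDE_RANGE = dict(GOOD, SourceIp="198.51.100.9")

if __name__ == "__main__":
    for name in ("GOOD", "NO_ACL_HEADER", "PLAIN_HTTP", "OUTSIDE_RANGE"):
        print(f"{name:14} -> {evaluate(POLICY_JSON, globals()[name])}")
```

Running the block shows the three ways a request can miss the Allow statement: leaving out the x-amz-acl header (no acl key, so StringEquals cannot match), arriving from an address outside 192.0.2.0/24, or arriving over plain HTTP, which additionally trips the Deny statement because Bool SecureTransport false matches it.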