Conditions¶
In addition to effect, principals, resources, and actions, you can specify conditions for a bucket policy. A bucket policy takes effect only when its condition expressions match values contained in the request. Conditions is an optional parameter. You can determine whether to use this parameter based on service requirements.
For example, if account A needs to be granted with full control permissions for an object uploaded by account B in bucket example, you can specify that the upload request must contain the acl key and set the policy effect to Allow for account A. The complete condition expression is as follows:
Condition Operator | Key | Value |
|---|---|---|
StringEquals | acl | bucket-owner-full-control |
A condition consists of three parts: condition operator, key, and value. Condition operators and keys are associated with each other. For example:
If a string type condition operator is selected, such as StringEquals, the key can only be of the string type, such as UserAgent.
If a date type key is selected, such as CurrentTime, the condition operator can only be of the date type, such as DateEquals.
Table 1 describes the predefined condition operators provided by OBS.
Type | Key | Description |
|---|---|---|
String | StringEquals | Strict matching. Short version: streq |
StringNotEquals | Strict negated matching. Short version: strneq | |
StringEqualsIgnoreCase | Strict matching, ignoring case. Short version: streqi | |
StringNotEqualsIgnoreCase | Strict negated matching, ignoring case. Short version: strneqi | |
StringLike | Loose case-sensitive matching. The values can include a multi-character match wildcard ( | |
StringNotLike | Negated loose case-sensitive matching. The values can include a multi-character match wildcard ( | |
Numeric | NumericEquals | Strict matching. Short version: numeq |
NumericNotEquals | Strict negated matching. Short version: numneq | |
NumericLessThan | "Less than" matching. Short version: numlt | |
NumericLessThanEquals | "Less than or equals" matching. Short version: numlteq | |
NumericGreaterThan | "Greater than" matching. Short version: numgt | |
NumericGreaterThanEquals | "Greater than or equals" matching. Short version: numgteq | |
Date | DateEquals | Strict matching. Short version: dateeq |
DateNotEquals | Strict negated matching. Short version: dateneq | |
DateLessThan | Indicates that the date is earlier than a specific date. Short version: datelt | |
DateLessThanEquals | Indicates that the date is earlier than or equal to a specific date. Short version: datelteq | |
DateGreaterThan | Indicates that the date is later than a specific date. Short version: dategt | |
DateGreaterThanEquals | Indicates that the date is later than or equal to a specific date. Short version: dategteq | |
Boolean | Bool | Strict Boolean matching |
IP address | IpAddress | Takes effect only on a specified IP address or IP address range. Example: x.x.x.x/24 |
NotIpAddress | Takes effect only on all except the specified IP address or IP address range. Example: x.x.x.x/24 |
A condition can contain any of the three types of keys: general keys, keys related to bucket actions, and keys related to object actions.
Key | Type | Description |
|---|---|---|
CurrentTime | Date | Indicates the date when the request is received by the server. The date format must comply with ISO 8601. |
EpochTime | Numeric | Indicates the time when the request is received by the server, which is expressed as seconds since 1970.01.01 00:00:00 UTC, regardless of the leap seconds. |
SecureTransport | Bool | Requests whether to use SSL. |
SourceIp | IP address | Source IP address from which the request is sent |
UserAgent | String | Requested client software agent |
Referer | String | Indicates the link from which the request is sent. |
Action | Optional Key | Description | Description |
|---|---|---|---|
ListBucket | prefix | Type: String. Lists objects that begin with the specified prefix. | If prefix, delimiter, and max-keys are configured, the key-value pair meeting the conditions must be specified in the List operation for the bucket policy to take effect. For example, if a bucket policy (with the conditional operator set to NumericEquals, the key to max-keys, and the value to 100) that allows anonymous users to read data is configured for a bucket, the anonymous users must add ?max-keys=100 to the end of the bucket domain name for listing objects. The listed objects are the first 100 objects in alphabetic order. |
max-keys | Type: Numeric. Sets the maximum number of objects. Returned objects are listed in alphabetic order. | ||
ListBucketVersions | prefix | Type: String. Lists multi-version objects whose name starts with the specified prefix. | |
max-keys | Type: Numeric. Sets the maximum number of objects. Returned objects are listed in alphabetic order. | ||
PutBucketAcl | acl | Type: String. Configures the bucket ACL. When modifying a bucket ACL, you can use the request that contains a canned ACL setting in its header. Value options of a canned ACL setting: private|public-read|public-read-write|authenticated-read|bucket-owner-read|bucket-owner-full-control|log-delivery-write | None |
Action | Optional Key | Description |
|---|---|---|
PutObject | acl | Type: String. Configures the object ACL. When uploading an object, you can use the request that contains a canned ACL setting in its header. Value options of a canned ACL setting: private|public-read|public-read-write|authenticated-read|bucketowner-read|bucket-owner-full-control|log-delivery-write. |
copysource | Type: String. Specifies names of the source bucket and the source object. Format: /bucketname/keyname | |
metadata-directive | Type: String. Specifies whether to copy the metadata from the source object or replace with the metadata in the request. Values: COPY|REPLACE | |
PutObjectAcl | acl | Type: String. Configures the object ACL. When uploading an object, you can use the request that contains a canned ACL setting in its header. Value options of a canned ACL setting: private|public-read|public-read-write|authenticated-read|bucketowner-read|bucket-owner-full-control|log-delivery-write. |
GetObjectVersion | VersionId | Type: String. Obtains the object with the specified version ID. |
GetObjectVersionAcl | VersionId | Type: String. Obtains the ACL of the object with specified version ID. |
PutObjectVersionAcl | VersionId | Type: String. Specifies a version ID. |
acl | Type: String. Configures the ACL of the object with the specified version ID. When uploading an object, you can use the request that contains a canned ACL setting in its header. Value options of a canned ACL setting: private|public-read|public-read-write|authenticated-read|bucketowner-read|bucket-owner-full-control|log-delivery-write. | |
DeleteObjectVersion | VersionId | Type: String. Deletes the object with the specified version ID. |