Configuring a Custom Bucket Policy (Common Mode)

You can customize bucket policies based on your needs. A custom bucket policy consists of five basic elements: effect, principals, resources, actions, and conditions.

This section describes how to configure a custom bucket policy in common mode (GUI).

Procedure

  1. In the bucket list, click the bucket you want to operate to go to the Objects page.

  2. In the navigation pane, choose Permissions > Bucket Policies.

  3. Click Create.

  4. Configure a bucket policy.

    **Figure 1** Configuring a bucket policy

    Figure 1 Configuring a bucket policy

    Table 1 Parameters for configuring a custom bucket policy

    Parameter

    Description

    Policy View

    Visual editor or JSON. The visual editor is used here. For details about configurations in the JSON view, see Configuring a Custom Bucket Policy (Coding Mode).

    Policy Name

    Enter a bucket policy name.

    Effect

    • Allow: The policy allows the matched requests.

    • Deny: The policy denies the matched requests.

    Principals

    • All accounts: The bucket policy applies to anonymous users.

    • Current account: Specify one or more IAM users under the current account.

    • Other accounts: Specify one or more accounts.

      Note

      The account ID and IAM user ID can be obtained from the My Credentials page.

      The format is Account ID/IAM User ID. To specify multiple accounts, enter each one on a separate line.

      Account ID/* indicates that permission is granted to all users under the account.

    • Delegated accounts: Delegated accounts can be added only after Other accounts is selected.

      Note

      The format is Account ID/Agency Name. To specify multiple agencies, enter each one on a separate line.

    • Federated user: Users who access the cloud system through federated identity authentication. If you select Federated user, you can specify the user to be an Identity provider or a User group.

    Resources

    • Entire bucket (including the objects in it): The policy applies to the bucket and the objects in it. You can configure bucket and object actions in this policy.

    • Current bucket: The policy applies to the current bucket. You can configure bucket actions in this policy.

    • Specified objects: The policy applies to specified objects in the bucket. You can configure object actions in this policy.

      Note

      • Multiple resource paths can be specified.

      • A resource path should be configured in the Folder name/Object name format, for example, testdir/a.txt. To specify the testdir folder and all objects in it, enter testdir/*.

      • You can specify a specific object, an object set, or a directory. * indicates all objects in the bucket.

        To specify a specific object, enter the object name.

        To specify a set of objects, enter Object name prefix*, *Object name suffix, or *. For example, testdir/* indicates objects in the testdir folder, and testprefix* indicates objects whose prefix is testprefix.

    Actions

    • Actions: Choose Customize.

    • Select Actions: See Actions.

      Note

      1. If you select Entire bucket (including the objects in it) for Resources, common actions, bucket actions, and object actions will be available for you to choose from.

      2. If you select Current bucket for Resources, common actions and bucket actions will be available for you to choose from.

      3. If you select Specified objects for Resources, common actions and object actions will be available for you to choose from.

      4. If you select both Current bucket and Specified objects for Resources, common actions, bucket actions, and object actions will be available for you to choose from.

    Conditions (Optional)

    • Key: See Conditions.

    • Conditional Operator: See Conditions.

    • Value: The entered value is associated with the key.

    Advanced Settings > Exclude (Optional)

    • Specified principals: By selecting this option, the bucket policy applies to users except the specified ones.

      Note

      • Exclude not selected: The bucket policy applies to the specified users.

      • Exclude selected: The bucket policy applies to users except the specified ones.

    • Specified resources: By selecting this option, the bucket policy applies to resources except the specified ones.

      Note

      • Exclude not selected: The bucket policy applies to the specified OBS resources.

      • Exclude selected: The bucket policy applies to OBS resources except the specified ones.

    • Specified actions: By selecting this option, the bucket policy applies to actions except the specified ones.

      Note

      • Exclude not selected: The bucket policy applies to the specified actions.

      • Exclude selected: The bucket policy applies to actions except the specified ones.

      • By default, Specified actions is selected for Exclude in the bucket read/write template only. The action exclusion setting in bucket policy templates cannot be modified.

  5. Click Create in the lower right corner.

last updated: 2025-09-03 15:17 UTC - commit: d920494ebfe281dadf5648a673e837f6f3f30c8b