doc-exports/docs/obs/s3api/en-us_topic_0125560422.html
zhangyue 6fcdbfd13e OBS S3 API DOC
Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com>
Co-authored-by: zhangyue <zhangyue164@huawei.com>
Co-committed-by: zhangyue <zhangyue164@huawei.com>
2024-02-26 11:17:13 +00:00


<a name="EN-US_TOPIC_0125560422"></a>
<h1 class="topictitle1">Bucket Policy</h1>
<div id="body48777803"><p id="EN-US_TOPIC_0125560422__p3823690616254">Bucket policies provide centralized access control to buckets and objects based on a variety of conditions, including OBS operations, requesters, resources, and aspects of the request (for example, the source IP address). The permissions attached to a bucket apply to all of the objects in that bucket.</p>
<p id="EN-US_TOPIC_0125560422__p858784016254">Individuals as well as companies can use bucket policies. When companies register with OBS, they create an <em id="EN-US_TOPIC_0125560422__i1018170016254">account</em>. Thereafter, the company becomes synonymous with the account. Accounts are financially responsible for the resources they (and their employees) create. Accounts have the power to grant bucket policy permissions and to assign employees permissions based on a variety of conditions. For example, an account could create a policy that gives a user write access:</p>
<ul><li id="EN-US_TOPIC_0125560422__p2452643916254">To a particular bucket</li><li id="EN-US_TOPIC_0125560422__p1941136216254">From the account's corporate network</li><li id="EN-US_TOPIC_0125560422__p4048453416254">From the account's custom application</li></ul>
<p id="EN-US_TOPIC_0125560422__p2881649316254">Unlike access control lists (ACLs), which can only add (grant) permissions on individual objects, policies can either add or deny permissions across all (or a subset) of the objects within a bucket. With one request, an account can set the permissions of any number of objects in a bucket. An account can use wildcards (similar to regular expression operators) in Amazon Resource Names (ARNs) and other values, so that it can control access to groups of objects.</p>
<p id="EN-US_TOPIC_0125560422__p597263602512">A bucket owner sets a bucket access policy with the PUT Bucket policy operation. Note that a new policy overwrites the existing one. A bucket owner can also perform the GET Bucket policy or DELETE Bucket policy operation to retrieve or delete a bucket policy. After a policy is set for a bucket, all subsequent access to the bucket is controlled by the policy: each request to the bucket is accepted or denied according to it.</p>
<p id="EN-US_TOPIC_0125560422__p53491633">In the following example bucket policy, accounts <strong id="EN-US_TOPIC_0125560422__b281314437253">783fc6652cf246c096ea836694f71855</strong> (Domain ID) and <strong id="EN-US_TOPIC_0125560422__b1548834922511">219d520ceac84c5a98b237431a2cf4c2</strong> (Domain ID) are granted the <strong id="EN-US_TOPIC_0125560422__b7359165552517">GetObject</strong> permission for all objects in <strong id="EN-US_TOPIC_0125560422__b31571159192516">mybucket</strong>.</p>
<pre class="screen" id="EN-US_TOPIC_0125560422__screen16440329122320">{
    "Version": "2008-10-17",
    "Id": "aaaa-bbbb-cccc-dddd",
    "Statement": [
        {
            "Effect": "Allow",
            "Sid": "1",
            "Principal": {
                "AWS": ["arn:aws:iam::783fc6652cf246c096ea836694f71855:root", "arn:aws:iam::219d520ceac84c5a98b237431a2cf4c2:root"]
            },
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::mybucket/*"
        }
    ]
}</pre>
<div class="section" id="EN-US_TOPIC_0125560422__section39017818"><h4 class="sectiontitle">Policy Format</h4><p id="EN-US_TOPIC_0125560422__p58687999">A policy is described in the JSON format, as shown in the following syntax:</p>
<pre class="screen" id="EN-US_TOPIC_0125560422__screen40454409122333">{
    "Version": "version",
    "Id": "id",
    "Statement": [statement]
}</pre>
<p id="EN-US_TOPIC_0125560422__p29054997">The <strong id="EN-US_TOPIC_0125560422__b918411205517">Id</strong> and <strong id="EN-US_TOPIC_0125560422__b4644555">Version</strong> parameters are optional.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0125560422__table22453715" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Policy</caption><thead align="left"><tr id="EN-US_TOPIC_0125560422__row60715486"><th align="left" class="cellrowborder" valign="top" width="19.05%" id="mcps1.3.10.5.2.4.1.1"><p id="EN-US_TOPIC_0125560422__p19007354">Element</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="63.78%" id="mcps1.3.10.5.2.4.1.2"><p id="EN-US_TOPIC_0125560422__p63200739">Description</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="17.169999999999998%" id="mcps1.3.10.5.2.4.1.3"><p id="EN-US_TOPIC_0125560422__p18986240">Required</p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0125560422__row61490490"><td class="cellrowborder" valign="top" width="19.05%" headers="mcps1.3.10.5.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p14673784">Id</p>
</td>
<td class="cellrowborder" valign="top" width="63.78%" headers="mcps1.3.10.5.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p47725859">Indicates the ID of a policy. The value is a string that describes the policy.</p>
</td>
<td class="cellrowborder" valign="top" width="17.169999999999998%" headers="mcps1.3.10.5.2.4.1.3 "><p id="EN-US_TOPIC_0125560422__p40589346">No</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row29759797"><td class="cellrowborder" valign="top" width="19.05%" headers="mcps1.3.10.5.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p61733326">Version</p>
</td>
<td class="cellrowborder" valign="top" width="63.78%" headers="mcps1.3.10.5.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p56311059193618">The value is <strong id="EN-US_TOPIC_0125560422__b22584573193647">2008-10-17</strong>.</p>
</td>
<td class="cellrowborder" valign="top" width="17.169999999999998%" headers="mcps1.3.10.5.2.4.1.3 "><p id="EN-US_TOPIC_0125560422__p30357761">No</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="EN-US_TOPIC_0125560422__p4784395"></p>
<p id="EN-US_TOPIC_0125560422__p43059563">A policy can contain multiple statements and each statement contains the following elements:</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0125560422__table756848" frame="border" border="1" rules="all"><caption><b>Table 2 </b>statement elements</caption><thead align="left"><tr id="EN-US_TOPIC_0125560422__row30402474"><th align="left" class="cellrowborder" valign="top" width="19.05%" id="mcps1.3.10.8.2.4.1.1"><p id="EN-US_TOPIC_0125560422__p46681319">Element</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="63.970000000000006%" id="mcps1.3.10.8.2.4.1.2"><p id="EN-US_TOPIC_0125560422__p23090476">Description</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="16.98%" id="mcps1.3.10.8.2.4.1.3"><p id="EN-US_TOPIC_0125560422__p58389282">Required</p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0125560422__row31911408"><td class="cellrowborder" valign="top" width="19.05%" headers="mcps1.3.10.8.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p34687295">Sid</p>
</td>
<td class="cellrowborder" valign="top" width="63.970000000000006%" headers="mcps1.3.10.8.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p58207543">Indicates the ID of a statement. The value is a string that describes the statement.</p>
</td>
<td class="cellrowborder" valign="top" width="16.98%" headers="mcps1.3.10.8.2.4.1.3 "><p id="EN-US_TOPIC_0125560422__p17190527">No</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row20497016"><td class="cellrowborder" valign="top" width="19.05%" headers="mcps1.3.10.8.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p49645628">Principal</p>
</td>
<td class="cellrowborder" valign="top" width="63.970000000000006%" headers="mcps1.3.10.8.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p1694205">Indicates the grantee of a statement. The value can be a wildcard character (*) that indicates all users. When the grantee is a domain, <strong id="EN-US_TOPIC_0125560422__b15247851">Principal</strong> is in the <strong id="EN-US_TOPIC_0125560422__b842352706172349">AWS:domainid</strong>, <strong id="EN-US_TOPIC_0125560422__b84235270617242">AWS:arn:aws:iam::domainid:root</strong>, or <strong id="EN-US_TOPIC_0125560422__b842352706102541">CanonicalUser:</strong> format. When the grantee is a user, <strong id="EN-US_TOPIC_0125560422__b93562175616120">Principal</strong> is in the <strong id="EN-US_TOPIC_0125560422__b173439141516120">AWS:arn:aws:iam::domainid:user/userId</strong> or <strong id="EN-US_TOPIC_0125560422__b842352706171843">AWS:arn:aws:iam::domainid:user/userName</strong> format.</p>
<p style="color:#000000;" id="EN-US_TOPIC_0125560422__p47015489143336">A statement can also name agency users or federated users as grantees. For agency users, the principal format is <strong id="EN-US_TOPIC_0125560422__b32826017145418">AWS:arn:aws:iam::domainid:agency/agencyName</strong>. For federated users, the principal format is <strong id="EN-US_TOPIC_0125560422__b19159022145418">Federated:arn:aws:iam::domainid:identity-provider/providername</strong> or <strong id="EN-US_TOPIC_0125560422__b38213472145418">Federated:arn:aws:iam::domainid:group/groupname</strong>.</p>
</td>
<td class="cellrowborder" valign="top" width="16.98%" headers="mcps1.3.10.8.2.4.1.3 "><p id="EN-US_TOPIC_0125560422__p61135510">No. Specify either Principal or NotPrincipal.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row13348680"><td class="cellrowborder" valign="top" width="19.05%" headers="mcps1.3.10.8.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p7501266">NotPrincipal</p>
</td>
<td class="cellrowborder" valign="top" width="63.970000000000006%" headers="mcps1.3.10.8.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p3622792">Specifies an exception to a list of principals in the statement. You can deny access to all principals except the one named in the <strong id="EN-US_TOPIC_0125560422__b32605136">NotPrincipal</strong> element. The value of this element is similar to that of <strong id="EN-US_TOPIC_0125560422__b25010772">Principal</strong>.</p>
</td>
<td class="cellrowborder" valign="top" width="16.98%" headers="mcps1.3.10.8.2.4.1.3 "><p id="EN-US_TOPIC_0125560422__p12606619">No. Specify either Principal or NotPrincipal.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row46350713"><td class="cellrowborder" valign="top" width="19.05%" headers="mcps1.3.10.8.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p63420295">Action</p>
</td>
<td class="cellrowborder" valign="top" width="63.970000000000006%" headers="mcps1.3.10.8.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p36770245">Specifies operations that a grantee can perform. The value is a case-insensitive string consisting of a set of operations supported by OBS.</p>
<p id="EN-US_TOPIC_0125560422__p62496749">The value can be a wildcard character (*) that indicates all operations.</p>
<p id="EN-US_TOPIC_0125560422__p25599835">Example:</p>
<p id="EN-US_TOPIC_0125560422__p29071927">"Action":["s3:List*", "s3:Get*"]</p>
</td>
<td class="cellrowborder" valign="top" width="16.98%" headers="mcps1.3.10.8.2.4.1.3 "><p id="EN-US_TOPIC_0125560422__p6015877">No. Specify either Action or NotAction.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row54142897"><td class="cellrowborder" valign="top" width="19.05%" headers="mcps1.3.10.8.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p23498561">NotAction</p>
</td>
<td class="cellrowborder" valign="top" width="63.970000000000006%" headers="mcps1.3.10.8.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p24335306">Specifies an exception to a list of actions in the statement. The statement applies to all actions except those specified in <strong id="EN-US_TOPIC_0125560422__b17691163">NotAction</strong>. The value of this element has the same form as that of <strong id="EN-US_TOPIC_0125560422__b25002739">Action</strong>.</p>
</td>
<td class="cellrowborder" valign="top" width="16.98%" headers="mcps1.3.10.8.2.4.1.3 "><p id="EN-US_TOPIC_0125560422__p11955940">No. Specify either Action or NotAction.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row40494599"><td class="cellrowborder" valign="top" width="19.05%" headers="mcps1.3.10.8.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p58837112">Effect</p>
</td>
<td class="cellrowborder" valign="top" width="63.970000000000006%" headers="mcps1.3.10.8.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p1076806">Indicates whether the statement allows or denies the permission. The value is <strong id="EN-US_TOPIC_0125560422__b33804765518">Allow</strong> or <strong id="EN-US_TOPIC_0125560422__b17535142994213">Deny</strong>.</p>
</td>
<td class="cellrowborder" valign="top" width="16.98%" headers="mcps1.3.10.8.2.4.1.3 "><p id="EN-US_TOPIC_0125560422__p20112472">Yes</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row46794527"><td class="cellrowborder" valign="top" width="19.05%" headers="mcps1.3.10.8.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p32260306">Resource</p>
</td>
<td class="cellrowborder" valign="top" width="63.970000000000006%" headers="mcps1.3.10.8.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p62948031">Specifies resources that the statement covers. A resource is defined in the Amazon Resource Name (ARN) format. You can use a wildcard character (*) to represent all resources.</p>
</td>
<td class="cellrowborder" valign="top" width="16.98%" headers="mcps1.3.10.8.2.4.1.3 "><p id="EN-US_TOPIC_0125560422__p65625740">No. Specify either Resource or NotResource.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row53760750"><td class="cellrowborder" valign="top" width="19.05%" headers="mcps1.3.10.8.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p59653487">NotResource</p>
</td>
<td class="cellrowborder" valign="top" width="63.970000000000006%" headers="mcps1.3.10.8.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p94244">Specifies an exception to a list of resources in the statement. The statement applies to all resources except those specified in <strong id="EN-US_TOPIC_0125560422__b848197">NotResource</strong>. The value of this element has the same form as that of <strong id="EN-US_TOPIC_0125560422__b7633781">Resource</strong>.</p>
</td>
<td class="cellrowborder" valign="top" width="16.98%" headers="mcps1.3.10.8.2.4.1.3 "><p id="EN-US_TOPIC_0125560422__p14356556">No. Specify either Resource or NotResource.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row62100140"><td class="cellrowborder" valign="top" width="19.05%" headers="mcps1.3.10.8.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p64055428">Condition</p>
</td>
<td class="cellrowborder" valign="top" width="63.970000000000006%" headers="mcps1.3.10.8.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p21107156">Indicates the conditions for a statement to take effect.</p>
</td>
<td class="cellrowborder" valign="top" width="16.98%" headers="mcps1.3.10.8.2.4.1.3 "><p id="EN-US_TOPIC_0125560422__p31958085">No</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="EN-US_TOPIC_0125560422__p19187313"></p>
<div class="note" id="EN-US_TOPIC_0125560422__note38468094"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="EN-US_TOPIC_0125560422__p1996675317290">A statement contains either:</p>
<ul id="EN-US_TOPIC_0125560422__ul3730555162911"><li id="EN-US_TOPIC_0125560422__li1791021143013"><strong id="EN-US_TOPIC_0125560422__b1891117183016">Action</strong> or <strong id="EN-US_TOPIC_0125560422__b4911411309">NotAction</strong></li><li id="EN-US_TOPIC_0125560422__li19592105143012"><strong id="EN-US_TOPIC_0125560422__b1259275143019">Resource</strong> or <strong id="EN-US_TOPIC_0125560422__b15592185143015">NotResource</strong></li><li id="EN-US_TOPIC_0125560422__li773017559294"><strong id="EN-US_TOPIC_0125560422__b2073075582919">Principal</strong> or <strong id="EN-US_TOPIC_0125560422__b15730115562916">NotPrincipal</strong></li></ul>
</div></div>
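<p>The structural rules above (Table 1, Table 2 and the note) are easy to get wrong by hand, and a malformed document is rejected by PUT Bucket policy only after it has been sent. The following Python check is an added example, not code from the OBS documentation: it enforces the single Version value, the required Effect, and the exactly-one-of rule for each Action/NotAction, Resource/NotResource and Principal/NotPrincipal pair, and it checks that actions carry the s3: prefix and resources the arn:aws:s3::: prefix listed on this page. The sample documents and error strings are constructed for the example.</p>

```python
# Added example (not part of the OBS documentation): a structural check of a
# bucket policy document against the rules stated in Table 1, Table 2 and the
# note above.  The s3: action prefix and the arn:aws:s3::: resource prefix are
# those given on this page; the sample documents are constructed.
import json

POLICY_VERSION = "2008-10-17"                     # the one value Table 1 allows
EXCLUSIVE_PAIRS = (("Action", "NotAction"),       # a statement holds exactly one
                   ("Resource", "NotResource"),   # element of each pair
                   ("Principal", "NotPrincipal"))


def _as_list(value):
    """Policy elements may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def validate_policy(document):
    """Return the list of problems found; an empty list means the policy is well formed."""
    policy = json.loads(document) if isinstance(document, str) else document
    problems = []
    if "Version" in policy and policy["Version"] != POLICY_VERSION:
        problems.append(f"Version must be {POLICY_VERSION}, got {policy['Version']!r}")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for index, stmt in enumerate(statements):
        where = f"statement {stmt.get('Sid', index)!r}"
        if stmt.get("Effect") not in ("Allow", "Deny"):      # Effect is required
            problems.append(f"{where}: Effect must be Allow or Deny")
        for positive, negative in EXCLUSIVE_PAIRS:
            present = [k for k in (positive, negative) if k in stmt]
            if len(present) != 1:
                problems.append(f"{where}: specify exactly one of {positive}/{negative}")
        # Action names are case-insensitive: '*' or an s3: operation
        for key in ("Action", "NotAction"):
            for action in _as_list(stmt.get(key, [])):
                if not (action == "*" or str(action).lower().startswith("s3:")):
                    problems.append(f"{where}: unexpected action {action!r}")
        # Resources are '*' or S3 ARNs: arn:aws:s3:::bucketname[/path/objectname]
        for key in ("Resource", "NotResource"):
            for arn in _as_list(stmt.get(key, [])):
                if not (arn == "*" or str(arn).startswith("arn:aws:s3:::")):
                    problems.append(f"{where}: resource {arn!r} is not an S3 ARN")
    return problems


# The policy from the page (valid) and a constructed document with four faults.
GOOD_POLICY = """{
    "Version": "2008-10-17",
    "Id": "aaaa-bbbb-cccc-dddd",
    "Statement": [{
        "Effect": "Allow", "Sid": "1",
        "Principal": {"AWS": ["arn:aws:iam::783fc6652cf246c096ea836694f71855:root"]},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::mybucket/*"
    }]
}"""
BAD_POLICY = {
    "Version": "2012-10-17",                      # not the OBS value
    "Statement": [{
        "Sid": "broken",
        "Effect": "allow",                        # wrong case
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "NotAction": ["s3:DeleteObject"],         # both halves of an exclusive pair
        "Resource": "mybucket/*",                 # bare bucket name, not an ARN
    }],
}

if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, validate_policy(doc) or "ok")
```

<p>Running the check before every PUT Bucket policy call is cheap, and because a PUT replaces the whole policy, catching a missing Effect or a bare bucket name locally avoids leaving the bucket with no policy at all after a rejected upload.</p>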
<p id="EN-US_TOPIC_0125560422__p37526105">In OBS, <strong id="EN-US_TOPIC_0125560422__b12339111335514">Action</strong> can be the following operations on buckets:</p>
<ul id="EN-US_TOPIC_0125560422__ul27551653123019">
<li id="EN-US_TOPIC_0125560422__li157491853203013">s3:DeleteBucket</li>
<li id="EN-US_TOPIC_0125560422__li375016538302">s3:ListBucket</li>
<li id="EN-US_TOPIC_0125560422__li4750145314309">s3:ListBucketVersions</li>
<li id="EN-US_TOPIC_0125560422__li13750353103012">s3:ListBucketMultipartUploads</li>
<li id="EN-US_TOPIC_0125560422__li6750195317308">s3:GetBucketAcl</li>
<li id="EN-US_TOPIC_0125560422__li1975035343014">s3:PutBucketAcl</li>
<li id="EN-US_TOPIC_0125560422__li1475110532305">s3:GetBucketCORS</li>
<li id="EN-US_TOPIC_0125560422__li12751185393012">s3:PutBucketCORS</li>
<li id="EN-US_TOPIC_0125560422__li107511553143016">s3:GetBucketVersioning</li>
<li id="EN-US_TOPIC_0125560422__li117531453113013">s3:PutBucketVersioning</li>
<li id="EN-US_TOPIC_0125560422__li14753145312304">s3:GetBucketLocation</li>
<li id="EN-US_TOPIC_0125560422__li187531053103017">s3:GetBucketLogging</li>
<li id="EN-US_TOPIC_0125560422__li12753175323015">s3:PutBucketLogging</li>
<li id="EN-US_TOPIC_0125560422__li197532532304">s3:GetBucketWebsite</li>
<li id="EN-US_TOPIC_0125560422__li3753135310305">s3:PutBucketWebsite</li>
<li id="EN-US_TOPIC_0125560422__li197531953143010">s3:DeleteBucketWebsite</li>
<li id="EN-US_TOPIC_0125560422__li37559537302">s3:GetLifecycleConfiguration</li>
<li id="EN-US_TOPIC_0125560422__li1475518531305">s3:PutLifecycleConfiguration</li>
<li id="EN-US_TOPIC_0125560422__li32250409143352">s3:GetBucketNotification</li>
<li id="EN-US_TOPIC_0125560422__li62787262143432">s3:PutBucketNotification</li>
<li id="EN-US_TOPIC_0125560422__li141617197236">s3:PutBucketPolicy</li>
<li id="EN-US_TOPIC_0125560422__li1925583419230">s3:GetBucketPolicy</li>
<li id="EN-US_TOPIC_0125560422__li658904219231">s3:DeleteBucketPolicy</li>
<li id="EN-US_TOPIC_0125560422__li2838104862315">s3:PutBucketQuota</li>
<li id="EN-US_TOPIC_0125560422__li5849172311246">s3:GetBucketQuota</li>
<li id="EN-US_TOPIC_0125560422__li10853304249">s3:PutBucketStoragePolicy</li>
<li id="EN-US_TOPIC_0125560422__li151116732517">s3:GetBucketStoragePolicy</li>
<li id="EN-US_TOPIC_0125560422__li219942582512">s3:GetBucketStorage</li>
<li id="EN-US_TOPIC_0125560422__li8574858262">s3:PutBucketTagging</li>
<li id="EN-US_TOPIC_0125560422__li19267117122611">s3:GetBucketTagging</li>
<li id="EN-US_TOPIC_0125560422__li625213151196">s3:PutBucketObjectLockConfiguration</li>
<li id="EN-US_TOPIC_0125560422__li18744143218811">s3:GetBucketObjectLockConfiguration</li>
</ul>
<p id="EN-US_TOPIC_0125560422__p1906716182417"></p>
<p id="EN-US_TOPIC_0125560422__p37494488">In OBS, <strong id="EN-US_TOPIC_0125560422__b295072015550">Action</strong> can be the following operations on objects:</p>
<ul id="EN-US_TOPIC_0125560422__ul5538123133114">
<li id="EN-US_TOPIC_0125560422__li7537123203110">s3:GetObject (applies to GET Object and HEAD Object)</li>
<li id="EN-US_TOPIC_0125560422__li35378316315">s3:GetObjectVersion</li>
<li id="EN-US_TOPIC_0125560422__li1553711323114">s3:PutObject (applies to PUT Object, POST Object, Initiate Multipart Upload, Upload Part, and Complete Multipart Upload)</li>
<li id="EN-US_TOPIC_0125560422__li35371032314">s3:GetObjectAcl</li>
<li id="EN-US_TOPIC_0125560422__li753711333117">s3:GetObjectVersionAcl</li>
<li id="EN-US_TOPIC_0125560422__li1753715314311">s3:PutObjectAcl</li>
<li id="EN-US_TOPIC_0125560422__li12537123163110">s3:PutObjectVersionAcl</li>
<li id="EN-US_TOPIC_0125560422__li17537103153116">s3:DeleteObject</li>
<li id="EN-US_TOPIC_0125560422__li1553793153114">s3:DeleteObjectVersion</li>
<li id="EN-US_TOPIC_0125560422__li853815303119">s3:ListMultipartUploadParts</li>
<li id="EN-US_TOPIC_0125560422__li453810314318">s3:AbortMultipartUpload</li>
<li id="EN-US_TOPIC_0125560422__li1880293012217">s3:RestoreObject</li>
<li id="EN-US_TOPIC_0125560422__li3239185216123">s3:PutObjectRetention</li>
</ul>
<p id="EN-US_TOPIC_0125560422__p62936795143114"></p>
<p id="EN-US_TOPIC_0125560422__p14449517143114">OBS supports S3 resources in the ARN format:</p>
<ul id="EN-US_TOPIC_0125560422__ul65071313193114"><li id="EN-US_TOPIC_0125560422__li20507171373115">arn:aws:s3:::bucketname (operations on buckets)</li><li id="EN-US_TOPIC_0125560422__li185079139313">arn:aws:s3:::bucketname/path/objectname (operations on objects)</li></ul>
<p id="EN-US_TOPIC_0125560422__p83756171213"></p>
<p id="EN-US_TOPIC_0125560422__p3203868092822">The following policy grants all permissions (including bucket and object operations) for bucket <strong id="EN-US_TOPIC_0125560422__b1419731921161828">examplebucket</strong> to <strong id="EN-US_TOPIC_0125560422__b1614736634161828">71f3901173514e6988115ea2c26d1999</strong> (user ID) in <strong id="EN-US_TOPIC_0125560422__b434312694161828">b4bf1b36d9ca43d984fbcb9491b6fce9</strong> (domain ID).</p>
<pre class="screen" id="EN-US_TOPIC_0125560422__screen1991267092822">{
    "Statement": [
        {
            "Sid": "test",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]},
            "Action": ["s3:*"],
            "Resource": [
                "arn:aws:s3:::examplebucket/*",
                "arn:aws:s3:::examplebucket"
            ]
        }
    ]
}</pre>
<p id="EN-US_TOPIC_0125560422__p451118161112">or</p>
<pre class="screen" id="EN-US_TOPIC_0125560422__screen154872292118">{
    "Statement": [
        {
            "Sid": "test",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::b4bf1b36d9ca43d984fbcb9491b6fce9:user/user1"]},
            "Action": ["s3:*"],
            "Resource": [
                "arn:aws:s3:::examplebucket/*",
                "arn:aws:s3:::examplebucket"
            ]
        }
    ]
}</pre>
<div class="note" id="EN-US_TOPIC_0125560422__note4499630792822"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="EN-US_TOPIC_0125560422__p231358492822">If you do not specify a path when uploading an object, omit <strong id="EN-US_TOPIC_0125560422__b40424798171651">/path</strong> in the ARN.</p>
</div></div>
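<p>To see how the Principal, Action and Resource elements and their Not* counterparts combine when a request is checked, the following Python evaluator is an added example and not code from the OBS documentation. It applies the matching rules stated above: Action patterns are case-insensitive and may contain *, Resource ARNs may contain *, Principal is either * or a map such as {"AWS": [...]} of ARNs, and each Not* element inverts the match of its counterpart. The evaluation order is an assumption of this example (the standard S3 order, which this page does not spell out): an explicit Deny wins over any Allow, and a request matched by no Allow statement is denied. The policy reuses the page's grant for examplebucket and adds a constructed Deny statement; the object ARN and second user are constructed.</p>

```python
# Added example (not part of the OBS documentation): evaluate one request
# against a bucket policy using the matching rules stated on this page.
# Assumption (standard S3 order, not stated here): an explicit Deny wins over
# any Allow, and a request that matches no Allow statement is denied.
import fnmatch
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard(pattern, value, ignore_case):
    """'*' matches any run of characters, including '/' inside an object key."""
    if ignore_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _principal_matches(spec, principal_arn):
    """spec is '*' or a map such as {"AWS": [arn, ...], "Federated": [...]}."""
    if spec == "*":
        return True
    for entries in spec.values():
        if principal_arn in _as_list(entries) or "*" in _as_list(entries):
            return True
    return False


def _element_matches(stmt, positive, negative, value, test):
    """Apply the element or its Not* counterpart (a statement has exactly one)."""
    if positive in stmt:
        return any(test(p, value) for p in _as_list(stmt[positive]))
    return not any(test(p, value) for p in _as_list(stmt[negative]))


def evaluate(policy, principal_arn, action, resource_arn):
    """Return 'Allow' or 'Deny' for principal_arn performing action on resource_arn."""
    policy = json.loads(policy) if isinstance(policy, str) else policy
    decision = "Deny"                               # default when no Allow matches
    for stmt in policy["Statement"]:
        if not _element_matches(stmt, "Principal", "NotPrincipal", principal_arn,
                                _principal_matches):
            continue
        if not _element_matches(stmt, "Action", "NotAction", action,
                                lambda p, v: _wildcard(p, v, ignore_case=True)):
            continue
        if not _element_matches(stmt, "Resource", "NotResource", resource_arn,
                                lambda p, v: _wildcard(p, v, ignore_case=False)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                           # an explicit Deny ends evaluation
        decision = "Allow"
    return decision


# Principals: the user from the page's example and a constructed second user.
USER = "arn:aws:iam::b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"
OTHER = "arn:aws:iam::b4bf1b36d9ca43d984fbcb9491b6fce9:user/user2"
OBJECT = "arn:aws:s3:::examplebucket/reports/2024/q1.csv"       # constructed object ARN

SAMPLE_POLICY = {
    "Statement": [
        {   # the grant from the page: every bucket and object operation for one user
            "Sid": "test", "Effect": "Allow",
            "Principal": {"AWS": [USER]},
            "Action": ["s3:*"],
            "Resource": ["arn:aws:s3:::examplebucket/*", "arn:aws:s3:::examplebucket"],
        },
        {   # constructed guard rail: nobody may delete objects, whatever else is allowed
            "Sid": "no-deletes", "Effect": "Deny",
            "Principal": "*",
            "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
            "Resource": "arn:aws:s3:::examplebucket/*",
        },
    ]
}

if __name__ == "__main__":
    for who, act, res in ((USER, "s3:GetObject", OBJECT), (USER, "s3:deleteobject", OBJECT),
                          (OTHER, "s3:GetObject", OBJECT),
                          (USER, "s3:ListBucket", "arn:aws:s3:::otherbucket")):
        print(f"{act:16} {who.rsplit('/', 1)[-1]:34} -> {evaluate(SAMPLE_POLICY, who, act, res)}")
```

<p>The two Resource entries in the page's example matter: arn:aws:s3:::examplebucket/* never matches the bucket ARN itself, so bucket operations such as s3:ListBucket need the second entry. The Deny statement shows why a broad s3:* grant is still reviewable: a narrower Deny placed beside it takes precedence regardless of statement order.</p>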
<p id="EN-US_TOPIC_0125560422__p58769241"><a href="#EN-US_TOPIC_0125560422__table6811633">Table 3</a> lists the general types of <strong id="EN-US_TOPIC_0125560422__b176071130205511">Condition</strong> that you can specify.</p>
<div class="tablenoborder"><a name="EN-US_TOPIC_0125560422__table6811633"></a><a name="table6811633"></a><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0125560422__table6811633" frame="border" border="1" rules="all"><caption><b>Table 3 </b>Condition</caption><thead align="left"><tr id="EN-US_TOPIC_0125560422__row14369203"><th align="left" class="cellrowborder" valign="top" width="16.6%" id="mcps1.3.10.26.2.4.1.1"><p id="EN-US_TOPIC_0125560422__p23054829">Type</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="32.96%" id="mcps1.3.10.26.2.4.1.2"><p id="EN-US_TOPIC_0125560422__p55501888">Element</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="50.44%" id="mcps1.3.10.26.2.4.1.3"><p id="EN-US_TOPIC_0125560422__p66467923">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0125560422__row15192654"><td class="cellrowborder" rowspan="6" valign="top" width="16.6%" headers="mcps1.3.10.26.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p22645466">String</p>
</td>
<td class="cellrowborder" valign="top" width="32.96%" headers="mcps1.3.10.26.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p22343454">StringEquals</p>
</td>
<td class="cellrowborder" valign="top" width="50.44%" headers="mcps1.3.10.26.2.4.1.3 "><p id="EN-US_TOPIC_0125560422__p64989379">Strict matching</p>
<p id="EN-US_TOPIC_0125560422__p48033505">Short version: streq</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row29648369"><td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p52707663">StringNotEquals</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p41462277">Strict negated matching</p>
<p id="EN-US_TOPIC_0125560422__p37616177">Short version: strneq</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row3001276"><td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p41776795">StringEqualsIgnoreCase</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p28477259">Strict matching, ignoring case</p>
<p id="EN-US_TOPIC_0125560422__p54968745">Short version: streqi</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row24956660"><td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__ole_link41">StringNotEqualsIgnoreCase</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p62127694">Strict negated matching, ignoring case</p>
<p id="EN-US_TOPIC_0125560422__p22278337">Short version: strneqi</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row66287312"><td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p563178">StringLike</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p533911500313">Loose case-insensitive matching. The values can include a multi-character match wildcard (*) or a single-character match wildcard (?) anywhere in the string.</p>
<p id="EN-US_TOPIC_0125560422__p45617477">Short version: strl</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row7904114"><td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p36253521">StringNotLike</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p50854084">Negated loose case-insensitive matching. The values can include a multi-character match wildcard (*) or a single-character match wildcard (?) anywhere in the string.</p>
<p id="EN-US_TOPIC_0125560422__p55033577">Short version: strnl</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row25540148"><td class="cellrowborder" rowspan="6" valign="top" width="16.6%" headers="mcps1.3.10.26.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p55486088">Numeric</p>
</td>
<td class="cellrowborder" valign="top" width="32.96%" headers="mcps1.3.10.26.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p65188137">NumericEquals</p>
</td>
<td class="cellrowborder" valign="top" width="50.44%" headers="mcps1.3.10.26.2.4.1.3 "><p id="EN-US_TOPIC_0125560422__p45747710">Strict matching</p>
<p id="EN-US_TOPIC_0125560422__p9076207">Short version: numeq</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row14577007"><td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p39886950">NumericNotEquals</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p9617480">Strict negated matching</p>
<p id="EN-US_TOPIC_0125560422__p19448462">Short version: numneq</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row40818431"><td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p17958643">NumericLessThan</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p45363979">"Less than" matching</p>
<p id="EN-US_TOPIC_0125560422__p5622632">Short version: numlt</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row50603696"><td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p5258697">NumericLessThanEquals</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p23301311">"Less than or equals" matching</p>
<p id="EN-US_TOPIC_0125560422__p8385208">Short version: numlteq</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row8358009"><td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p5910111">NumericGreaterThan</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p8957019">"Greater than" matching</p>
<p id="EN-US_TOPIC_0125560422__p13504307">Short version: numgt</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row54429906"><td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p46746286">NumericGreaterThanEquals</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p28352855">"Greater than or equals" matching</p>
<p id="EN-US_TOPIC_0125560422__p53849108">Short version: numgteq</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row14879924"><td class="cellrowborder" rowspan="6" valign="top" width="16.6%" headers="mcps1.3.10.26.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p64423214">Date</p>
</td>
<td class="cellrowborder" valign="top" width="32.96%" headers="mcps1.3.10.26.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p50897836">DateEquals</p>
</td>
<td class="cellrowborder" valign="top" width="50.44%" headers="mcps1.3.10.26.2.4.1.3 "><p id="EN-US_TOPIC_0125560422__p29084055">Strict matching</p>
<p id="EN-US_TOPIC_0125560422__p60429904">Short version: dateeq</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row6998230"><td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p29985746">DateNotEquals</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p12926322">Strict negated matching</p>
<p id="EN-US_TOPIC_0125560422__p49228035">Short version: dateneq</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row40399134"><td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p51104447">DateLessThan</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p45819581">A point in time at which a key stops taking effect</p>
<p id="EN-US_TOPIC_0125560422__p9723050">Short version: datelt</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row20398591"><td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p41673198">DateLessThanEquals</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p20085873">A point in time at which a key stops taking effect</p>
<p id="EN-US_TOPIC_0125560422__p46555134">Short version: datelteq</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row16343025"><td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p48716629">DateGreaterThan</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p53732870">A point in time at which a key starts to take effect</p>
<p id="EN-US_TOPIC_0125560422__p13833782">Short version: dategt</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row57395179"><td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p18497900">DateGreaterThanEquals</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p21934963">A point in time at which a key starts to take effect</p>
<p id="EN-US_TOPIC_0125560422__p63196939">Short version: dategteq</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row31901541"><td class="cellrowborder" valign="top" width="16.6%" headers="mcps1.3.10.26.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p33888044">Boolean</p>
</td>
<td class="cellrowborder" valign="top" width="32.96%" headers="mcps1.3.10.26.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p60577072">Bool</p>
</td>
<td class="cellrowborder" valign="top" width="50.44%" headers="mcps1.3.10.26.2.4.1.3 "><p id="EN-US_TOPIC_0125560422__p7795800">Strict Boolean matching</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row3053341"><td class="cellrowborder" rowspan="2" valign="top" width="16.6%" headers="mcps1.3.10.26.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p45994103">IP address</p>
</td>
<td class="cellrowborder" valign="top" width="32.96%" headers="mcps1.3.10.26.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p34534890">IpAddress</p>
</td>
<td class="cellrowborder" valign="top" width="50.44%" headers="mcps1.3.10.26.2.4.1.3 "><p id="EN-US_TOPIC_0125560422__p45862685">Matches when the request's source IP address falls within the specified address or CIDR range (whether the match allows or denies depends on the statement's <strong>Effect</strong>)</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row10110982"><td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p13683196">NotIpAddress</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.26.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p34597128">Matches when the request's source IP address falls outside every specified address or CIDR range</p>
</td>
</tr>
</tbody>
</table>
</div>
<div class="note" id="EN-US_TOPIC_0125560422__note42938696"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="EN-US_TOPIC_0125560422__p50903951">Elements in <strong id="EN-US_TOPIC_0125560422__b12884163810557">Condition</strong> are case-sensitive. Date conditions must be in the ISO 8601 format. For details, see <a href="http://www.w3.org/TR/NOTE-datetime" target="_blank" rel="noopener noreferrer">http://www.w3.org/TR/NOTE-datetime</a>.</p>
</div></div>
<p id="EN-US_TOPIC_0125560422__p55482381">A <strong id="EN-US_TOPIC_0125560422__b3997164419559">Condition</strong> block (element) can contain multiple key value pairs. The following example <strong id="EN-US_TOPIC_0125560422__b41511754105513">Condition</strong> block specifies requests initiated between 2009-04-16T12:00:00Z and 2009-04-16T15:00:00Z from IP addresses on network segment 192.168.176.0/24 or 192.168.143.0/24:</p>
<pre class="screen" id="EN-US_TOPIC_0125560422__screen36311305122426">"Condition": {
  "DateGreaterThan": {
    "aws:CurrentTime": "2009-04-16T12:00:00Z"
  },
  "DateLessThan": {
    "aws:CurrentTime": "2009-04-16T15:00:00Z"
  },
  "IpAddress": {
    "aws:SourceIp": ["192.168.176.0/24", "192.168.143.0/24"]
  }
}</pre>
<p id="EN-US_TOPIC_0125560422__p9612155183517">A <strong id="EN-US_TOPIC_0125560422__b3531191135617">Condition</strong> block can contain two types of keys:</p>
<ul id="EN-US_TOPIC_0125560422__ul427655917355"><li id="EN-US_TOPIC_0125560422__li135681619363">General keys, which are independent of the <strong id="EN-US_TOPIC_0125560422__b256815673610">Action</strong>.</li><li id="EN-US_TOPIC_0125560422__li92767598353">S3 service-specific keys, which apply only to particular <strong id="EN-US_TOPIC_0125560422__b8530162311364">Action</strong> values.</li></ul>
<p id="EN-US_TOPIC_0125560422__p8929795"><a href="#EN-US_TOPIC_0125560422__table61304705">Table 4</a> lists the general keys.</p>
<div class="tablenoborder"><a name="EN-US_TOPIC_0125560422__table61304705"></a><a name="table61304705"></a><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0125560422__table61304705" frame="border" border="1" rules="all"><caption><b>Table 4 </b>Common Condition Key</caption><thead align="left"><tr id="EN-US_TOPIC_0125560422__row43801132"><th align="left" class="cellrowborder" valign="top" width="50%" id="mcps1.3.10.33.2.3.1.1"><p id="EN-US_TOPIC_0125560422__p58230842">Condition Key</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="50%" id="mcps1.3.10.33.2.3.1.2"><p id="EN-US_TOPIC_0125560422__p19077772">Condition Type</p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0125560422__row1795723"><td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.10.33.2.3.1.1 "><p id="EN-US_TOPIC_0125560422__p11235870">aws:CurrentTime</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.10.33.2.3.1.2 "><p id="EN-US_TOPIC_0125560422__p37690286">Date</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row3668256"><td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.10.33.2.3.1.1 "><p id="EN-US_TOPIC_0125560422__p28693301">aws:EpochTime</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.10.33.2.3.1.2 "><p id="EN-US_TOPIC_0125560422__p42456059">Numeric</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row46560216"><td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.10.33.2.3.1.1 "><p id="EN-US_TOPIC_0125560422__p13281129">aws:SecureTransport</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.10.33.2.3.1.2 "><p id="EN-US_TOPIC_0125560422__p2029696">Boolean</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row18267264"><td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.10.33.2.3.1.1 "><p id="EN-US_TOPIC_0125560422__p3253400">aws:SourceIp</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.10.33.2.3.1.2 "><p id="EN-US_TOPIC_0125560422__p62198824">IP address</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row22918509"><td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.10.33.2.3.1.1 "><p id="EN-US_TOPIC_0125560422__p44459941">aws:UserAgent</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.10.33.2.3.1.2 "><p id="EN-US_TOPIC_0125560422__p44485482">String</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row64825020"><td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.10.33.2.3.1.1 "><p id="EN-US_TOPIC_0125560422__p16335295">aws:Referer</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.10.33.2.3.1.2 "><p id="EN-US_TOPIC_0125560422__p48090498">String</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="EN-US_TOPIC_0125560422__p3016237"><a href="#EN-US_TOPIC_0125560422__table14871440">Table 5</a> lists the OBS service-specific keys.</p>
<div class="tablenoborder"><a name="EN-US_TOPIC_0125560422__table14871440"></a><a name="table14871440"></a><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0125560422__table14871440" frame="border" border="1" rules="all"><caption><b>Table 5 </b>OBS Action Condition Key</caption><thead align="left"><tr id="EN-US_TOPIC_0125560422__row5680913"><th align="left" class="cellrowborder" valign="top" width="33.33333333333333%" id="mcps1.3.10.35.2.4.1.1"><p id="EN-US_TOPIC_0125560422__p57500814">Action</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="33.33333333333333%" id="mcps1.3.10.35.2.4.1.2"><p id="EN-US_TOPIC_0125560422__p27054376">Key</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="33.33333333333333%" id="mcps1.3.10.35.2.4.1.3"><p id="EN-US_TOPIC_0125560422__p43920838">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0125560422__row818129"><td class="cellrowborder" rowspan="3" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p66268464">s3:CreateBucket</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p66145356">s3:x-amz-acl</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.3 "><p id="EN-US_TOPIC_0125560422__p56173580"><strong id="EN-US_TOPIC_0125560422__b431374214362">x-amz-acl</strong> can contain the canned ACL.</p>
<p id="EN-US_TOPIC_0125560422__p35800173">Valid values: private | public-read | public-read-write | authenticated-read | bucket-owner-read | bucket-owner-full-control | log-delivery-write</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row25664850115252"><td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.1 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p13354193115316">s3:x-amz-grant-permission</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.2 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p7947833115316">Not supported</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row25039621115256"><td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.1 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p22608102115316">s3:LocationConstraint</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.2 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p19316974115316">Not supported</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row53766104"><td class="cellrowborder" rowspan="3" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p60087193">s3:ListBucket</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p35224503">s3:prefix</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.3 "><p id="EN-US_TOPIC_0125560422__p34612505">String</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row43077096"><td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p66692715">s3:delimiter</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p33400872">String</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row32172395"><td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p55827183">s3:max-keys</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p25707968">Numeric</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row30045120"><td class="cellrowborder" rowspan="3" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p17735662">s3:ListBucketVersions</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p27302557">s3:prefix</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.3 "><p id="EN-US_TOPIC_0125560422__p64023541">String</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row39340959"><td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p32501126">s3:delimiter</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p15345578">String</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row3892478"><td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p46855303">s3:max-keys</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p37183233">Numeric</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row66213648"><td class="cellrowborder" rowspan="2" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p61705270">s3:PutBucketAcl</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p32070944">s3:x-amz-acl</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.3 "><p id="EN-US_TOPIC_0125560422__p47609654"><strong id="EN-US_TOPIC_0125560422__b42193815562">x-amz-acl</strong> can contain the canned ACL.</p>
<p id="EN-US_TOPIC_0125560422__p25833710">Valid values: private | public-read | public-read-write | authenticated-read | bucket-owner-read | bucket-owner-full-control | log-delivery-write</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row32406958115327"><td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.1 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p20161470115344">s3:x-amz-grant-permission</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.2 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p22466403115344">Not supported</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row31176802"><td class="cellrowborder" rowspan="5" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p42293001">s3:PutObject</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p3181077">s3:x-amz-acl</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.3 "><p id="EN-US_TOPIC_0125560422__p56340718"><strong id="EN-US_TOPIC_0125560422__b1851016250567">x-amz-acl</strong> can contain the canned ACL.</p>
<p id="EN-US_TOPIC_0125560422__p37304419">Valid values: private | public-read | public-read-write | authenticated-read | bucket-owner-read | bucket-owner-full-control | log-delivery-write</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row195451"><td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p15831589">s3:x-amz-copy-source</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p4815152883710">String</p>
<p id="EN-US_TOPIC_0125560422__p516273613372">Example format:</p>
<p id="EN-US_TOPIC_0125560422__p7290323"><strong id="EN-US_TOPIC_0125560422__b17192438378">/bucketname/keyname</strong></p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row65612911"><td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p13045599">s3:x-amz-metadata-directive</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p47892361">String</p>
<p id="EN-US_TOPIC_0125560422__p50301533">Valid values: COPY | REPLACE</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row1640328811547"><td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.1 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p35667538115436">s3:x-amz-grant-permission</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.2 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p3389448115436">Not supported</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row4607717611542"><td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.1 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p57997724115442">s3:x-amz-storage-class</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.2 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p195166115442">Not supported</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row28378065"><td class="cellrowborder" rowspan="2" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p16921890">s3:PutObjectAcl</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p28495844">s3:x-amz-acl</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.3 "><p id="EN-US_TOPIC_0125560422__p26462014"><strong id="EN-US_TOPIC_0125560422__b2653173485619">x-amz-acl</strong> can contain the canned ACL.</p>
<p id="EN-US_TOPIC_0125560422__p36831540">Valid values: private | public-read | public-read-write | authenticated-read | bucket-owner-read | bucket-owner-full-control | log-delivery-write</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row17061708115450"><td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.1 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p3304895115457">s3:x-amz-grant-permission</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.2 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p66369966115457">Not supported</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row63048409"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p6647517">s3:GetObjectVersion</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p1577968">s3:VersionId</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.3 "><p id="EN-US_TOPIC_0125560422__p60706621">String</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row9488680"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.1 "><p id="EN-US_TOPIC_0125560422__p30385596">s3:GetObjectVersionAcl</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.2 "><p id="EN-US_TOPIC_0125560422__p45314205">s3:VersionId</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.3 "><p id="EN-US_TOPIC_0125560422__p46571954">String</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row16494403"><td class="cellrowborder" rowspan="3" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.1 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p60978306">s3:PutObjectVersionAcl</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.2 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p40295786">s3:VersionId</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.3 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p42733218">String</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row49054643"><td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.1 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p14003175">s3:x-amz-acl</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.2 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p60515391"><strong id="EN-US_TOPIC_0125560422__b5496340175617">x-amz-acl</strong> can contain the canned ACL.</p>
<p style="color:#000000;" id="EN-US_TOPIC_0125560422__p7767612">Valid values: private | public-read | public-read-write | authenticated-read | bucket-owner-read | bucket-owner-full-control | log-delivery-write</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row13860262115516"><td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.1 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p64419481115532">s3:x-amz-grant-permission</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.2 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p50595509115532">Not supported</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row2799652"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.1 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p25445245">s3:DeleteObjectVersion</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.2 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p47798963">s3:VersionId</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.3 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p46510765">String</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row24023584115536"><td class="cellrowborder" rowspan="4" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.1 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p1754097111565">s3:*</p>
<p style="color:#000000;" id="EN-US_TOPIC_0125560422__p2365101111565">(all S3 actions, or any individual S3 action)</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.2 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p5745940911560">s3:signatureversion</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.10.35.2.4.1.3 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p2370054711560">Not supported</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row26068960115540"><td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.1 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p3072095511560">s3:authType</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.2 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p536943711560">Not supported</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row30617701115544"><td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.1 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p2200603111560">s3:signatureAge</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.2 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p3765812411560">Not supported</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row6883371115548"><td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.1 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p524728311560">s3:x-amz-content-sha256</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.10.35.2.4.1.2 "><p style="color:#000000;" id="EN-US_TOPIC_0125560422__p2237677211560">Not supported</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section" id="EN-US_TOPIC_0125560422__section15616050"><h4 class="sectiontitle">Policy Permission Judgment Logic</h4><p id="EN-US_TOPIC_0125560422__p16371571">Each statement in a policy yields one of three results for a request. If the statement's conditions (or its <strong>Action</strong> or <strong>Resource</strong>) do not match the request, the statement does not apply and yields a default deny. If the statement does apply, it yields either an allow or an explicit deny, according to its <strong>Effect</strong>. When a bucket policy contains multiple statements, their results are combined according to the following rules:</p>
<p id="EN-US_TOPIC_0125560422__p13126415">1. A statement whose conditions are not met yields a default deny. The request is denied only if no other statement allows it.</p>
<p id="EN-US_TOPIC_0125560422__p51028871">2. An explicit deny overrides allows.</p>
<p id="EN-US_TOPIC_0125560422__p56606662">3. An allow overrides default denies.</p>
<p id="EN-US_TOPIC_0125560422__p39697916">4. Statements can be in any order in a policy; the order does not affect the result.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0125560422__table66734104" frame="border" border="1" rules="all"><caption><b>Table 6 </b>Statement results</caption><thead align="left"><tr id="EN-US_TOPIC_0125560422__row44885282"><th align="left" class="cellrowborder" valign="top" width="23.5%" id="mcps1.3.11.7.2.3.1.1"><p id="EN-US_TOPIC_0125560422__p11829216">Name</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="76.5%" id="mcps1.3.11.7.2.3.1.2"><p id="EN-US_TOPIC_0125560422__p18642443">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0125560422__row33642890"><td class="cellrowborder" valign="top" width="23.5%" headers="mcps1.3.11.7.2.3.1.1 "><p id="EN-US_TOPIC_0125560422__p40719558">explicit deny</p>
</td>
<td class="cellrowborder" valign="top" width="76.5%" headers="mcps1.3.11.7.2.3.1.2 "><p id="EN-US_TOPIC_0125560422__p1458616568388">A statement whose <strong>Effect</strong> is "Deny" applies to the request.</p>
<p id="EN-US_TOPIC_0125560422__p9949862">All requests for the resources to which the statement applies are denied, regardless of any allow in another statement.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row22439895"><td class="cellrowborder" valign="top" width="23.5%" headers="mcps1.3.11.7.2.3.1.1 "><p id="EN-US_TOPIC_0125560422__p5692201">allow</p>
</td>
<td class="cellrowborder" valign="top" width="76.5%" headers="mcps1.3.11.7.2.3.1.2 "><p id="EN-US_TOPIC_0125560422__p1519515073913">A statement whose <strong>Effect</strong> is "Allow" applies to the request.</p>
<p id="EN-US_TOPIC_0125560422__p58415123">All requests for the resources to which the statement applies are allowed, unless another statement explicitly denies them.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560422__row55974065"><td class="cellrowborder" valign="top" width="23.5%" headers="mcps1.3.11.7.2.3.1.1 "><p id="EN-US_TOPIC_0125560422__p37605427">default deny</p>
</td>
<td class="cellrowborder" valign="top" width="76.5%" headers="mcps1.3.11.7.2.3.1.2 "><p id="EN-US_TOPIC_0125560422__p26140770">The conditions defined in a statement are not met, so the statement does not apply. The request is denied unless another statement allows it.</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section" id="EN-US_TOPIC_0125560422__ole_link35"><h4 class="sectiontitle">URL Validation Settings</h4><p id="EN-US_TOPIC_0125560422__p64813138">OBS is billed according to the resources and traffic you use. To prevent your objects from being fetched or hotlinked by unauthorized websites at your expense, OBS supports URL validation based on the HTTP <strong>Referer</strong> header, configured as either a whitelist or a blacklist. Because the Referer header is set by the client and can be omitted or forged, this is a hotlink-protection measure, not a substitute for authenticated or signed requests.</p>
<ul id="EN-US_TOPIC_0125560422__ul46447333"><li id="EN-US_TOPIC_0125560422__li15372815">Whitelist settings<p id="EN-US_TOPIC_0125560422__p62782511142935"><a name="EN-US_TOPIC_0125560422__li15372815"></a><a name="li15372815"></a>A whitelist allows requests whose Referer names one of the listed websites and denies requests from any other website.</p>
<p id="EN-US_TOPIC_0125560422__p37429288143335">Requests typed directly into a browser's address bar carry no <strong id="EN-US_TOPIC_0125560422__b84235270616856">Referer</strong> header. To choose whether such blank-referer requests are allowed, add the value <strong id="EN-US_TOPIC_0125560422__b84235270616656">${null}</strong> to the <strong id="EN-US_TOPIC_0125560422__b84235270616720">"aws:Referer"</strong> list in <strong id="EN-US_TOPIC_0125560422__b84235270616716">Condition</strong>.</p>
<p id="EN-US_TOPIC_0125560422__p5627436792911">The following policy sets such a whitelist (statement 1 grants access to everyone; statement 2 explicitly denies every request whose Referer is neither the listed site nor blank):</p>
<pre class="screen" id="EN-US_TOPIC_0125560422__screen3670725792911">"Statement": [
  {
    "Sid": "1",
    "Effect": "Allow",
    "Principal": {"CanonicalUser": ["*"]},
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::bucket/*"]
  },
  {
    "Sid": "2",
    "Effect": "Deny",
    "Principal": {"CanonicalUser": ["*"]},
    "Action": ["s3:*"],
    "Resource": ["arn:aws:s3:::bucket/*"],
    "Condition": {
      "StringNotEquals": {
        "aws:Referer": ["www.example01.com", "${null}"]
      }
    }
  }
]</pre>
<p id="EN-US_TOPIC_0125560422__p6192986592911">With this whitelist, operations on objects in the bucket are allowed only when the <strong id="EN-US_TOPIC_0125560422__b14735440">Referer</strong> header is exactly <strong id="EN-US_TOPIC_0125560422__b65510096">www.example01.com</strong> or is blank; any other value is explicitly denied. <strong>StringNotEquals</strong> compares the whole header value, so the listed strings must match exactly what clients send.</p>
</li></ul>
<ul id="EN-US_TOPIC_0125560422__ul35976103"><li id="EN-US_TOPIC_0125560422__li55349471">Blacklist settings<p id="EN-US_TOPIC_0125560422__p28383193"><a name="EN-US_TOPIC_0125560422__li55349471"></a><a name="li55349471"></a>The following policy sets a blacklist: requests whose Referer is one of the listed websites are explicitly denied.</p>
<pre class="screen" id="EN-US_TOPIC_0125560422__screen54122151">"Statement": [
  {
    "Sid": "1",
    "Effect": "Deny",
    "Principal": {"CanonicalUser": ["*"]},
    "Action": ["s3:*"],
    "Resource": ["arn:aws:s3:::bucket/*"],
    "Condition": {
      "StringEquals": {
        "aws:Referer": ["www.example01.com", "www.example02.com"]
      }
    }
  }
]</pre>
<p id="EN-US_TOPIC_0125560422__p17337312">With this blacklist, operations on objects in the bucket are denied when the <strong id="EN-US_TOPIC_0125560422__b08161047115612">Referer</strong> header is <strong id="EN-US_TOPIC_0125560422__b19671331104418">www.example01.com</strong> or <strong id="EN-US_TOPIC_0125560422__b66717315445">www.example02.com</strong>. Because the policy contains no Allow statement, it grants nothing by itself: requests with any other Referer end in a default deny from this policy and must be permitted by another statement or by an ACL.</p>
</li></ul>
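<p>The rules on this page (the Condition block example above, the judgment logic of Table 6, and the Referer whitelist and blacklist in this section) can be exercised with a small evaluator. The following Python is an added example written for this page, not OBS or S3 code: it models only the rules stated here, implements a subset of the operators from the condition table, assumes that Action and Resource match with shell-style wildcards, ignores Principal (every example on this page uses "*"), and treats a request header that is absent as the page's ${null} value. The request contexts and the object name report.pdf are constructed for illustration.</p>

```python
"""Evaluator for the bucket-policy rules described on this page.  This is an
added example, not OBS or S3 code: the operator names, the AND/OR semantics of
a Condition block and the explicit-deny > allow > default-deny ordering come
from the page; the request-context dict, the fnmatch wildcarding of Action and
Resource, and the sample policies are assumptions made here for illustration."""
import fnmatch
import ipaddress
from datetime import datetime

ALLOW, EXPLICIT_DENY, DEFAULT_DENY = "allow", "explicit deny", "default deny"
NULL = "${null}"  # the page's marker for a blank or absent header such as Referer


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _date(text):  # ISO 8601 as the note above requires; a trailing "Z" means UTC
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


# Positive operators: one policy value against one request value, case-sensitive.
OPERATORS = {
    "StringEquals": lambda want, got: got == want,
    "NumericLessThan": lambda want, got: float(got) < float(want),
    "DateGreaterThan": lambda want, got: _date(got) > _date(want),
    "DateLessThan": lambda want, got: _date(got) < _date(want),
    "Bool": lambda want, got: str(got).lower() == str(want).lower(),
    "IpAddress": lambda want, got: ipaddress.ip_address(got) in ipaddress.ip_network(want, strict=False),
}
# A negated operator is the complement of the positive match over ALL listed
# values: "not in A or not in B" evaluated per value would wrongly match an
# address that is inside A but outside B.
NEGATED = {"StringNotEquals": "StringEquals", "NotIpAddress": "IpAddress"}


def conditions_met(condition, ctx):
    """AND across operators and keys; OR across the values listed for one key."""
    for op, keys in condition.items():
        match = OPERATORS[NEGATED.get(op, op)]
        for key, wanted in keys.items():
            got = ctx.get(key, NULL)  # an absent key compares as "${null}"
            try:
                hit = any(match(w, got) for w in _as_list(wanted))
            except ValueError:  # e.g. "${null}" where an IP or date is expected
                hit = False
            if hit == (op in NEGATED):  # positive op needs a hit, negated op needs none
                return False
    return True


def statement_result(stmt, ctx):
    """Table 6: one statement yields allow, explicit deny or default deny."""
    applies = (
        any(fnmatch.fnmatchcase(ctx["action"], a) for a in _as_list(stmt["Action"]))
        and any(fnmatch.fnmatchcase(ctx["resource"], r) for r in _as_list(stmt["Resource"]))
        and conditions_met(stmt.get("Condition", {}), ctx)
    )
    if not applies:
        return DEFAULT_DENY
    return ALLOW if stmt["Effect"] == "Allow" else EXPLICIT_DENY


def evaluate(policy, ctx):
    """Explicit deny beats allow, allow beats default deny; statement order is irrelevant."""
    results = {statement_result(s, ctx) for s in policy["Statement"]}
    if EXPLICIT_DENY in results:
        return EXPLICIT_DENY
    return ALLOW if ALLOW in results else DEFAULT_DENY


# The Referer whitelist shown on this page, as a Python structure.
WHITELIST_POLICY = {"Statement": [
    {"Sid": "1", "Effect": "Allow", "Principal": {"CanonicalUser": ["*"]},
     "Action": "s3:*", "Resource": ["arn:aws:s3:::bucket/*"]},
    {"Sid": "2", "Effect": "Deny", "Principal": {"CanonicalUser": ["*"]},
     "Action": ["s3:*"], "Resource": ["arn:aws:s3:::bucket/*"],
     "Condition": {"StringNotEquals": {"aws:Referer": ["www.example01.com", NULL]}}},
]}

# The page's time-window plus source-network Condition block.
WINDOW_CONDITION = {
    "DateGreaterThan": {"aws:CurrentTime": "2009-04-16T12:00:00Z"},
    "DateLessThan": {"aws:CurrentTime": "2009-04-16T15:00:00Z"},
    "IpAddress": {"aws:SourceIp": ["192.168.176.0/24", "192.168.143.0/24"]},
}


def request(headers=None):
    """Constructed request context: a GET on one object plus any condition keys."""
    ctx = {"action": "s3:GetObject", "resource": "arn:aws:s3:::bucket/report.pdf"}
    ctx.update(headers or {})
    return ctx


if __name__ == "__main__":
    print(conditions_met(WINDOW_CONDITION, {"aws:CurrentTime": "2009-04-16T13:00:00Z",
                                            "aws:SourceIp": "192.168.143.7"}))
    for referer in ("www.example01.com", None, "www.example02.com"):
        ctx = request({"aws:Referer": referer} if referer else {})
        print(referer, "->", evaluate(WHITELIST_POLICY, ctx))
```

<p>Running the block prints <strong>True</strong> for a request inside the time window from 192.168.143.7, then <strong>allow</strong> for the listed Referer, <strong>allow</strong> for a blank Referer, and <strong>explicit deny</strong> for www.example02.com. Reversing the order of the two whitelist statements gives the same answers, as rule 4 requires. Fed the blacklist policy from this page, the evaluator returns <strong>explicit deny</strong> for a listed Referer and <strong>default deny</strong> for everything else, which is why a deny-only policy needs a separate grant. The real service also consults ACLs and identity permissions; this evaluator models only the bucket-policy rules stated on this page.</p>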
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="en-us_topic_0125560354.html">Access Control</a></div>
</div>
</div>