doc-exports/docs/obs/umn/obs_03_0049.html

<a name="obs_03_0049"></a><a name="obs_03_0049"></a>

<h1 class="topictitle1">Principal</h1>
<div id="body1557026128761"><p id="obs_03_0049__p28805261528">This parameter specifies users on whom the bucket policy takes effect, including accounts, federated users or federated user groups, and IAM users. Target users can be specified in either of the following ways:</p>
<ul id="obs_03_0049__ul108801826115212"><li id="obs_03_0049__li7880926165213"><strong id="obs_03_0049__b9396124819353">Include</strong>: Specifies the user on whom the bucket policy statement takes effect.</li><li id="obs_03_0049__li1488092635210"><strong id="obs_03_0049__b13188853163520">Exclude</strong>: Specifies that on all users except the specified user the bucket policy statement takes effect.</li></ul>
<div class="section" id="obs_03_0049__section1896613422547"><h4 class="sectiontitle">Cloud Service User</h4><ul id="obs_03_0049__ul10202322105519"><li id="obs_03_0049__li20202822135510">IAM users in the current account<p id="obs_03_0049__p1350312548559"><a name="obs_03_0049__li20202822135510"></a><a name="li20202822135510"></a>When the <strong id="obs_03_0049__b6309548104">Principal</strong> is set to <strong id="obs_03_0049__b1032554141017">Current account</strong>, you can select IAM users in the account, so that the bucket policy applies to the selected users.</p>
</li><li id="obs_03_0049__li697612394557">Other account<p id="obs_03_0049__p1584215477567"><a name="obs_03_0049__li697612394557"></a><a name="li697612394557"></a>When the <strong id="obs_03_0049__b12296181019114">Principal</strong> is set to <strong id="obs_03_0049__b629711061111">Other account</strong>, you can enter the ID of other accounts. If you want to apply the bucket policy to IAM users in that account, you need to enter the user IDs, and use commas (,) to separate one from another.</p>
<div class="note" id="obs_03_0049__note8951376579"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_03_0049__p145818142578">An authorized user can go to the <strong id="obs_03_0049__b5232132317110">My Credential</strong> page to obtain the domain ID and user ID after login.</p>
<p id="obs_03_0049__p118769434404">For <strong id="obs_03_0049__b5667118525">Account ID</strong>, input the <strong id="obs_03_0049__b048315353525">Domain ID</strong> that can be found on the <strong id="obs_03_0049__b5867174917527">My Credential</strong> page.</p>
</div></div>
</li><li id="obs_03_0049__li10921011195615">Anyone (anonymous users)<p id="obs_03_0049__p17789143015711"><a name="obs_03_0049__li10921011195615"></a><a name="li10921011195615"></a>To grant the bucket access permission to anyone, set the <strong id="obs_03_0049__b026918469112">Principal</strong> to <strong id="obs_03_0049__b327084641116">Other account</strong> and enter an asterisk (*) as the account ID.</p>
<div class="caution" id="obs_03_0049__note161581126115819"><span class="cautiontitle"><img src="public_sys-resources/caution_3.0-en-us.png"> </span><div class="cautionbody"><p id="obs_03_0049__p1413394815576">Exercise caution when granting the bucket access permissions to anonymous users. If you grant the bucket access permission to anonymous users, anyone can access your bucket, and the traffic and storage fees generated will be borne by the bucket owner (cloud service account). You are advised to set restrictions on access requests. For example, you can allow the access request from only one IP address.</p>
</div></div>
</li></ul>
</div>
<div class="section" id="obs_03_0049__section1726117455582"><h4 class="sectiontitle">Federated User</h4><p id="obs_03_0049__p485320425912">The <strong id="obs_03_0049__b930281355617">Principal</strong> of a bucket policy can also be a federated user or a federated user group.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_03_0074.html">Bucket Policy Parameters</a></div>
</div>
</div>