Bucket Policy

Last updated: 2020-04-03 03:05:49


When you are the owner of a Bucket, you can set the access control policies for KS3 resources (Buckets and Objects).

Requests to access a Bucket and its Objects are controlled by the Bucket policy, which either allows or denies them. Whether a request is accepted or rejected depends on what you describe in the Bucket policy.

Permission judgment logic

When a policy is evaluated, each Statement produces one of three results: explicit deny, allow, or default deny. For a Policy containing multiple Statements, the Bucket Policy evaluates every Statement for Explicit Deny, Allow and Default Deny, and the final result follows the rule explicit deny > allow > default deny:

  • If a Statement yields neither an explicit Deny nor an Allow, its result is Default Deny
  • Explicit Deny overrides Allow
  • Allow overrides Default Deny
  • The order of Statements has no effect
  • If the combined result of all Statements is Default Deny, whether the resource can be accessed depends on whether the resource's ACL is public.

To set a Bucket policy:

1. Open "Bucket Settings" -> "Bucket Policy" and click Add Policy


2. Set the Bucket Policy


Where:

  • Effect: the effect of the operation, i.e., allow or deny. "Allow" grants permission and "Deny" prohibits the operation.
  • Actions: the operation keywords. For the operations that can be allowed or denied, see "Correspondence between operation keywords and operations" below.
  • Principal: the principal the permission is assigned to. The principal can be another master account or a sub-user under the current account; sub-users under other accounts are currently not supported. A master account is represented by its account ID, which any account can view by clicking "View Account ID" in its own console. A sub-user is represented as "account ID/sub-user username".
  • Resource: the resources (Buckets and Objects). If no specific resource is targeted, it is recommended to fill in the complete set of resources (bucketname and bucketname/*), as shown in the example above.
  • Condition: the conditions under which this policy takes effect. Currently the requester's IP address (ksc:SourceIp), a request header (ksc:RequestHeader) and the subnet ID of the VPC the requester is in (ksc:SubnetID) can be used as conditions.

3. Click [Policy Language] to view the contents of the Bucket Policy

Correspondence between operation keywords and operations

Permission keyword               Corresponding KS3 operation                                 Operation level
ks3:ListBucket                   List the files in a Bucket and query Bucket information     Bucket level
ks3:DeleteBucket                 Delete the current Bucket                                   Bucket level
ks3:GetBucketAcl                 Get the Bucket's ACL information                            Bucket level
ks3:PutBucketAcl                 Set the Bucket's ACL information                            Bucket level
ks3:GetBucketCORS                Get the Bucket's CORS configuration                         Bucket level
ks3:PutBucketCORS                Set the Bucket's CORS configuration                         Bucket level
ks3:ListBucketMultipartUploads   List the multipart uploads in progress in the Bucket        Bucket level
ks3:PutObject                    Upload files, including POST, PUT and multipart upload      Object level
ks3:DeleteObject                 Delete files                                                Object level
ks3:GetObject                    GET Object and HEAD Object                                  Object level
ks3:GetObjectAcl                 Get a file's ACL information                                Object level
ks3:PutObjectAcl                 Set a file's ACL                                            Object level
ks3:ListMultipartUploadParts     List the uploaded parts of a multipart upload               Object level
ks3:AbortMultipartUpload         Cancel a multipart upload                                   Object level
ks3:PostObjectRestore            Restore archived storage objects                            Object level

Note: Operations at different levels require resources of the matching level. For example, to authorize the ks3:ListBucket operation, the corresponding resource must be a Bucket, e.g. krn:ksc:ks3:::bucket01, which denotes the Bucket named bucket01. To authorize the ks3:PutObject operation, you must specify a file resource, e.g. krn:ksc:ks3:::bucket01/*, which denotes all files in bucket01. To grant permissions at both the Bucket and the Object level, authorize both corresponding resources.

Detailed explanation of Condition

IP address (ksc:SourceIp) supports the following conditional operators:

IpAddress
  Value range: a strict IP address or a CIDR block; IPv4 only.
  Description: the policy takes effect if the client's source IP address is one of the specified addresses or lies within one of the specified ranges.

NotIpAddress
  Value range: a strict IP address or a CIDR block; IPv4 only.
  Description: the policy takes effect if the client's source IP address is outside all of the specified addresses and ranges.

The request header (ksc:RequestHeader) supports the following conditional operators:

StringEquals
  Value range: a key-value string, e.g. "x-kss-cdn:kingsoftcdn".
  Description: the policy takes effect if the request carries the specified header and its value matches exactly (case sensitive).

StringNotEquals
  Value range: a key-value string, e.g. "x-kss-cdn:kingsoftcdn".
  Description: the policy takes effect if the request carries the specified header and its value does not match (case sensitive).

StringEqualsIgnoreCase
  Value range: a key-value string, e.g. "x-kss-cdn:kingsoftcdn".
  Description: the policy takes effect if the request carries the specified header and its value matches exactly (case insensitive).

StringNotEqualsIgnoreCase
  Value range: a key-value string, e.g. "x-kss-cdn:kingsoftcdn".
  Description: the policy takes effect if the request carries the specified header and its value does not match (case insensitive).

StringLike
  Value range: a key-value string that may contain the multi-character wildcard (*) or the single-character wildcard (?), e.g. "x-kss-cdn:*".
  Description: the policy takes effect if the request carries the specified header and its value matches the pattern (case sensitive).

StringNotLike
  Value range: a key-value string that may contain the multi-character wildcard (*) or the single-character wildcard (?), e.g. "x-kss-cdn:*".
  Description: the policy takes effect if the request carries the specified header and its value does not match the pattern (case insensitive).

VPC subnet ID (ksc:SubnetID) supports the following conditional operators:

StringEquals
  Value range: a strict AccountID and SubnetID format.
  Description: the policy takes effect if the client's request comes from the VPC subnet identified by the specified SubnetID.

StringNotEquals
  Value range: a strict AccountID and SubnetID format.
  Description: the policy takes effect if the client's request does not come from the VPC subnet identified by the specified SubnetID.
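To make the permission judgment rules (explicit deny > allow > default deny, then the ACL fallback) and the three condition types concrete, here is an added Python evaluator; it is example code written for this page, not KS3's own implementation. The policy and request dictionary shapes, the "Statement" key, the lowercase-keyed headers dict and the subnet_id field are assumptions; only the field names, operators and the krn:ksc:ks3::: resource form come from the page.

```python
import fnmatch
import ipaddress

# Constructed sample policy with the page's fields; the JSON layout and "Statement" key are assumptions.
POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": ["2000000001"], "Action": ["ks3:GetObject", "ks3:ListBucket"],
     "Resource": ["krn:ksc:ks3:::bucket01", "krn:ksc:ks3:::bucket01/*"],
     "Condition": {"IpAddress": {"ksc:SourceIp": ["10.0.0.0/8"]}}},
    {"Effect": "Deny", "Principal": ["*"], "Action": ["ks3:*"], "Resource": ["krn:ksc:ks3:::bucket01/private/*"],
     "Condition": {"StringNotEquals": {"ksc:RequestHeader": ["x-kss-cdn:kingsoftcdn"]}}}]}

def _header_ok(op, patterns, headers):
    # Page rule: the request must carry the header, then its value is compared.
    present = hit = False
    for pat in patterns:
        name, _, want = pat.partition(":")
        got = headers.get(name.lower())  # assumption: headers dict keyed by lowercase name
        if got is None:
            continue
        present = True
        if "IgnoreCase" in op:
            got, want = got.lower(), want.lower()
        hit |= fnmatch.fnmatchcase(got, want) if "Like" in op else got == want
    return present and hit != ("Not" in op)

def _condition_ok(op, key, want, req):
    if key == "ksc:SourceIp":  # IpAddress / NotIpAddress, single IPv4 address or CIDR
        ip = ipaddress.ip_address(req["source_ip"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in want) == (op == "IpAddress")
    if key == "ksc:RequestHeader":
        return _header_ok(op, want, req["headers"])
    if key == "ksc:SubnetID":  # StringEquals / StringNotEquals
        return (req.get("subnet_id") in want) == (op == "StringEquals")
    return False  # an unknown condition key is never satisfied

def _applies(st, req):
    glob = lambda value, pats: any(fnmatch.fnmatchcase(value, p) for p in pats)
    return ("*" in st["Principal"] or req["principal"] in st["Principal"]) \
        and glob(req["action"], st["Action"]) and glob(req["resource"], st["Resource"]) \
        and all(_condition_ok(op, k, v, req)
                for op, kv in st.get("Condition", {}).items() for k, v in kv.items())

def evaluate(policy, req):
    """Page rule: explicit deny > allow > default deny; statement order is irrelevant."""
    effects = {st["Effect"] for st in policy["Statement"] if _applies(st, req)}
    return "explicit_deny" if "Deny" in effects else "allow" if "Allow" in effects else "default_deny"

def is_allowed(policy, req, acl_public):
    verdict = evaluate(policy, req)  # a default deny falls through to the resource ACL
    return verdict == "allow" or (verdict == "default_deny" and acl_public)
```

Note that a StringNotEquals header condition is not satisfied when the header is absent, so the Deny statement above only fires for requests that present a wrong x-kss-cdn value.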
