Bucket Policy

Last updated: 2024-03-25 15:33:39
    You can use a bucket policy to grant permissions to operate on a bucket and the objects in it to CAM sub-accounts, other root accounts, and even anonymous users.

    Overview

    Note:
    A Tencent Cloud root account has the highest permission on its resources (including buckets). Although almost every operation can be restricted in the bucket policy, the root account always retains permission for the PUT Bucket Policy operation and can call it regardless of what the bucket policy says.
    A bucket policy is described in JSON language, and supports granting anonymous identities or any Tencent Cloud CAM account the permissions to access and perform operations on buckets and objects. In Tencent Cloud COS, the bucket policy can be used to manage almost all operations in the bucket. It is recommended that you use a bucket policy to manage access policies that cannot be described using ACLs.

    Application Scenarios

    Note:
    The permissions for the service-level operations of creating a bucket and querying a bucket list must be configured in the CAM console.
    If you want to specify which users can access a COS bucket, you are advised to configure a bucket policy. You can search for a bucket and check the bucket's policy to see who can access the bucket. A bucket policy is recommended in scenarios where you want to:
    Authorize a specific bucket.
    Need more flexibility than an ACL offers.
    Use cross-account authorization and anonymous user authorization, which are not supported by user policies.

    Bucket Policy Elements

    A bucket policy is described in JSON language and its syntax complies with the unified specifications of the access policy language. The access policy language contains the following basic elements: principal, effect, action, resource, and condition. For more information, see Access Policy Language Overview. The resource scope of a bucket policy is restricted to the bucket, and you can perform authorization on the entire bucket, specified directories, or specified objects.
    Note:
    When adding an access policy, be sure to grant the minimum permissions needed to satisfy your business needs. There may be data security risks if you grant other users the permission to access all of your resources (resource:*) or all operations (action:*).

    Console Configuration Examples

    Note:
    When configuring a bucket policy in the COS console, the user doing the configuration needs the appropriate permissions on the bucket, for example, the permissions to get bucket tags and list bucket permissions.
    The bucket policy size is limited to 20 KB.
    For example, if you want to grant a sub-account all permissions of a specified directory in a bucket, the corresponding configuration is as follows:
    Effect: Allow
    Principal: UIN of the sub-account, which must be a sub-account under the current root account, such as 100000000011
    Resource: Specified directory prefix, such as folder/sub-folder/*
    Action: All operations
    Condition: None
    In the COS console, you can add and manage bucket policies in two modes: Visual Editor and JSON.

    Visual Editor

    Click the target bucket and choose Permission Management > Permission Policy Settings > Visual Editor. On the Visual Editor tab page, click Add Policy. In the pop-up window, configure the policy in two steps:

    Step 1: select a template (optional)

    Depending on the combination of authorized users (grantees) and resource scope you choose, COS offers templates that help you configure a bucket policy quickly. If the templates provided by COS do not meet your requirements, you can skip this step and add or delete authorized operations in Step 2: configure the policy.

    Step 2: configure the policy

    Based on the combination of authorized users, specified directories, and templates you select in step 1, COS automatically adds operations, authorized users, and resources to the configuration policy for you. If you specify a user and a directory, you need to specify the user UIN and directory during policy configuration.
    Note:
    To authorize the permissions of a directory, you need to add /* to the resource path entered. For example, to authorize the test directory, you need to enter test/*.
    If the recommended templates provided by COS do not meet your requirements, you can add or delete authorized users, resources, and operations in this step.
    The configuration items are described as follows:
    Effect: select Allow or Deny, corresponding to allow or deny in the policy syntax.
    User: add or delete authorized users. Options include Everyone (*), Root account, Sub-account, and Cloud service.
    Resource: add the whole bucket or a specific directory resource.
    Operation: add or delete authorized operations as needed.
    Condition: you can specify conditions for permission authorization. For example, you can specify a user access IP.

    JSON

    If you are familiar with bucket policies, you can click the target bucket, choose Permission Management > Permission Policy Settings > JSON, and write the bucket policy in JSON language.
    After writing the bucket policy, you can add it via API or SDK.

    JSON policy example

    In the following policy, root account 100000000001 (APPID: 1250000000) grants sub-account 100000000011 all operation permissions on the objects in the folder/sub-folder directory of the examplebucket-bj bucket in the Beijing region.
    {
        "Statement": [
            {
                "Principal": {
                    "qcs": [
                        "qcs::cam::uin/100000000001:uin/100000000011"
                    ]
                },
                "Effect": "Allow",
                "Action": [
                    "name/cos:*"
                ],
                "Resource": [
                    "qcs::cos:ap-beijing:uid/1250000000:examplebucket-bj-1250000000/folder/sub-folder/*"
                ]
            }
        ],
        "version": "2.0"
    }
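    As an added example (not code from the Tencent Cloud documentation), the following Python builds the directory policy described in the console table above and lints a policy for the points this page raises: the "2.0" version, the 20 KB size limit, the qcs principal and resource formats, and an anonymous principal allowed every action or the whole bucket. The check that the APPID in uid/ matches the bucket-name suffix is an assumption drawn from the resource format shown on this page.

```python
import json
import re

MAX_POLICY_BYTES = 20 * 1024  # size limit stated on this page
PRINCIPAL_RE = re.compile(r"^qcs::cam::(uin/\d+:uin/\d+|anyone:anyone)$")
RESOURCE_RE = re.compile(r"^qcs::cos:([a-z0-9-]+):uid/(\d+):([a-z0-9-]+)-(\d+)(/.*)?$")

def build_directory_policy(root_uin, sub_uin, appid, region, bucket, directory):
    """Policy giving one sub-account every COS operation on one directory prefix."""
    prefix = directory.strip("/")
    prefix = f"{prefix}/*" if prefix else "*"  # a directory resource must end in /*
    return {
        "Statement": [{
            "Principal": {"qcs": [f"qcs::cam::uin/{root_uin}:uin/{sub_uin}"]},
            "Effect": "Allow",
            "Action": ["name/cos:*"],
            "Resource": [f"qcs::cos:{region}:uid/{appid}:{bucket}-{appid}/{prefix}"],
        }],
        "version": "2.0",
    }

def lint_policy(policy):
    """Return review findings; an empty list means every check passed."""
    findings = []
    if policy.get("version") != "2.0":
        findings.append('version must be "2.0"')
    size = len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))
    if size > MAX_POLICY_BYTES:
        findings.append(f"policy is {size} bytes, over the 20 KB limit")
    for i, st in enumerate(policy.get("Statement", [])):
        principals = st.get("Principal", {}).get("qcs", [])
        findings += [f"statement {i}: malformed principal {p}"
                     for p in principals if not PRINCIPAL_RE.match(p)]
        all_actions = any(a in ("*", "name/cos:*") for a in st.get("Action", []))
        whole_bucket = False
        for r in st.get("Resource", []):
            m = RESOURCE_RE.match(r)
            if not m:
                findings.append(f"statement {i}: malformed resource {r}")
                continue
            if m.group(2) != m.group(4):  # assumption: uid/APPID must equal the bucket suffix
                findings.append(f"statement {i}: uid/{m.group(2)} does not match bucket suffix -{m.group(4)}")
            whole_bucket |= (m.group(5) or "/*") in ("/", "/*")  # no path or /* covers the entire bucket
        anonymous = any(p.endswith("anyone:anyone") for p in principals)
        if str(st.get("Effect", "")).lower() == "allow" and anonymous and (all_actions or whole_bucket):
            findings.append(f"statement {i}: anonymous principal allowed every action or the whole bucket")
    return findings
```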

    Operation Methods

    COS allows you to add bucket policies by using the COS console, APIs, or SDKs. The COS console provides the Visual Editor configuration mode and common authorization templates to help users who are unfamiliar with the policy language add policies quickly.
    Console: Web page, intuitive and easy to use
    API: RESTful API, sending requests directly to COS
    SDK: Rich SDK demos, supporting various programming languages
    

    More Bucket Policy Examples

    Note:
    When adding an access policy, be sure to grant the minimum permissions needed to satisfy your business needs. There may be data security risks if you grant other users the permission to access all of your resources (resource:*) or all operations (action:*).
    The following are examples of bucket policies that restrict access by subnet, principal, and VPC ID.

    Example 1

    Limit the IP range in the subnet to 10.1.1.0/24 and the VPC ID to aqp5jrc1:
    {
        "Statement": [
            {
                "Action": [
                    "name/cos:*"
                ],
                "Condition": {
                    "ip_equal": {
                        "qcs:ip": [
                            "10.1.1.0/24"
                        ]
                    },
                    "string_equal": {
                        "vpc:requester_vpc": [
                            "vpc-aqp5jrc1"
                        ]
                    }
                },
                "Effect": "deny",
                "Principal": {
                    "qcs": [
                        "qcs::cam::anyone:anyone"
                    ]
                },
                "Resource": [
                    "qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"
                ]
            }
        ],
        "version": "2.0"
    }

    Example 2

    Limit the VPC ID to aqp5jrc1 and specify the principal and bucket:
    {
        "Statement": [
            {
                "Action": [
                    "name/cos:*"
                ],
                "Condition": {
                    "string_equal": {
                        "vpc:requester_vpc": [
                            "vpc-aqp5jrc1"
                        ]
                    }
                },
                "Effect": "allow",
                "Principal": {
                    "qcs": [
                        "qcs::cam::uin/100000000001:uin/100000000002"
                    ]
                },
                "Resource": [
                    "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/*"
                ]
            }
        ],
        "version": "2.0"
    }
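    Added example, not part of the Tencent Cloud documentation: a small Python evaluator that applies the ip_equal and string_equal conditions of Example 1 and Example 2 to a constructed request, so you can check who a policy admits before attaching it to a bucket. It assumes that a matching deny statement overrides a matching allow and that no match means deny; the combined policy merges the two examples onto one bucket purely for illustration.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed policy: Example 2's allow statement plus Example 1's subnet/VPC deny, on one bucket.
COMBINED_POLICY = {
    "Statement": [
        {"Effect": "allow", "Action": ["name/cos:*"],
         "Principal": {"qcs": ["qcs::cam::uin/100000000001:uin/100000000002"]},
         "Resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/*"],
         "Condition": {"string_equal": {"vpc:requester_vpc": ["vpc-aqp5jrc1"]}}},
        {"Effect": "deny", "Action": ["name/cos:*"],
         "Principal": {"qcs": ["qcs::cam::anyone:anyone"]},
         "Resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/*"],
         "Condition": {"ip_equal": {"qcs:ip": ["10.1.1.0/24"]},
                       "string_equal": {"vpc:requester_vpc": ["vpc-aqp5jrc1"]}}},
    ],
    "version": "2.0",
}

def conditions_hold(condition, ctx):
    """Every operator block must hold; only the two operators used on this page are modelled."""
    for operator, block in condition.items():
        for key, wanted in block.items():
            actual = ctx.get(key)  # e.g. ctx = {"qcs:ip": "10.1.1.5", "vpc:requester_vpc": "vpc-..."}
            if actual is None:
                return False
            if operator == "ip_equal":
                if not any(ipaddress.ip_address(actual) in ipaddress.ip_network(w, strict=False) for w in wanted):
                    return False
            elif operator == "string_equal":
                if actual not in wanted:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True

def evaluate(policy, principal, action, resource, ctx):
    """Assumed evaluation order: a matching deny wins, then a matching allow, otherwise deny."""
    decision = "deny"
    for st in policy["Statement"]:
        matched = (any(p in (principal, "qcs::cam::anyone:anyone") for p in st["Principal"]["qcs"])
                   and any(fnmatchcase(action, a) for a in st["Action"])
                   and any(fnmatchcase(resource, r) for r in st["Resource"])
                   and conditions_hold(st.get("Condition", {}), ctx))
        if matched and st["Effect"].lower() == "deny":
            return "deny"
        if matched:
            decision = "allow"
    return decision
```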
    