On the Visual Editor tab page, click Add Policy. In the pop-up window, configure the policy in the following steps:
(1) Select a template
COS provides you with different templates depending on the combination of authorized users (grantees) and resource scope you choose to help you quickly configure bucket policies.
Grantee
All users (allow anonymous access): Select this option if you want to grant operation permissions to anonymous users. If you select this option, all users (*) will be automatically selected for you during policy configuration in step 2. Because it is risky to grant anonymous users permissions such as listing the objects in a bucket (ListBucket) or configuring the bucket, COS does not provide corresponding templates when this option is selected. You can still add such policies during policy configuration in step 2 if necessary.
Specified user: Select this option if you want to grant operation permissions to specified sub-accounts, root accounts, or cloud services. During policy configuration in step 2, you need to further specify the specific account UINs.
Note:
If Grantee is set to Specified user, an object request must carry a signature for identity verification. For more information on signatures, see Request Signature. If Grantee is set to All users (allow anonymous access), an object request does not need to carry a signature, and anyone can access the object directly by its URL. Your data may therefore be leaked, so proceed with caution.
Resource Scope
The whole bucket: Select this option if you want to configure bucket configuration permissions or set the resource scope to the entire bucket. The entire bucket is then automatically added as the resource during policy configuration in step 2.
Specified directory: Select this option if you want to restrict the resource scope to a specified folder. During policy configuration in step 2, you need to further specify the specific directory. When this option is selected, COS does not provide policy templates related to bucket configuration, because for such permissions, the entire bucket must be specified as the resource.
Template: Collection of operations that you want to authorize.
Custom (no preset configuration): If you do not need to use a template, select this option and add policies as needed during policy configuration in step 2.
Other templates: COS provides you with different recommended templates depending on the combination of authorized users and resource scope you choose. After you select a template, COS automatically adds the corresponding operation permissions for you during policy configuration in step 2.
Note: If the authorized operations provided by the template do not meet your requirements, you can add or delete authorized operations during policy configuration in step 2.
Templates are described in the following table.
| Grantee | Resource Scope | Template | Description |
| --- | --- | --- | --- |
| All combinations | All combinations | Custom | For any combination of authorized users and resource scopes, this template does not provide any preset policies. You can add policies during policy configuration in step 2. |
| All users (allow anonymous access) | The whole bucket | Read-Only objects (listing objects is not included) | For anonymous users, COS provides recommended templates for reading files (such as downloading files) and writing files (such as uploading and modifying files). These templates do not allow listing the objects in your bucket, and sensitive permissions, such as reading and writing ACLs and bucket configuration permissions, are not granted, in order to improve data security. You can add or delete operation permissions during policy configuration in step 2 as needed. |
| | | Read/Write objects (listing objects is not included) | |
| | Specified directory | Read-Only objects (listing objects is not included) | |
| | | Read/Write objects (listing objects is not included) | |
| Specified user | The whole bucket | Read-Only objects (listing objects is not included) | COS provides the most templates for the combination of **Specified user** and **The whole bucket**. In addition to reading, writing, and listing files, COS provides the following sensitive permission templates for trusted users: Read/Write buckets and object ACLs: get and modify bucket and object ACLs; options include GetObjectACL, PutObjectACL, GetBucketACL, and PutBucketACL. General bucket configuration items: non-sensitive permissions such as bucket tagging, CORS, and origin-pull. Bucket sensitive configuration item: sensitive permissions such as bucket policies, bucket ACLs, and bucket deletion. Sensitive permissions should be used with caution. |
| | | Read-Only objects (listing objects is included) | |
| | | Read/Write objects (listing objects is not included) | |
| | | Read/Write objects (listing objects is included) | |
| | | Read/Write buckets and object ACLs | |
| | | General bucket configuration items | |
| | | Bucket sensitive configuration item | |
| | Specified directory | Read-Only objects (listing objects is not included) | For the combination of **Specified user** and **Specified directory**, COS provides recommended templates for reading files (such as downloading files) and writing files (such as uploading and modifying files), as well as for listing objects. If you need to grant read, write, and list permissions on a specified folder to a specified user, this combination is recommended. You can add or delete operation permissions during policy configuration in step 2 as needed. |
| | | Read-Only objects (listing objects is included) | |
| | | Read/Write objects (listing objects is not included) | |
| | | Read/Write objects (listing objects is included) | |
(2) Configure the policy
Based on the combination of authorized users, specified directories, and templates you select in step 1, COS automatically adds operations, authorized users, and resources to the configuration policy for you. If you specify a user and a directory, you need to specify the user UIN and directory during policy configuration.
If the recommended templates provided by COS do not meet your requirements, you can add or delete authorized users, resources, and operations in this step. The configuration items are described as follows:
Effect: Select Allow or Deny, corresponding to allow or deny in the policy syntax.
User: Add or delete authorized users. Options include Everyone (*), Root account, Sub-account, and Cloud service.
Resource: Add the whole bucket or a specific directory resource.
Operation: Add or delete authorized operations as needed.
Condition: You can specify conditions for permission authorization. For example, you can specify a user access IP.
(3) Confirm the configuration information
After confirming that the configuration information is correct, click Finish. From then on, a sub-account that logs in to the COS console can access only the resources allowed by the policy.
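As an added example (not code from this page or from Tencent Cloud), the following Python audit applies the rule the page describes to a finished policy document: an Allow statement for anonymous users should not carry listing, ACL, or bucket-configuration operations. The `name/cos:<Operation>` action prefix and the anonymous principal string are assumptions about COS policy syntax, and the sample policy is constructed with placeholder region, uid, and bucket values.

```python
import json

# Added example, not Tencent Cloud's code. It audits a COS bucket policy for
# the grants this page warns about: anonymous grantees allowed to list the
# bucket or to read/write ACLs and bucket configuration. Assumed: actions use
# the "name/cos:<Operation>" prefix and anonymous users appear as the
# principal "qcs::cam::anyone:anyone".

ANONYMOUS = "qcs::cam::anyone:anyone"
# Operations the page says COS deliberately keeps out of anonymous templates.
ANON_SENSITIVE = {
    "ListBucket",
    "GetObjectACL", "PutObjectACL", "GetBucketACL", "PutBucketACL",
    "PutBucketPolicy", "DeleteBucket",
}

def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """One finding per Allow statement granting anonymous users a sensitive operation."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if str(stmt.get("Effect", "")).lower() != "allow":
            continue  # Deny statements only restrict; nothing to flag
        if ANONYMOUS not in _as_list(stmt.get("Principal", {}).get("qcs", [])):
            continue
        # Strip the "name/cos:" prefix so bare operation names are compared.
        ops = {a.split(":", 1)[-1] for a in _as_list(stmt.get("Action", []))}
        if "*" in ops:
            findings.append(f"statement {idx}: anonymous users granted every operation")
            continue
        for op in sorted(ops & ANON_SENSITIVE):
            findings.append(f"statement {idx}: anonymous users granted {op}")
    return findings

# Constructed sample: the anonymous whole-bucket read-only template with
# ListBucket added by hand in step 2 (region, uid and bucket are placeholders).
SAMPLE_POLICY = json.loads("""{
  "version": "2.0",
  "Statement": [{
    "Principal": {"qcs": ["qcs::cam::anyone:anyone"]},
    "Effect": "allow",
    "Action": ["name/cos:GetObject", "name/cos:HeadObject", "name/cos:ListBucket"],
    "Resource": ["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"]
  }]
}""")
```

Running `audit_policy(SAMPLE_POLICY)` reports the hand-added ListBucket grant, while the template's own GetObject and HeadObject operations pass.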