The element names `version`, `principal`, `statement`, `effect`, `action`, `resource`, and `condition` must all begin with a letter in the same letter case.

The following policy specifies that the `cos:PutObject` authorization operation can be completed only in the 10.217.182.3/24 or 111.21.33.72/24 IP range. In the condition:

- `qcs:ip` indicates that the condition type is IP.
- `ip_equal` indicates that the condition determination method is to determine whether IP addresses match.
- `["10.217.182.3/24","111.21.33.72/24"]` is an array listing the specified values for condition determination. If the user's IP is in any of the specified IP ranges in the array, the condition is determined as true.

```json
{
  "version": "2.0",
  "statement": [
    {
      "principal": {"qcs": ["qcs::cam::uin/1250000000:uin/1250000001"]},
      "effect": "allow",
      "action": ["name/cos:PutObject"],
      "resource": ["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"],
      "condition": {"ip_equal": {"qcs:ip": ["10.217.182.3/24", "111.21.33.72/24"]}}
    }
  ]
}
```
The `tls-version` condition key is supported only in the Beijing region. It will be supported in other regions later.

`qcs:ip`, `qcs:vpc`, and `cos:secure-transport` indicate the source IP range of the request, the source VPC ID of the request, and whether the request uses HTTPS, respectively.

| Condition Key | Applicable Request | Meaning | Type |
|---|---|---|---|
| `cos:secure-transport` | All requests | Whether the request uses HTTPS | Boolean |
| `qcs:ip` | All requests | Source IP range of the request | IP |
| `qcs:vpc` | All requests | Source VPC ID of the request | String |
| `tls-version` | All HTTPS requests | TLS version used by HTTPS requests | Numeric |
Condition keys obtained from request headers (`Header`) and request parameters (`Param`) are applicable only to requests that contain such request headers or request parameters. For example, `cos:content-type` is applicable to upload requests (such as `PutObject`) that need to use the request header `Content-Type`, while the condition key `cos:response-content-type` is applicable only to `GetObject` requests, because only `GetObject` requests support the request parameter `response-content-type`.

| Condition Key | Applicable Request | Check Request Header or Request Parameter | Type |
|---|---|---|---|
| `cos:x-cos-storage-class` | PutObject, PostObject, InitiateMultipartUpload, AppendObject | Request header: `x-cos-storage-class` | String |
| `cos:versionid` | GetObject, DeleteObject, PostObjectRestore, PutObjectTagging, GetObjectTagging, DeleteObjectTagging, HeadObject | Request parameter: `versionid` | String |
| `cos:prefix` | GetBucket (List Objects), GET Bucket Object versions, List Multipart Uploads, ListLiveChannels | Request parameter: `prefix` | String |
| `cos:x-cos-acl` | PutObject, PostObject, PutObjectACL, PutBucket, PutBucketACL, AppendObject, Initiate Multipart Upload | Request header: `x-cos-acl` | String |
| `cos:content-length` | Wide applicable scope, typically requests with request bodies | Request header: `Content-Length` | Numeric |
| `cos:content-type` | Wide applicable scope, typically requests with request bodies | Request header: `Content-Type` | String |
| `cos:response-content-type` | GetObject | Request parameter: `response-content-type` | String |
| `cos:x-cos-tagging` | PutBucket, PutBucketTagging | Request header: `x-cos-tagging`; request parameter: `tagging` | String |
| Condition Operator | Description | Type |
|---|---|---|
| `string_equal` | String equal to (case-sensitive) | String |
| `string_not_equal` | String not equal to (case-sensitive) | String |
| `string_like` | String similar to (case-sensitive). Currently, the wildcard `*` can be prefixed or suffixed to the string, for example `image/*`. | String |
| `ip_equal` | IP equal to | IP |
| `ip_not_equal` | IP not equal to | IP |
| `numeric_equal` | Number equal to | Numeric |
| `numeric_not_equal` | Number not equal to | Numeric |
| `numeric_greater_than` | Number greater than | Numeric |
| `numeric_greater_than_equal` | Number greater than or equal to | Numeric |
| `numeric_less_than` | Number less than | Numeric |
| `numeric_less_than_equal` | Number less than or equal to | Numeric |
You can append `_if_exist` to the end of any of the preceding condition operators to form new condition operators, such as `string_equal_if_exist`. The differences between condition operators with and without `_if_exist` are as follows:

- For condition operators without `_if_exist`, such as `string_equal`, the condition is considered not met (`False`) by default if the request does not contain the specified request header or parameter.
- For condition operators with `_if_exist`, such as `string_equal_if_exist`, the condition is considered met (`True`) by default if the request does not contain the specified request header or parameter.

In the following policy, `Effect` is `allow`, allowing `GetObject` requests where the request parameter `versionid` is `MTg0NDUxNTc1NjIzMTQ1MDAwODg`. Under this `allow` authorization policy, if the condition is met (`True`), the request will be allowed; if the condition is not met (`False`), the request will not be allowed and will fail.

```json
{
  "version": "2.0",
  "statement": [
    {
      "principal": {"qcs": ["qcs::cam::uin/1250000000:uin/1250000001"]},
      "effect": "allow",
      "action": ["name/cos:GetObject"],
      "condition": {"string_equal": {"cos:versionid": "MTg0NDUxNTc1NjIzMTQ1MDAwODg"}},
      "resource": ["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"]
    }
  ]
}
```

The following table compares `string_equal` and `string_equal_if_exist` for this policy.

| Condition Operator | Request | Condition Met | Request Allowed |
|---|---|---|---|
| `string_equal` | Without `versionid` | FALSE | No |
| `string_equal_if_exist` | Without `versionid` | TRUE | Yes |
| `string_equal` | With `versionid` equal to the specified value | TRUE | Yes |
| `string_equal_if_exist` | With `versionid` equal to the specified value | TRUE | Yes |
| `string_equal` | With `versionid` not equal to the specified value | FALSE | No |
| `string_equal_if_exist` | With `versionid` not equal to the specified value | FALSE | No |
In the following policy, `Effect` is `deny`, disallowing `GetObject` requests where the request parameter `versionid` is `MTg0NDUxNTc1NjIzMTQ1MDAwODg`. Under this `deny` authorization policy, if the condition is met (`True`), the request will fail; if the condition is not met (`False`), the request will not be denied.

```json
{
  "version": "2.0",
  "statement": [
    {
      "principal": {"qcs": ["qcs::cam::uin/1250000000:uin/1250000001"]},
      "effect": "deny",
      "action": ["name/cos:GetObject"],
      "condition": {"string_equal": {"cos:versionid": "MTg0NDUxNTc1NjIzMTQ1MDAwODg"}},
      "resource": ["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"]
    }
  ]
}
```

The following table compares `string_equal` and `string_equal_if_exist` for this policy.

| Condition Operator | Request | Condition Met | Request Denied |
|---|---|---|---|
| `string_equal` | Without `versionid` | FALSE | No |
| `string_equal_if_exist` | Without `versionid` | TRUE | Yes |
| `string_equal` | With `versionid` equal to the specified value | TRUE | Yes |
| `string_equal_if_exist` | With `versionid` equal to the specified value | TRUE | Yes |
| `string_equal` | With `versionid` not equal to the specified value | FALSE | No |
| `string_equal_if_exist` | With `versionid` not equal to the specified value | FALSE | No |
When the `cos:response-content-type` condition key is used in a bucket policy, the condition value `image/jpeg` must be URL-encoded into `image%2Fjpeg` before it is entered into the bucket policy.

Requests other than `GetObject` do not support the request parameter `response-content-type`. In the following policy:

- The `deny` statement uses `string_not_equal_if_exist`, so its condition is `True` by default when the request does not carry the parameter. Therefore, when you initiate requests such as `PutObject` and `PutBucket`, the `deny` statement will be met and the requests will be denied.
- The `allow` statement uses `string_equal`, so its condition is `False` by default when the request does not carry the parameter. Therefore, when you initiate requests such as `PutObject` and `PutBucket`, the `allow` statement will not be met and the requests will not be allowed.

```json
{
  "version": "2.0",
  "statement": [
    {
      "principal": {"qcs": ["qcs::cam::uin/1250000000:uin/1250000001"]},
      "effect": "allow",
      "action": ["*"],
      "resource": ["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"],
      "condition": {"string_equal": {"cos:response-content-type": "image%2Fjpeg"}}
    },
    {
      "principal": {"qcs": ["qcs::cam::uin/1250000000:uin/1250000001"]},
      "effect": "deny",
      "action": ["*"],
      "resource": ["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"],
      "condition": {"string_not_equal_if_exist": {"cos:response-content-type": "image%2Fjpeg"}}
    }
  ]
}
```
The following policy applies the restriction only to requests that carry the `response-content-type` request parameter. In it:

- The `deny` statement uses `string_not_equal`, so its condition is `False` by default when the request does not carry the parameter. Therefore, when you initiate requests such as `PutObject` and `PutBucket`, the `deny` statement will not be met and the requests will not be denied.
- The `allow` statement uses `string_equal_if_exist`, so its condition is `True` by default when the request does not carry the parameter. Therefore, when you initiate requests such as `PutObject` and `PutBucket`, the `allow` statement will be met and the requests will be allowed.

This policy takes effect only when a `GetObject` request carries the `response-content-type` request parameter. A `GetObject` request without the `response-content-type` request parameter will be allowed by default, like other requests. Only when the `GetObject` request carries the `response-content-type` request parameter can your specified condition check whether the content of the request parameter matches what you expect, which is how conditional authorization is implemented here.

```json
{
  "version": "2.0",
  "statement": [
    {
      "principal": {"qcs": ["qcs::cam::uin/1250000000:uin/1250000001"]},
      "effect": "allow",
      "action": ["*"],
      "resource": ["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"],
      "condition": {"string_equal_if_exist": {"cos:response-content-type": "image%2Fjpeg"}}
    },
    {
      "principal": {"qcs": ["qcs::cam::uin/1250000000:uin/1250000001"]},
      "effect": "deny",
      "action": ["*"],
      "resource": ["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"],
      "condition": {"string_not_equal": {"cos:response-content-type": "image%2Fjpeg"}}
    }
  ]
}
```
The following policy applies only to `GetObject` requests, without using the `*` wildcard for the action. Under it, `GetObject` requests are allowed only when they carry the `response-content-type` request parameter with the value `image%2Fjpeg`.

```json
{
  "version": "2.0",
  "statement": [
    {
      "principal": {"qcs": ["qcs::cam::uin/1250000000:uin/1250000001"]},
      "effect": "allow",
      "action": ["name/cos:GetObject"],
      "resource": ["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"],
      "condition": {"string_equal": {"cos:response-content-type": "image%2Fjpeg"}}
    },
    {
      "principal": {"qcs": ["qcs::cam::uin/1250000000:uin/1250000001"]},
      "effect": "deny",
      "action": ["name/cos:GetObject"],
      "resource": ["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"],
      "condition": {"string_not_equal_if_exist": {"cos:response-content-type": "image%2Fjpeg"}}
    }
  ]
}
```
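The following Python is an added example, not part of the COS documentation or Tencent Cloud's own code: it models the condition semantics described on this page (plain vs `_if_exist` operators, `ip_equal` over CIDR ranges, and an explicit deny beating an allow, which is assumed here) and reproduces the `versionid` tables above as well as the different effect the `response-content-type` policies have on `PutObject` and `GetObject` requests. The `rct_policy` helper, the `BROKEN`/`FIXED`/`GET_ONLY` names and the outcome strings are this example's own; principal and resource are omitted because they do not affect the condition logic shown.

```python
# Added example, not Tencent Cloud COS's own code: a small model of the condition
# semantics on this page (plain vs `_if_exist` operators, `ip_equal`, deny over allow).
from ipaddress import ip_address, ip_network

def _matches(op, expected, actual):
    values = expected if isinstance(expected, list) else [expected]
    negate, base = "_not_" in op, op.replace("_not_", "_")   # string_not_equal -> string_equal
    if base == "string_equal":
        hit = actual in values             # case-sensitive; policy values already URL-encoded
    elif base == "ip_equal":               # "111.21.33.72/24" is read as 111.21.33.0/24
        hit = any(ip_address(actual) in ip_network(v, strict=False) for v in values)
    else:
        raise ValueError(f"operator not modelled here: {op}")
    return hit != negate

def condition_met(condition, request):
    """Missing header/parameter: False for plain operators, True for `_if_exist` ones."""
    for op, pairs in condition.items():
        base, if_exist = (op[:-9], True) if op.endswith("_if_exist") else (op, False)
        for key, expected in pairs.items():
            if key not in request:
                if if_exist:
                    continue
                return False
            if not _matches(base, expected, request[key]):
                return False
    return True

def evaluate(policy, action, request):
    """Explicit deny beats allow (assumed); 'none' means no statement applied."""
    outcome = "none"
    for st in policy["statement"]:
        if (not any(a in ("*", f"name/cos:{action}") for a in st["action"])
                or not condition_met(st.get("condition", {}), request)):
            continue
        if st["effect"] == "deny":
            return "deny"
        outcome = "allow"
    return outcome

def rct_policy(allow_op, deny_op, actions):
    """The allow+deny response-content-type policies above (principal/resource omitted)."""
    def st(effect, op):
        return {"effect": effect, "action": actions,
                "condition": {op: {"cos:response-content-type": "image%2Fjpeg"}}}
    return {"version": "2.0", "statement": [st("allow", allow_op), st("deny", deny_op)]}

BROKEN = rct_policy("string_equal", "string_not_equal_if_exist", ["*"])   # also denies PutObject
FIXED = rct_policy("string_equal_if_exist", "string_not_equal", ["*"])    # leaves PutObject alone
GET_ONLY = rct_policy("string_equal", "string_not_equal_if_exist", ["name/cos:GetObject"])
```

Running `evaluate(BROKEN, "PutObject", {})` returns `"deny"` while `evaluate(FIXED, "PutObject", {})` returns `"allow"`, which is exactly the pitfall the two wildcard policies above illustrate.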