(resource:*)
or all operations (action:*)
.doc
and downloads for objects prefixed with doc2
for the bucket examplebucket-1250000000
in the region "ap-beijing" under the APPID 1250000000
:{"version": "2.0","statement": [{"action": [// Upload an object by using simple upload"name/cos:PutObject",// Upload an object by using an HTML form"name/cos:PostObject",// Initialize a multipart upload"name/cos:InitiateMultipartUpload",// List all ongoing multipart uploads"name/cos:ListMultipartUploads",// List uploaded parts"name/cos:ListParts",// Upload parts"name/cos:UploadPart",// Complete a multipart upload"name/cos:CompleteMultipartUpload",// Abort a multipart upload"name/cos:AbortMultipartUpload"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*"]},{"action": [// Download"name/cos:GetObject"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc2/*"]}]}
Name | Description |
version | Policy syntax version, which is 2.0 by default. |
effect | Allow or deny. |
resource | Specific data of the authorized operation, which can be any resources, resources with a specified path prefix, resource in a specified absolute path, or their combination. |
action | COS API. You can specify one, several, or all ( * ) COS APIs as needed, such as name/cos:GetService . Note that this value is case-sensitive. |
condition |
GET Service
API, the action
field in the policy should be set to name/cos:GetService
, and the resource
field to *
.{"version": "2.0","statement": [{"action": ["name/cos:GetService"],"effect": "allow","resource": ["*"]}]}
resource
field for bucket API policies is outlined in further detail below:resource
field should be set to *
. Use this option with caution as it may present data security risks due to excessive permissions.examplebucket-1250000000
under the APPID 1250000000
in the region ap-beijing
, the resource
field should be set to qcs::cos:ap-beijing:uid/1250000000:*
.examplebucket-1250000000
under the APPID 1250000000
in the region ap-beijing
, the resource
field should be set to qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/*
.action
field in bucket API policies varies by operation. The following lists several bucket API policies for your reference.PUT Bucket
API, the action
field in the policy should be set to name/cos:PutBucket.1250000000
permission to create a bucket named examplebucket-1250000000
in Beijing region:{"version": "2.0","statement": [{"action": ["name/cos:PutBucket"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/"]}]}
HEAD Bucket
API, the action
field in the policy should be set to name/cos:HeadBucket
.examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
:{"version": "2.0","statement": [{"action": ["name/cos:HeadBucket"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/"]}]}
GET Bucket
API, the action
field in the policy should be set to name/cos:GetBucket
.examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
:{"version": "2.0","statement": [{"action": ["name/cos:GetBucket"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/"]}]}
Delete Bucket
API, the action
field in the policy should be set to name/cos:DeleteBucket
.examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
:{"version": "2.0","statement": [{"action": ["name/cos:DeleteBucket"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/"]}]}
Put Bucket ACL
API, the action
field in the policy should be set to name/cos:PutBucketACL
.examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
:{"version": "2.0","statement": [{"action": ["name/cos:PutBucketACL"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/"]}]}
GET Bucket acl
API, the action
field in the policy should be set to name/cos:GetBucketACL
.examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
:{"version": "2.0","statement": [{"action": ["name/cos:GetBucketACL"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/"]}]}
PUT Bucket cors
API, the action
field in the policy should be set to name/cos:PutBucketCORS
.examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
:{"version": "2.0","statement": [{"action": ["name/cos:PutBucketCORS"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/"]}]}
GET Bucket cors
API, the action
field in the policy should be set to name/cos:GetBucketCORS
.examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
:{"version": "2.0","statement": [{"action": ["name/cos:GetBucketCORS"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/"]}]}
DELETE Bucket cors
API, the action
field in the policy should be set to name/cos:DeleteBucketCORS
.examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
:{"version": "2.0","statement": [{"action": ["name/cos:DeleteBucketCORS"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/"]}]}
PUT Bucket lifecycle
API, the action
field in the policy should be set to name/cos:PutBucketLifecycle
.examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
:{"version": "2.0","statement": [{"action": ["name/cos:PutBucketLifecycle"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/"]}]}
GET Bucket lifecycle
API, the action
field in the policy should be set to name/cos:GetBucketLifecycle
.examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
:{"version": "2.0","statement": [{"action": ["name/cos:GetBucketLifecycle"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/"]}]}
DELETE Bucket lifecycle
API, the action
field in the policy should be set to name/cos:DeleteBucketLifecycle
.examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
:{"version": "2.0","statement": [{"action": ["name/cos:DeleteBucketLifecycle"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/"]}]}
resource
field for object API policies is outlined in further detail below:resource
field should be set to *
.examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
, the resource
field should be set to qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/*
.doc
in the bucket examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
, the resource
field should be set to qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*
.doc/audio.mp3
in the bucket examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
, the resource
field should be set to qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/audio.mp3
.action
field in object API policies varies by operation. All object API policies are as listed below.PUT Object
API, the action
field in the policy should be set to name/cos:PutObject
.doc
in the bucket examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
:{"version": "2.0","statement": [{"action": ["name/cos:PutObject"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*"]}]}
Initiate Multipart Upload
, List Multipart Uploads
, List Parts
, Upload Part
, Complete Multipart Upload
, and Abort Multipart Upload
. To grant access to these APIs, the action
field in the policy should be a collection of "name/cos:InitiateMultipartUpload","name/cos:ListMultipartUploads","name/cos:ListParts","name/cos:UploadPart","name/cos:CompleteMultipartUpload","name/cos:AbortMultipartUpload"
.doc
in the bucket examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
:{"version": "2.0","statement": [{"action": ["name/cos:InitiateMultipartUpload","name/cos:ListMultipartUploads","name/cos:ListParts","name/cos:UploadPart","name/cos:CompleteMultipartUpload","name/cos:AbortMultipartUpload"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*"]}]}
action
field in the policy should be set to name/cos:ListMultipartUploads
.examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
:{"version": "2.0","statement": [{"action": ["name/cos:ListMultipartUploads"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/"]}]}
POST Object
API, the action
field in the policy should be set to name/cos:PostObject
.POST
method to upload only objects with the path prefix doc
in the bucket examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
:{"version": "2.0","statement": [{"action": ["name/cos:PostObject"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*"]}]}
Append Object
API, the action
field in the policy should be set to name/cos:AppendObject
.doc
in the bucket examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
:{"version": "2.0","statement": [{"action": ["name/cos:AppendObject"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*"]}]}
HEAD Object
API, the action
field in the policy should be set to name/cos:HeadObject
.doc
in the bucket examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
:{"version": "2.0","statement": [{"action": ["name/cos:HeadObject"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*"]}]}
GET Object
API, the action
field in the policy should be set to name/cos:GetObject
.doc
in the bucket examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
:{"version": "2.0","statement": [{"action": ["name/cos:GetObject"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*"]}]}
Put Object Copy
API, the action
field for the destination object should be set to name/cos:PutObject
, and the action
field for the source object should be set to name/cos:GetObject
.doc
to the path prefixed with doc2
in the bucket examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
:{"version": "2.0","statement": [{"action": ["name/cos:PutObject"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*"]},{"action": ["name/cos:GetObject"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc2/*"]}]}
"qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc2/*"
is the source object.Upload Part - Copy
API, the action
field for the destination object should be a collection of "name/cos:InitiateMultipartUpload","name/cos:ListMultipartUploads","name/cos:ListParts","name/cos:PutObject","name/cos:CompleteMultipartUpload","name/cos:AbortMultipartUpload"
, and the action
field for the source object should be set to name/cos:GetObject
.doc
to the path prefixed with doc2
in the bucket examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
:{"version": "2.0","statement": [{"action": ["name/cos:InitiateMultipartUpload","name/cos:ListMultipartUploads","name/cos:ListParts","name/cos:PutObject","name/cos:CompleteMultipartUpload","name/cos:AbortMultipartUpload"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*"]},{"action": ["name/cos:GetObject"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc2/*"]}]}
"qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc2/*"
is the source object.Put Object ACL
API, the action
field in the policy should be set to name/cos:PutObjectACL
.doc
in the bucket examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
:{"version": "2.0","statement": [{"action": ["name/cos:PutObjectACL"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*"]}]}
Get Object ACL
API, the action
field in the policy should be set to name/cos:GetObjectACL
.doc
in the bucket examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
:{"version": "2.0","statement": [{"action": ["name/cos:GetObjectACL"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*"]}]}
OPTIONS Object
API, the action
field in the policy should be set to name/cos:OptionsObject
.OPTIONS
request only for objects with the path prefix doc
in the bucket examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
:{"version": "2.0","statement": [{"action": ["name/cos:OptionsObject"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*"]}]}
Post Object Restore
API, the action
field in the policy should be set to name/cos:PostObjectRestore
.doc
in the bucket examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
:{"version": "2.0","statement": [{"action": ["name/cos:PostObjectRestore"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*"]}]}
DELETE Object
API, the action
field in the policy should be set to name/cos:DeleteObject
.audio.mp3
in the bucket examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
:{"version": "2.0","statement": [{"action": ["name/cos:DeleteObject"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/audio.mp3"]}]}
DELETE Multiple Objects
API, the action
field in the policy should be set to name/cos:DeleteObject
.audio.mp3
and video.mp4
in the bucket examplebucket-1250000000
in the region ap-beijing
under the APPID 1250000000
:{"version": "2.0","statement": [{"action": ["name/cos:DeleteObject"],"effect": "allow","resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/audio.mp3","qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/video.mp4"]}]}
{"version": "2.0","statement": [{"action": ["*"],"effect": "allow","resource": ["*"]}]}
{"version": "2.0","statement": [{"action": ["name/cos:HeadObject","name/cos:GetObject","name/cos:GetBucket","name/cos:OptionsObject"],"effect": "allow","resource": ["*"]}]}
doc
in the bucket examplebucket-1250000000
and does not allow any operations on files in other paths:{"version": "2.0","statement": [{"action": ["*"],"effect": "allow","resource": ["qcs::cos:ap-shanghai:uid/1250000000:examplebucket-1250000000/doc/*"]}]}
Apakah halaman ini membantu?