version
, principal
, statement
, effect
, action
, resource
, and condition
must all begin with a letter in the same letter case.qcs:ip
condition key to restrict user access IPs. This condition key is applicable to all requests.examplebucket-bj
bucket in Beijing region and the exampleobject
object in the examplebucket-gz
bucket in Guangzhou region, on condition that the access IP falls within the IP range 192.168.1.0/24
or is 101.226.100.185
or 101.226.100.186
.{"version": "2.0","principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"statement": [{"effect": "allow","action":["name/cos:PutObject","name/cos:GetObject"],"resource": ["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-gz-1250000000/exampleobject"],"condition":{"ip_equal":{"qcs:ip":["192.168.1.0/24","101.226.100.185","101.226.100.186"]}}}]}
vpc:requester_vpc
to restrict the vpcid
of user access. For more information on vpcid
, see Virtual Private Cloud.examplebucket-1250000000
, on condition that the VPC ID is aqp5jrc1
.{"statement": [{"action":["name/cos:*"],"condition":{"string_equal":{"vpc:requester_vpc": ["vpc-aqp5jrc1"]}},"effect": "allow","principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/*"]}],"version": "2.0"}
versionid
request parameter specifies the version number of the object. For more information on versioning, see Overview. When downloading an object (GetObject
) or deleting an object (DeleteObject
), you can use versionid
to specify the object version to be manipulated. There are three different cases with versionid
:versionid
is not carried, requests will apply to the latest version of the object by default.versionid
is an empty string, this is equivalent to the case where versionId
is not carried.versionid
is "null"
, for objects that are uploaded before versioning is enabled for a bucket, their version numbers will become the "null"
string after versioning is enabled.cos:versionid
condition key to restrict the versionid
request parameter.examplebucket-1250000000
uses the following bucket policy to allow the sub-account with UIN 100000000002 to get objects of a specified version only.versionid
parameter and the value of versionid
is the version number Tg0NDUxNTc1NjIzMTQ1MDAwODg
.{"version":"2.0","statement":[{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect":"allow","action":["name/cos:GetObject"],"condition":{"string_equal":{"cos:versionid":"MTg0NDUxNTc1NjIzMTQ1MDAwODg"}},"resource":["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"]}]}
versionid
parameter or that the version number specified by versionid
is not MTg0NDUxNTc1NjIzMTQ1MDAwODg
, the request will be denied. Because the priority of the deny policy is higher than other policies, adding a deny policy can avoid permission vulnerabilities to the maximum extent.{"statement":[{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect":"allow","action":["name/cos:GetObject"],"condition":{"string_equal":{"cos:versionid":"MTg0NDUxNTc1NjIzMTQ1MDAwODg"}},"resource":["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"]},{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect":"deny","action":["name/cos:GetObject"],"condition":{"string_not_equal_if_exist":{"cos:versionid":"MTg0NDUxNTc1NjIzMTQ1MDAwODg"}},"resource":["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"]}],"version":"2.0"}
examplebucket-1250000000
uses the following bucket policy to allow the sub-account with UIN 100000000002 to get objects of the latest version only.versionid
is not carried or its value is an empty string, a GetObject
request will download an object of the latest version by default. Therefore, you can use string_equal_if_exsit
in the condition:versionid
is not carried, it is considered that the condition is met (True
) by default, the allow
policy is hit, and requests are allowed.versionid
is an empty string (""
), the allow
policy will also be hit, and only requests for downloading objects of the latest version will be authorized."condition":{"string_equal_if_exist":{"cos:versionid": ""}}
{"statement":[{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect":"allow","action":["name/cos:GetObject"],"condition":{"string_equal_if_exist":{"cos:versionid":""}},"resource":["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"]},{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect":"deny","action":["name/cos:GetObject"],"condition":{"string_not_equal":{"cos:versionid":""}},"resource":["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"]}],"version":"2.0"}
DeleteObject
requests to delete objects in the bucket.DeleteObject
requests. If a DeleteObject
request carries the request parameter versionid
with the value "null"
, the request will be denied.examplebucket-1250000000
before versioning is enabled, the version number of object A becomes a "null" string after versioning is enabled.DeleteObject
request initiated by a sub-user to delete object A does not carry a version number, object A will not be permanently deleted because versioning is enabled. Instead, a delete marker will be added for object A. If the request contains the "null" version number of object A, the request will be denied, and object A will not be permanently deleted.{"statement":[{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect":"allow","action":["name/cos:DeleteObject"],"resource":["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"]},{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect":"deny","action":["name/cos:DeleteObject"],"condition":{"string_equal":{"cos:versionid":"null"}},"resource":["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"]}],"version":"2.0"}
cos:content-length
condition key to restrict the Content-Length
request header to limit the file size of the uploaded object. In this way, you can flexibly manage storage space and avoid wasting storage space and network bandwidth by uploading files that are too large or too small.examplebucket-1250000000
bucket uses the cos:content-length
condition key to restrict the value of the Content-Length
header in upload requests initiated by the sub-account with UIN 100000000002.PutObject
and PostObject
upload requests carry the Content-Length
header with a value less than or equal to 10 bytes.{"version":"2.0","statement":[{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect":"allow","action":["name/cos:PutObject","name/cos:PostObject"],"resource":["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"],"condition":{"numeric_less_than_equal":{"cos:content-length":10}}},{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect":"deny","action":["name/cos:PutObject","name/cos:PostObject"],"resource":["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"],"condition":{"numeric_greater_than_if_exist":{"cos:content-length":10}}}]}
PutObject
and PostObject
upload requests carry the Content-Length
header with a value not less than 2 bytes.{"version":"2.0","statement":[{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect":"allow","action":["name/cos:PutObject","name/cos:PostObject"],"resource":["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"],"condition":{"numeric_greater_than_equal":{"cos:content-length":2}}},{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect":"deny","action":["name/cos:PutObject","name/cos:PostObject"],"resource":["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"],"condition":{"numeric_less_than_if_exist":{"cos:content-length":2}}}]}
Content-Type
must be an HTTP request content type as defined in RFC 2616 (MIME), such as application/xml
and image/jpeg
. For more information, see Common Request Headers.cos:content-type
condition key to restrict the Content-Type
request header.examplebucket-1250000000
bucket uses the cos:content-type
condition key to restrict the content of the Content-Type
header in upload requests initiated by the sub-account with UIN 100000000002.PutObject
) must carry the Content-Type
header and with the value image/jpeg
.string_equal
requires that the request must carry the Content-Type
header with a value exactly the same as the specified value. In a real request, you need to explicitly specify the Content-Type header of the request. Otherwise, if your request does not carry the Content-Type
header, the request will fail. In addition, if you use a certain tool to initiate a request and do not explicitly specify Content-Type
, the tool may automatically add an unexpected Content-Type
header to the request, the request may also fail.{"version":"2.0","statement":[{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect":"allow","action":["name/cos:PutObject"],"resource":["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"],"condition":{"string_equal":{"cos:content-type":"image/jpeg"}}},{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect":"deny","action":["name/cos:PutObject"],"resource":["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"],"condition":{"string_not_equal_if_exist":{"cos:content-type":"image/jpeg"}}}]}
GetObject
API allows you to add the response-content-type
request parameter to specify the value of the Content-Type
header in the response.cos:response-content-type
condition key to specify whether requests need to carry response-content-type
.examplebucket-1250000000
bucket uses the following bucket policy to require that GetObject
requests initiated by the sub-account with UIN 100000000002 carry the response-content-type
request parameter with the value image/jpeg
. response-content-type
is a request parameter and needs to be URL-encoded when the request is initiated (encoded value: response-content-type=image%2Fjpeg
). Therefore, when you set the policy, "image/jpeg" also needs to be URL-encoded, that is, image%2Fjpeg
needs to be entered.{"version":"2.0","statement":[{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect":"allow","action":["name/cos:GetObject"],"resource":["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"],"condition":{"string_equal":{"cos:response-content-type":"image%2Fjpeg"}}},{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect":"deny","action":["name/cos:GetObject"],"resource":["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"],"condition":{"string_not_equal_if_exist":{"cos:response-content-type":"image%2Fjpeg"}}}]}
cos:secure-transport
condition key to require requests to use the HTTPS protocol.examplebucket-1250000000
bucket uses the following bucket policy to allow only HTTPS-based GetObject
requests sent by the sub-account with UIN 100000000002.{"version":"2.0","statement":[{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect":"allow","action":["name/cos:GetObject"],"resource":["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"],"condition":{"bool_equal":{"cos:secure-transport":"true"}}}]}
examplebucket-1250000000
uses the following bucket policy to deny any non-HTTPS requests sent by the sub-account with UIN 100000000002.{"version":"2.0","statement":[{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect":"deny","action":["*"],"resource":["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"],"condition":{"bool_equal":{"cos:secure-transport":"false"}}}]}
x-cos-storage-class
request parameter to specify or modify the storage class of an object when uploading the object.cos:x-cos-storage-class
condition key to restrict the x-cos-storage-class
request header to restrict storage class modification requests.STANDARD
, MAZ_STANDARD
, STANDARD_IA
, MAZ_STANDARD_IA
, INTELLIGENT_TIERING
, MAZ_INTELLIGENT_TIERING
, ARCHIVE
, and DEEP_ARCHIVE
.examplebucket-1250000000
bucket uses the following bucket policy to require PutObject
requests sent by the sub-account with UIN 100000000002 to carry the x-cos-storage-class
header with the value STANDARD
.{"version":"2.0","statement":[{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect":"allow","action":["name/cos:PutObject"],"resource":["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"],"condition":{"string_equal":{"cos:x-cos-storage-class":"STANDARD"}}},{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect":"deny","action":["name/cos:PutObject"],"resource":["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"],"condition":{"string_not_equal_if_exist":{"cos:x-cos-storage-class":"STANDARD"}}}]}
x-cos-acl
request header to specify an ACL or modify the object or bucket ACL. For more information, see ACL.private
, public-read
, public-read-write
, authenticated-read
default
, private
, public-read
, authenticated-read
, bucket-owner-read
, bucket-owner-full-control
cos:x-cos-acl
condition key to restrict the x-cos-acl
request header to restrict object/bucket ACL modification requests.examplebucket-1250000000
bucket uses the following bucket policy to allow the sub-account with UIN 100000000002 to upload private objects only. The policy requires that all PutObject
requests carry the x-cos-acl
header with the value private
.{"version":"2.0","statement":[{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect":"allow","action":["name/cos:PutObject"],"resource":["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"],"condition":{"string_equal":{"cos:x-cos-acl":"private"}}},{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect":"deny","action":["name/cos:PutObject"],"resource":["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"],"condition":{"string_not_equal_if_exist":{"cos:x-cos-acl":"private"}}}]}
cos:prefix
condition key to restrict the prefix
request parameter.prefix
contains special characters such as /
, the value must be URL-encoded before being written into the bucket policy.examplebucket-1250000000
uses the following bucket policy to restrict the sub-account with UIN 100000000002 to list only the objects in the folder1
directory of the bucket. The policy requires that all GetBucket
requests carry the prefix
parameter with the value folder1
.{"statement":[{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect":"allow","action":["name/cos:GetBucket"],"resource":["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"],"condition":{"string_equal":{"cos:prefix":"folder1"}}},{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect":"deny","action":["name/cos:GetBucket"],"resource":["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"],"condition":{"string_equal_if_exist":{"cos:prefix":"folder1"}}}],"version":"2.0"}
cos:tls-version
condition key to restrict the TLS version of HTTPS requests. Its value is of the numeric type and supports floating points, such as 1.0, 1.1, or 1.2.Request Scenario | Expected Result |
HTTPS request using TLS v1.0 | 403, failed |
HTTPS request using TLS v1.2 | 200, successful |
{"version":"2.0","statement":[{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect":"allow","action":["*"],"resource":["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"],"condition":{"numeric_equal":{"cos:tls-version":1.2}}}]}
Request Scenario | Expected Result |
HTTPS request using TLS v1.0 | 403, failed |
HTTPS request using TLS v1.2 | 200, successful |
{"version":"2.0","statement":[{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect":"allow","action":["*"],"resource":["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"],"condition":{"numeric_greater_than_equal":{"cos:tls-version":1.2}}},{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect":"deny","action":["*"],"resource":["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"],"condition":{"numeric_less_than_if_exist":{"cos:tls-version":1.2}}}]}
request_tag
condition key is only applicable to PutBucket
and PutBucketTagging
operations but not GetService
, PutObject
, or PutObjectTagging
.qcs:request_tag
condition key to restrict that a user must include a specified bucket tag when initiating a PutBucket
or PutBucketTagging
request.<a,b>
and <c,d>
when creating a bucket.for_any_value
and for_all_value
to indicate different meanings.for_any_value:string_equal
indicates that the request takes effect if A and B have an intersection.for_all_value:string_equal
indicates that the request takes effect if A is a subset of B.for_any_value:string_equal
is used, the corresponding policy and request are as shown below:Request Scenario | Expected Result |
PutBucket, request header x-cos-tagging: a=b&c=d | 200, successful |
PutBucket, request header x-cos-tagging: a=b | 200, successful |
PutBucket, request header x-cos-tagging: a=b&c=d&e=f | 200, successful |
{"version": "2.0","statement": [{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect": "allow","action":["name/cos:PutBucket"],"resource": "*","condition":{"for_any_value:string_equal": {"qcs:request_tag": ["a&b","c&d"]}}}]}
for_all_value:string_equal
is used, the corresponding policy and request are as shown below:Request Scenario | Expected Result |
PutBucket, request header x-cos-tagging: a=b&c=d | 200, successful |
PutBucket, request header x-cos-tagging: a=b | 200, successful |
PutBucket, request header x-cos-tagging: a=b&c=d&e=f | 403, failed |
{"version": "2.0","statement": [{"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000002"]},"effect": "allow","action":["name/cos:PutBucket"],"resource": "*","condition":{"for_all_value:string_equal": {"qcs:request_tag": ["a&b","c&d"]}}}]}
Apakah halaman ini membantu?