COS resources (buckets and objects) are private by default. Only Tencent Cloud root accounts (resource owners) can access and modify buckets and objects. Other users (such as sub-accounts and anonymous users) cannot access objects by using URLs without authorization.
After creating a Tencent Cloud sub-account, you can configure an access policy to authorize the sub-account. If you want to open up resources (buckets, objects, and directories) to non-Tencent Cloud users, you only need to set the permissions of the resources to Public Read.
You can grant access permissions by specifying a person to perform a specified action on specified resources under a specified condition. Generally, the following four elements are used to describe an access policy: principal, resource, action, and condition (optional).
When you apply for a Tencent Cloud account, the system will create a root account for logging in to Tencent Cloud services. The Tencent Cloud root account manages different types of users with different roles using the user management feature. User types include collaborator, message recipient, sub-user, and role. For more information, see User Types and Glossary of CAM.
Note: If you want to authorize an employee in your enterprise, you need to create a sub-account in the CAM console and then grant the sub-account specific permissions by using one or more of the following methods: Bucket Policy, ACL, and User Policy.
Buckets and objects are basic resources of the COS service. Folders are a special type of object. You can authorize objects in folders by authorizing the folders. For more information, see Setting Folder Permissions.
Buckets and objects have subresources associated with them.
The subresources associated with a bucket include:
The subresources associated with an object include:
COS provides a range of API operations on various resources. For more information, see Operation List.
COS conditions refer to conditions for permissions to take effect, such as VPC and VIP. For more information, see Condition.
Note: Tencent Cloud COS resources are private by default.
COS provides multiple permission setting methods to implement access control, including bucket policies, user policies (CAM policies), bucket ACLs, and object ACLs.
These methods can be classified into resource-based authorization and user-based authorization according to the starting point of policy setting, and classified into policy-based authorization and ACL-based authorization according to the authorization mode.
Classification method 1: resource-based authorization vs user-based authorization
Classification method 2: policy-based authorization vs ACL-based authorization
Policy-based authorization (bucket policies and user policies) supports both the allow and deny effects, whereas ACL-based authorization supports only the allow effect.
Resource-based policies are classified into three types: bucket policies, bucket ACLs, and object ACLs. COS supports access control at both the bucket and object dimensions, as detailed below:
Dimension | Type | Language | Supported Identity | Supported Resource Granularity | Supported Action | Supported Effect |
---|---|---|---|---|---|---|
Bucket | Access policy language (Policy) | JSON | Sub-accounts, roles, Tencent Cloud services, other root accounts, anonymous users, etc. | Buckets, objects, prefixes, etc. | Each specific action | Allow/Deny |
Bucket | Access Control List (ACL) | XML | Other root accounts, anonymous users, etc. | Buckets | Read and write actions | Allow |
Object | Access Control List (ACL) | XML | Other root accounts, anonymous users, etc. | Objects | Read and write actions | Allow |
A bucket policy is described in JSON language, and supports granting anonymous identities or any Tencent Cloud CAM account the permissions to access and perform operations on buckets and objects. In Tencent Cloud COS, the bucket policy can be used to manage almost all operations in the bucket. It is recommended that you use a bucket policy to manage access policies that cannot be described using ACLs. For more information, see Bucket Policy.
Note: A Tencent Cloud root account has the highest permissions on its resources (including buckets). Even though you can restrict almost all operations in a bucket policy, the root account always retains permission for the PUT Bucket Policy operation and can call it without the bucket policy being checked.
The following policy allows anonymous users to access all objects in the bucket examplebucket-1250000000 in Guangzhou, and to download all objects (via GetObject) in the bucket without signature verification. In this case, any anonymous user who knows the URLs can download the objects (similar to Public Read):
```json
{
  "Statement": [
    {
      "Principal": "*",
      "Effect": "Allow",
      "Action": ["cos:GetObject"],
      "Resource": ["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"]
    }
  ],
  "Version": "2.0"
}
```
An ACL is described in the XML language. It is a list of specified grantees and the permissions granted to them, and is associated with a resource. Each bucket and object has an associated ACL that grants basic read and write permissions to anonymous users or other Tencent Cloud root accounts. For more information, see ACL.
Note: The resource owner always has the FULL_CONTROL permission on the resource, whether or not this is stated in the issued ACL.
The bucket ACL in this example describes the full control permission of the bucket owner (UIN: 100000000001):
```xml
<AccessControlPolicy>
  <Owner>
    <ID>qcs::cam::uin/100000000001:uin/100000000001</ID>
  </Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="RootAccount">
        <ID>qcs::cam::uin/100000000001:uin/100000000001</ID>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>
```
The object ACL in this example describes the full control permission of the object owner (UIN: 100000000001) and grants the read permission to all users (the public-read permission to anonymous users):
```xml
<AccessControlPolicy>
  <Owner>
    <ID>qcs::cam::uin/100000000001:uin/100000000001</ID>
  </Owner>
  <AccessControlList>
    <Grant>
      <Grantee>
        <ID>qcs::cam::uin/100000000001:uin/100000000001</ID>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee>
        <URI>http://cam.qcloud.com/groups/global/AllUsers</URI>
      </Grantee>
      <Permission>READ</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>
```
In CAM, you can grant different permissions to different types of users under the root account.
The biggest difference between a user policy and a bucket policy is that a user policy describes only effect, action, resource, and condition (optional), but not principal. Therefore, you have to write the user policy first and then manually associate it with a sub-user, user group, or role. In addition, a user policy cannot grant anonymous users access to resources or operations.
You can associate a preset policy for authorization, or write a user policy and associate it with a specified identity to manage access for your users. For more information, see User Policy.
The following policy example grants the permission to perform all COS operations on the bucket examplebucket-1250000000 in Guangzhou. You need to save the policy and then associate it with a CAM sub-user, a user group, or a role before it takes effect.
```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["cos:*"],
      "Resource": [
        "qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*",
        "qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/"
      ]
    }
  ],
  "Version": "2.0"
}
```
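The three mechanisms above can be audited for unintended public exposure with a small script. The following is an added example, not Tencent Cloud code: it flags bucket policy statements whose Principal is anonymous ("*", the form used on this page; the {"qcs": [...]} dict form is an assumption and is only treated as anonymous if it contains a bare "*"), flags ACL grants to the AllUsers group, and shows that a user policy, having no Principal, never reports as public. The sample policies and ACL are constructed from the page's examples.

```python
import json
import xml.etree.ElementTree as ET

# Grantee URI for "all users" as it appears in the object ACL example on this page.
ALL_USERS_URI = "http://cam.qcloud.com/groups/global/AllUsers"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def find_public_statements(policy_json):
    """Return (actions, resources) for each Allow statement whose Principal is
    anonymous. A user policy carries no Principal, so it yields nothing."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or principal is None:
            continue
        # "*" is the form used on this page; the {"qcs": [...]} form is assumed
        # here and treated as anonymous only if it contains a bare "*".
        values = [principal] if isinstance(principal, str) else [
            v for vals in principal.values() for v in _as_list(vals)]
        if "*" in values:
            findings.append((_as_list(stmt["Action"]), _as_list(stmt["Resource"])))
    return findings

def find_public_acl_grants(acl_xml):
    """Return the Permission of every Grant made to the AllUsers group."""
    root = ET.fromstring(acl_xml)
    return [g.findtext("Permission") for g in root.iter("Grant")
            if g.findtext("Grantee/URI") == ALL_USERS_URI]

# Constructed samples: the page's public-read bucket policy plus a second,
# non-anonymous statement, the page's user policy, and the page's object ACL.
BUCKET_POLICY = json.dumps({"Version": "2.0", "Statement": [
    {"Principal": "*", "Effect": "Allow", "Action": ["cos:GetObject"],
     "Resource": ["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"]},
    {"Principal": {"qcs": ["qcs::cam::uin/100000000001:uin/100000000001"]},
     "Effect": "Allow", "Action": ["cos:PutObject"],
     "Resource": ["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"]}]})
USER_POLICY = json.dumps({"Version": "2.0", "Statement": [
    {"Effect": "Allow", "Action": ["cos:*"],
     "Resource": ["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"]}]})
OBJECT_ACL = """<AccessControlPolicy><Owner><ID>qcs::cam::uin/100000000001:uin/100000000001</ID></Owner>
<AccessControlList><Grant><Grantee><ID>qcs::cam::uin/100000000001:uin/100000000001</ID></Grantee>
<Permission>FULL_CONTROL</Permission></Grant><Grant><Grantee>
<URI>http://cam.qcloud.com/groups/global/AllUsers</URI></Grantee><Permission>READ</Permission>
</Grant></AccessControlList></AccessControlPolicy>"""
```

Run `find_public_statements` over each bucket policy fetched from your account and `find_public_acl_grants` over bucket and object ACLs; any non-empty result is a resource reachable without a signature.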