Adding Bucket Policies

Last updated: 2021-12-16 14:56:49

    Overview

    You can add a policy for a bucket via the COS console to allow or forbid access to COS resources by an account, IP, or IP range. For more information about bucket policies and examples, please see Access Policy Language Overview and Examples of Bucket Policies. The following describes how to add a bucket policy.

    Note:

    Each root account can create up to 1,000 bucket ACL rules.

    Prerequisites

    You have created a bucket. For more information, please see Creating Buckets.

    Directions

    1. Log in to the COS console.

    2. On the left sidebar, click Bucket List. Then, click the bucket for which you want to add a bucket policy.

    3. Click Permission Management > Permission Policy Settings. Then, you can add a bucket policy using Visual Editor or JSON as detailed below. For more information about the configuration items, please see Access Policy Language Overview.

    4. After confirming that the configuration information is correct, click OK or Save. In this way, if a sub-account logs in to the COS console, it can only access resources allowed by the policy.

    Visual Editor

    On the Visual Editor tab page, click Add Policy. In the pop-up window, configure the policy in two steps: select a template and configure the policy.

    Step 1: select a template

    COS provides you with different templates depending on the combination of authorized users (grantees) and resource scope you choose to help you quickly configure bucket policies.

    • Grantee
      • All users (allow anonymous access): select this option if you want to grant operation permissions to anonymous users. If you select it, all users (*) will be automatically selected for you during policy configuration in step 2. Because it is risky to grant anonymous users operations such as listing buckets (ListBucket) or changing bucket configuration, COS does not provide corresponding templates when this option is selected. You can add such policies during policy configuration in step 2 if necessary.
      • Specified user: you can select designated users when you want to grant operation permissions to designated sub-accounts, root accounts, or cloud services. During policy configuration in step 2, you need to further specify the account UINs.
    • Resource Scope
      • The whole bucket: if you want to configure bucket configuration permissions or set the resource scope to the entire bucket, you can select this option to automatically add the entire bucket as a resource for you during policy configuration in step 2.
      • Specified directory: select this option if you want to restrict the resource scope to a specified folder. During policy configuration in step 2, you need to further specify the specific directory. When this option is selected, COS does not provide policy templates related to bucket configuration, because for such permissions, the entire bucket must be specified as the resource.
    • Template: collection of operations that you want to authorize.
      • Custom (no preset configuration): if you do not need to use a template, select this option and add policies as needed during policy configuration in step 2.
      • Other templates: COS provides you with different recommended templates depending on the combination of authorized users and resource scope you choose. After you select a template, COS automatically adds the corresponding operation permissions for you during policy configuration in step 2.
    Note:

    If the authorized operations provided by the template do not meet your requirements, you can add or delete authorized operations during policy configuration in step 2.

    Templates are described below, grouped by grantee and resource scope.

    • Any grantee, any resource scope
      • Policy template: Custom
      • Description: for any combination of authorized users and resource scopes, this template does not provide any preset policies. You can add policies during policy configuration in step 2.
    • All users (allow anonymous access), The whole bucket or Specified directory
      • Policy templates: Read-Only objects (listing objects is not included); Read/Write objects (listing objects is not included)
      • Description: for anonymous users, COS provides recommended templates for reading files (such as downloading files) and writing files (such as uploading and modifying files). To improve data security, the recommended templates do not include listing all objects in your bucket, and sensitive permissions, such as read and write permissions and bucket configuration permissions, are not granted. You can add or delete operation permissions during policy configuration in step 2 as needed.
    • Specified user, The whole bucket
      • Policy templates: Read-Only objects (listing objects is not included); Read-Only objects (listing objects is included); Read/Write objects (listing objects is not included); Read/Write objects (listing objects is included); Read/Write buckets and object ACLs; General bucket configuration items; Bucket sensitive configuration item
      • Description: COS provides the most recommended templates for this combination. In addition to reading, writing, and listing files, COS provides the following sensitive permission templates for trusted users:
        • Read/Write buckets and object ACLs: get and modify bucket and object ACLs. Options include GetObjectACL, PutObjectACL, GetBucketACL, and PutBucketACL.
        • General bucket configuration items: non-sensitive permissions such as bucket tagging, CORS, and origin-pull.
        • Bucket sensitive configuration item: sensitive permissions such as bucket policies, bucket ACLs, and bucket deletion. Sensitive permissions should be used with caution.
    • Specified user, Specified directory
      • Policy templates: Read-Only objects (listing objects is not included); Read-Only objects (listing objects is included); Read/Write objects (listing objects is not included); Read/Write objects (listing objects is included)
      • Description: COS provides recommended templates for reading files (such as downloading files) and writing files (such as uploading and modifying files), as well as recommended templates for listing objects. If you need to grant read, write, and list permissions on a specified folder to a specified user, this combination is recommended. You can add or delete operation permissions during policy configuration in step 2 as needed.

    Step 2: configure the policy

    Based on the combination of authorized users, specified directories, and templates you select in step 1, COS automatically adds operations, authorized users, and resources to the configuration policy for you. If you specify a user and a directory, you need to specify the user UIN and directory during policy configuration.

    If the recommended templates provided by COS do not meet your requirements, you can add or delete authorized users, resources, and operations in this step. The configuration items are described as follows:

    • Effect: select Allow or Deny, corresponding to allow or deny in the policy syntax.
    • User: add or delete authorized users. Options include Everyone (*), Root account, Sub-account, and Cloud service.
    • Resource: add the whole bucket or a specific directory resource.
    • Operation: add or delete authorized operations as needed.
    • Condition: you can specify conditions under which the permission applies. For example, you can restrict access to a specified source IP.

    Policy Syntax

    Click Edit to enter a custom policy in the policy syntax. COS provides policy syntax for various scenarios. For more information, please see Examples of Bucket Policies.
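The configuration items in step 2 (Effect, User, Resource, Operation, Condition) map one-to-one onto the fields of a policy written in the policy syntax. The following added example, which is not code from this page or from Tencent Cloud, builds such a policy in CAM 2.0 JSON form and does two things a practitioner wants before clicking Save: it lints the policy for the anonymous grants the console templates deliberately leave out (listing objects and bucket configuration), and it evaluates sample requests against the policy. Everything in it is an assumption of the example: the region, APPID, bucket name and UINs are placeholders; `qcs::cam::anyone:anyone` is taken to be the anonymous principal shown as Everyone (*) in the console; an explicit deny is taken to override any allow and a request with no matching statement is denied; and only the `ip_equal` / `ip_not_equal` condition operators on the `qcs:ip` key are handled.

```python
"""Lint and evaluate a COS bucket policy (added example, not Tencent Cloud code).
Assumptions: CAM 2.0 JSON shape (version/statement/effect/principal/action/
resource/condition); "qcs::cam::anyone:anyone" is the anonymous principal the
console shows as Everyone (*); an explicit deny overrides any allow and no
match means deny; only ip_equal / ip_not_equal on qcs:ip are handled."""
import fnmatch
import ipaddress

ANONYMOUS = {"*", "qcs::cam::anyone:anyone"}
# Actions the page calls risky for anonymous grants: listing (GetBucket is the
# API behind the console's ListBucket) and bucket configuration. This concrete
# set is the example's own choice, not a list taken from the page.
LIST_ACTIONS = {"name/cos:GetBucket"}
BUCKET_CONFIG_ACTIONS = {"name/cos:PutBucketPolicy", "name/cos:DeleteBucketPolicy",
                         "name/cos:PutBucketACL", "name/cos:DeleteBucket"}

# Constructed placeholders for region, APPID, bucket name and UINs.
BUCKET = "qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000"
SUB_ACCOUNT = "qcs::cam::uin/100000000001:uin/100000000011"

# Constructed policy: anonymous read of /public, a sub-account allowed everything
# but only from the office network, and a deny guardrail on sensitive
# bucket-configuration actions that applies to everyone.
EXAMPLE_POLICY = {"version": "2.0", "statement": [
    {"effect": "allow", "principal": {"qcs": ["qcs::cam::anyone:anyone"]},
     "action": ["name/cos:GetObject"], "resource": [BUCKET + "/public/*"]},
    {"effect": "allow", "principal": {"qcs": [SUB_ACCOUNT]},
     "action": ["name/cos:*"], "resource": [BUCKET + "/*"],
     "condition": {"ip_equal": {"qcs:ip": ["10.10.0.0/16"]}}},
    {"effect": "deny", "principal": {"qcs": ["qcs::cam::anyone:anyone"]},
     "action": sorted(BUCKET_CONFIG_ACTIONS), "resource": [BUCKET + "/*"]},
]}

# Constructed policy the lint should flag: anonymous users may list the bucket.
ANON_LIST_POLICY = {"version": "2.0", "statement": [
    {"effect": "allow", "principal": {"qcs": ["qcs::cam::anyone:anyone"]},
     "action": ["name/cos:GetObject", "name/cos:GetBucket"], "resource": [BUCKET + "/*"]},
]}


def _as_set(value):
    """Policy fields may be a single string or a list; normalise to a set."""
    return {value} if isinstance(value, str) else set(value)


def _principals(stmt):
    return set(stmt.get("principal", {}).get("qcs", []))


def risky_statements(policy):
    """Indexes of allow statements that give anonymous users listing,
    bucket-configuration or wildcard actions, which the templates omit."""
    flagged = []
    for i, stmt in enumerate(policy["statement"]):
        if stmt["effect"] != "allow" or not (_principals(stmt) & ANONYMOUS):
            continue
        acts = _as_set(stmt["action"])
        if acts & {"*", "name/cos:*"} or acts & (LIST_ACTIONS | BUCKET_CONFIG_ACTIONS):
            flagged.append(i)
    return flagged


def _condition_holds(cond, ip):
    """True when every condition in the statement holds for the source IP."""
    for op, keys in cond.items():
        if op not in ("ip_equal", "ip_not_equal"):
            raise ValueError(f"operator not handled by this example: {op}")
        if ip is None:          # no source address to test: the condition fails
            return False
        addr = ipaddress.ip_address(ip)
        in_range = any(addr in ipaddress.ip_network(r, strict=False)
                       for r in _as_set(keys.get("qcs:ip", [])))
        if in_range != (op == "ip_equal"):
            return False
    return True


def evaluate(policy, principal, action, resource, ip=None):
    """Decide one request: a matching deny wins immediately, an allow counts only
    if nothing denies, and no matching statement at all means deny."""
    decision = "deny"
    for stmt in policy["statement"]:
        princs = _principals(stmt)
        if not (princs & ANONYMOUS) and principal not in princs:
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_set(stmt["action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_set(stmt["resource"])):
            continue
        if not _condition_holds(stmt.get("condition", {}), ip):
            continue
        if stmt["effect"] == "deny":
            return "deny"
        decision = "allow"
    return decision


if __name__ == "__main__":
    print("flagged statements:", risky_statements(ANON_LIST_POLICY))
    print(evaluate(EXAMPLE_POLICY, "anonymous", "name/cos:GetObject", BUCKET + "/public/logo.png"))
    print(evaluate(EXAMPLE_POLICY, SUB_ACCOUNT, "name/cos:DeleteBucket", BUCKET + "/", ip="10.10.3.4"))
```

The deny statement is the part worth copying: because a deny is checked against every request regardless of how many allow statements accumulate over time, it acts as a guardrail that keeps the sensitive bucket-configuration actions out of reach even when a later allow is written too broadly. Running the lint before saving catches the other common mistake the page warns about, an anonymous grant that includes listing.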