Container access policy

Access to a container can be controlled with a bucket policy. The policy consists of rules that allow or deny actions on a resource (a container or a group of objects) for all principals (users) or for selected ones. The basic principle is that once an access policy is created, everything that is not explicitly allowed is denied.

The access policy only works with the S3 API.

The access policy has a maximum size limit of 20 KB.

The access policy can apply to any user who is authorized to access the storage according to the role model, and it also defines access for users with the Object Storage User role. For more information about the interaction between the role model and access policies, see the instructions Manage access in object storage.

Only users with the Account Owner, Account Administrator, or Administrator role in the project where the container resides can create and manage access policies.

Access policies can be managed in the control panel or via the S3 API, subject to the requirements of the policy framework.

Access policy structure

The access policy has a JSON structure. Example policy:

{
  "Id": "my-bucket-policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowObjectDeletion",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "*"
        ]
      },
      "Action": [
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::container-name",
        "arn:aws:s3:::container-name/*",
        "arn:aws:s3:::container-name/${aws:userid}/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:UserAgent": [
            "storage-test-user-agent"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::container-name/*"
    }
  ]
}

Policy fields (field — description — data type):

  • Id — policy identifier, any value — String
  • Version — access policy version; the value is the constant "2012-10-17" — String
  • Statement — array of rules — Array
  • Sid — name of the rule — String
  • Effect — rule type (Allow or Deny) — String
  • Principal:AWS — principals (user IDs, or * for all requests) — Array of strings or string
  • Action — actions, or * for all actions — Array of strings or string
  • Resource — resources to which the rule applies — Array of strings or string
  • Condition — array of conditions in the format [operator]:[key]:[array of key values] — Array

Rules

Rules are of two types: permissive (Allow) and prohibitive (Deny).

The permission or prohibition applies to the actions, resources and principals listed in the rule.

If a policy contains multiple rules, they are applied as follows:

  • if at least one Allow rule matches, access is allowed;
  • if at least one Deny rule matches, access is denied;
  • if both an Allow rule and a Deny rule match at the same time, access is denied;
  • if no rule matches, access is denied.

Principals

A rule applies to requests from principals (users), specified as:

  • user identifiers, for authorized requests from specific users (the service user ID can be found in the control panel);
  • the symbol *, for all authorized and unauthorized requests.

Control panel users can be added to an access policy as principals only when the policy is configured through the control panel.

Resources

Resources — the container or the set of objects to which the rule applies. You can specify only resources associated with the container for which the policy is configured.

Resources can be specified in the following formats:

  • arn:aws:s3:::<container-name> — the container resource; only one resource of this format can be specified (the container for which the policy is configured). This resource applies to the container-level actions described in the Actions table and does not apply to the container's objects;

  • arn:aws:s3:::<container-name>/<prefix> — the container's objects, where <prefix> is the prefix of the objects the rule applies to. If you specify *, the resource includes all objects in the container;

  • arn:aws:s3:::<container-name>/${<variable-name>} — the container's objects, where <variable-name> is the name (key) of a substitution variable whose value acts as the prefix.

Actions

The actions that can be listed in a rule are given below. If you specify *, all actions are included in the rule.

  • s3:AbortMultipartUpload — aborting a multipart upload of an object via the S3 API
  • s3:DeleteObject — deleting an object
  • s3:DeleteObjectVersion — deleting a version of an object
  • s3:GetBucketCORS — getting the CORS configuration of the container
  • s3:GetBucketLocation — getting the pool that holds the container
  • s3:GetBucketVersioning — getting information about container versioning (enabled or not)
  • s3:GetObject — reading an object
  • s3:GetObjectVersion — reading a specific version of an object
  • s3:ListBucket — reading the list of objects in the container (all or some of them)
  • s3:ListBucketMultipartUploads — reading the list of objects with a multipart upload in progress via the S3 API
  • s3:ListBucketVersions — reading the metadata of all object versions in the container
  • s3:ListMultipartUploadParts — reading the list of uploaded parts of a multipart upload via the S3 API
  • s3:PutBucketCORS — setting the CORS configuration of the container
  • s3:PutBucketVersioning — enabling and disabling container versioning
  • s3:PutObject — adding an object to the container (upload or copy)

Conditions

A condition defines the cases in which the rule applies. A condition consists of a key, an operator and values.

If evaluating the condition returns true, the condition is satisfied.

Keys

One key can be used in multiple conditions. A key can be assigned multiple values.

  • aws:CurrentTime — compares the date and time of the request with the value specified in the condition.
  • aws:Referer — compares the Referer header of the request with the value specified in the condition. Example: https://example.com/
  • aws:PrincipalType — specifies the type of entity making the request. Possible values: Account, User, AssumedRole, Anonymous.
  • aws:SecureTransport — checks whether the request was sent over SSL/TLS. Possible values: true or false.
  • aws:SourceIp — compares the IP address of the request with the value from the condition.
  • aws:UserAgent — compares the User-Agent of the request with the value from the condition. Example values: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0), Gecko/20100101, Firefox/47.0.
  • aws:userid — compares the user identifier with the value from the condition. Example value: 9103a81de217448d908e53ac60c84acb
  • aws:username — compares the username with the value from the condition.
  • s3:authType — restricts incoming requests to the authentication method specified in the condition. Example values: REST-HEADER, REST-QUERY-STRING, POST.
  • s3:delimiter — specifies the delimiter that user requests must include. Example value: /
  • s3:max-keys — sets the maximum number of keys returned by a ListBucket request.
  • s3:prefix — restricts access by prefix in the key name.
  • s3:signatureAge — the validity period of the signature in the authentication request (in milliseconds).
  • s3:signatureversion — specifies the AWS signature version for authentication requests. Example values: AWS, AWS4-HMAC-SHA256.
  • s3:versionid — restricts access to a specific version of the object. Example value: L4kqtJlcpXroDTDmpUMLUo
  • s3:x-amz-content-sha256 — disallows unsigned content in the request.
  • s3:x-amz-copy-source — restricts the copy source to a specific container, prefix, or object.
  • s3:x-amz-metadata-directive — forces the choice between copy and replace when copying objects.
  • s3:x-amz-server-side-encryption — requires server-side encryption.
  • s3:x-amz-storage-class — restricts access by storage class.

Operators

Operators compare the value from the request with the value specified for the key in the condition.

Numeric operators: the number from the request is compared with the number specified in the condition.

  • NumericEquals — the value is equal to the value specified in the condition
  • NumericGreaterThan — the value is greater than the value specified in the condition
  • NumericGreaterThanEquals — the value is greater than or equal to the value specified in the condition
  • NumericLessThan — the value is less than the value specified in the condition
  • NumericLessThanEquals — the value is less than or equal to the value specified in the condition
  • NumericNotEquals — the value is not equal to the value specified in the condition
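The rule-combination order from the Rules section (Deny wins, no match means denied), the ${variable} substitution from the Resources section, and the StringEquals and Numeric operators above, combined in one small policy evaluator. This is an added illustration, not the storage provider's implementation; it assumes a request is a dict with principal, action, resource and a context dict of condition-key values, and it implements only the positive operator forms.

```python
import fnmatch
import re
# Operators from this page (positive forms): the request value must match ANY listed value.
_OPS = {
    "StringEquals": lambda a, b: str(a) == str(b),
    "NumericEquals": lambda a, b: float(a) == float(b),
    "NumericLessThan": lambda a, b: float(a) < float(b),
    "NumericLessThanEquals": lambda a, b: float(a) <= float(b),
    "NumericGreaterThan": lambda a, b: float(a) > float(b),
    "NumericGreaterThanEquals": lambda a, b: float(a) >= float(b),
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _expand(resource, ctx):
    # Substitute ${key} variables such as ${aws:userid} from the request context.
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: str(ctx.get(m.group(1), m.group(0))), resource)

def _principal_matches(principal, caller):
    ids = principal if isinstance(principal, str) else principal.get("AWS", [])
    return any(p in ("*", caller) for p in _as_list(ids))

def _condition_matches(condition, ctx):
    for op, keys in condition.items():
        for key, wanted in keys.items():
            if key not in ctx or not any(
                    _OPS[op](ctx[key], w) for w in _as_list(wanted)):
                return False
    return True

def _statement_matches(stmt, req):
    ctx = req.get("context", {})
    return (_principal_matches(stmt["Principal"], req["principal"])
            and any(fnmatch.fnmatchcase(req["action"], a)
                    for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(req["resource"], _expand(r, ctx))
                    for r in _as_list(stmt["Resource"]))
            and _condition_matches(stmt.get("Condition", {}), ctx))

def evaluate(policy, req):
    """True only if some Allow matches and no Deny matches (Deny wins)."""
    allowed = False
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, req):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Running the page's example policy through evaluate() shows that s3:GetObject is refused even for objects under the caller's own ${aws:userid} prefix, because the explicit Deny overrides the Allow.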