Container access policy
Access to a container can be set through a bucket policy. The policy consists of rules that allow or deny actions on a resource (the container or a group of its objects) for all or selected principals (users). The basic principle is that once an access policy is created, everything that is not explicitly allowed is forbidden.
The access policy only works with the S3 API.
The access policy has a maximum size of 20 KB.
The access policy can apply to any user who is authorized to access the storage according to the role model, and it also defines access for users with the Object Storage User role. For more information about how the role model and access policies interact, see the instructions Manage access in object storage.
Only users with the Account Owner, Account Administrator, or Administrator role in the project where the container resides can create access policies.
Access policies can be created and managed in the control panel or via the S3 API, in accordance with the policy structure described below.
Access policy structure
The access policy has a JSON structure. Example policy:
{
  "Id": "my-bucket-policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowObjectDeletion",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "*"
        ]
      },
      "Action": [
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::container-name",
        "arn:aws:s3:::container-name/*",
        "arn:aws:s3:::container-name/${aws:userid}/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:UserAgent": [
            "storage-test-user-agent"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::container-name/*"
    }
  ]
}
Policy content:
Rules
Rules are of two types: permissive (Allow) and prohibitive (Deny).
The permission or prohibition applies to the actions, resources and principals added to the rule.
If a policy contains multiple rules, they are applied as follows:
- if at least one Allow rule matches, access is allowed;
- if at least one Deny rule matches, access is denied;
- if both an Allow rule and a Deny rule match at the same time, access is denied;
- if no rule matches, access is denied.
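The precedence rules above can be checked against the page's own example policy. The evaluator below is an added example, not code from the original page or from the storage provider: it substitutes ${aws:userid} into resources, matches actions and resources with `*` wildcards, and supports only the StringEquals condition operator from the example (the request context dictionary and its keys are assumptions, not a provider API).

```python
import fnmatch
import json
import re
from typing import Any

# The example policy from this page, copied verbatim as the policy under test.
PAGE_POLICY = json.loads("""
{
  "Id": "my-bucket-policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowObjectDeletion",
      "Effect": "Allow",
      "Principal": {"AWS": ["*"]},
      "Action": ["s3:DeleteObject"],
      "Resource": [
        "arn:aws:s3:::container-name",
        "arn:aws:s3:::container-name/*",
        "arn:aws:s3:::container-name/${aws:userid}/*"
      ],
      "Condition": {"StringEquals": {"aws:UserAgent": ["storage-test-user-agent"]}}
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::container-name/*"
    }
  ]
}
""")


def _as_list(value: Any) -> list:
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _substitute(resource: str, ctx: dict) -> str:
    """Replace ${key} placeholders (e.g. ${aws:userid}) with request-context values.
    A placeholder with no value in the context is left as-is, so it never matches."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx.get(m.group(1), m.group(0))), resource)


def _principal_matches(principal: Any, ctx: dict) -> bool:
    """'*' matches every request, authorised or not; otherwise match the user id."""
    ids = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
    return "*" in ids or ctx.get("aws:userid") in ids


def _condition_matches(condition: dict, ctx: dict) -> bool:
    """Minimal Condition support: StringEquals only; every clause must hold."""
    for operator_name, clauses in condition.items():
        if operator_name != "StringEquals":
            raise NotImplementedError(f"operator {operator_name} is not handled in this example")
        for key, allowed in clauses.items():
            if ctx.get(key) not in _as_list(allowed):
                return False
    return True


def _statement_matches(stmt: dict, ctx: dict) -> bool:
    """A statement matches when principal, action, resource and condition all match."""
    action_ok = any(fnmatch.fnmatchcase(ctx["action"], a) for a in _as_list(stmt.get("Action")))
    resource_ok = any(
        fnmatch.fnmatchcase(ctx["resource"], _substitute(r, ctx)) for r in _as_list(stmt.get("Resource"))
    )
    return (
        _principal_matches(stmt.get("Principal"), ctx)
        and action_ok
        and resource_ok
        and _condition_matches(stmt.get("Condition", {}), ctx)
    )


def evaluate(policy: dict, ctx: dict) -> str:
    """Page precedence: any matching Deny wins, else any matching Allow, else implicit Deny."""
    matched = [s["Effect"] for s in policy["Statement"] if _statement_matches(s, ctx)]
    if "Deny" in matched:
        return "Deny"
    if "Allow" in matched:
        return "Allow"
    return "Deny"  # nothing matched: everything not explicitly allowed is forbidden


if __name__ == "__main__":
    # Constructed request context (not a real request log).
    request = {
        "action": "s3:DeleteObject",
        "resource": "arn:aws:s3:::container-name/docs/report.txt",
        "aws:userid": "user-1234",
        "aws:UserAgent": "storage-test-user-agent",
    }
    print(evaluate(PAGE_POLICY, request))
```

Note that the anonymous request case falls out of the principal check: with no aws:userid in the context, only a `*` principal can match, which is exactly what the page says `*` means.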
Principals
The rule applies to requests from principals (users):
- authorized requests from specific users, identified by user ID (the service user ID can be found in the control panel);
- all authorized and unauthorized requests, indicated by the symbol *.
Control panel users can be added as principals only when the policy is configured through the control panel.
Resources
Resources — the container or set of objects to which the rule will apply. You can specify only resources that belong to the container for which the policy is configured.
Resources can be specified in the following formats:
- arn:aws:s3:::<container-name> — the container resource; only one resource of this format can be specified (the container for which the policy is configured). This resource applies to actions that configure the container and does not apply to its objects;
- arn:aws:s3:::<container-name>/<prefix> — the resource for the container's objects, where <prefix> is the prefix whose objects will be subject to the rule. If you specify *, the resource includes all objects in the container;
- arn:aws:s3:::<container-name>/${<variable-name>} — the resource for the container's objects, where <variable-name> is the name (key) of a substitution variable that acts as the prefix.
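A policy is rejected if it exceeds the size limit or references resources outside its own container, so it is useful to lint a policy document before submitting it. The validator below is an added example, not the provider's own checks: it enforces the 20 KB limit (measured here on the compact JSON serialization, an assumption), the Allow/Deny effects, the three resource formats from the list above, and it flags Allow rules whose principal is `*`, since the page states that `*` also covers unauthorized requests.

```python
import json
import re

MAX_POLICY_BYTES = 20 * 1024  # the page states a 20 KB limit on the policy
_ARN_RE = re.compile(r"^arn:aws:s3:::(?P<container>[^/]+)(?:/(?P<suffix>.*))?$")


def classify_resource(resource: str, container: str) -> str:
    """Return 'container', 'objects' or 'variable' for an ARN that belongs to `container`.
    Raise ValueError for malformed ARNs or ARNs that name another container."""
    m = _ARN_RE.match(resource)
    if not m or m.group("container") != container:
        raise ValueError(f"resource {resource!r} does not belong to container {container!r}")
    suffix = m.group("suffix")
    if suffix is None:
        return "container"          # arn:aws:s3:::<container-name>
    if suffix.startswith("${") and suffix.find("}") > 2:
        return "variable"           # arn:aws:s3:::<container-name>/${<variable-name>}...
    return "objects"                # arn:aws:s3:::<container-name>/<prefix>


def validate_policy(policy: dict, container: str) -> list:
    """Collect problems and warnings for a policy; an empty list means it passed these checks."""
    findings = []
    encoded = json.dumps(policy, separators=(",", ":")).encode("utf-8")
    if len(encoded) > MAX_POLICY_BYTES:
        findings.append(f"error: policy is {len(encoded)} bytes, limit is {MAX_POLICY_BYTES}")

    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["error: Statement must be a non-empty list"]

    for i, stmt in enumerate(statements):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"error: statement {i}: Effect must be Allow or Deny")
        for field in ("Principal", "Action", "Resource"):
            if field not in stmt:
                findings.append(f"error: statement {i}: missing {field}")

        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            try:
                classify_resource(res, container)
            except ValueError as exc:
                findings.append(f"error: statement {i}: {exc}")

        # '*' as principal covers unauthorized requests too; an Allow with it deserves a second look.
        principal = stmt.get("Principal")
        ids = principal.get("AWS") if isinstance(principal, dict) else principal
        ids = [ids] if isinstance(ids, str) else (ids or [])
        if stmt.get("Effect") == "Allow" and "*" in ids:
            findings.append(f"warning: statement {i}: Allow applies to unauthorized requests (Principal '*')")
    return findings


if __name__ == "__main__":
    # Constructed policy that references another container, to show the error path.
    bad = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                          "Resource": "arn:aws:s3:::other-container/*"}]}
    for line in validate_policy(bad, "container-name"):
        print(line)
```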
Actions
If you specify *, all actions will be included in the rule.
Conditions
A condition defines the cases in which the rule will apply. A condition consists of a key, an operator and values.
If evaluating the condition returns true, the condition is satisfied.
Keys
The same key can be used in multiple conditions, and a key can be assigned multiple values.
Operators
The operators compare the value from the request with the value assigned to the key in the condition. Operators are grouped by data type:
- Numbers: the number from the request is compared to the number specified in the condition.
- Strings: the string from the request is compared to the string specified in the condition.
- Date and time: the date and time from the request is compared to the date and time specified in the condition.
- IP addresses: the IP address from the request is compared to the CIDR-formatted IP address range from the condition.
- Bool, IfExists and Null: described below.
The Bool operator compares the boolean value from the request (true or false) with the value of the key.
The condition is satisfied if the value from the request matches the value from the condition.
The IfExists operator relaxes a condition for the case where the key specified in the condition is not present in the request.
IfExists can only be used in conjunction with other operators (except Null). It is appended to the operator name in the format <operator-name>IfExists, for example StringEqualsIfExists.
The data type is that of the operator to which IfExists is appended.
Whether a condition with IfExists is satisfied depends on whether the key named in the condition is present in the request:
- if the key is present, the condition is evaluated according to the rules of the operator that IfExists was appended to, and may take the value true or false;
- if the key is missing, the condition takes the value true.
The Null operator checks whether the key named in the condition is present in the request.
The data type is boolean.
A condition with the Null operator is satisfied:
- if the key from the condition is absent from the request;
- if the key is present in the request but its value is not specified.
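To show how the operator groups, the IfExists suffix and the Null operator combine, the evaluator below is an added example, not provider code: it evaluates a whole Condition block against a request context, treating clauses as AND-ed and the values of one key as OR-ed (for Not-operators, all values must differ). Condition keys other than aws:UserAgent and aws:userid (aws:SourceIp, aws:SecureTransport, aws:CurrentTime, s3:max-keys) are standard AWS keys used for illustration; their support by a given provider is an assumption, as is the "false" case of Null, which follows from the page's statement that its data type is boolean.

```python
import fnmatch
import ipaddress
import operator as op
from datetime import datetime


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _parse_bool(value) -> bool:
    return str(value).lower() == "true"


def _parse_date(value: str) -> datetime:
    # ISO 8601 with a trailing Z, e.g. 2024-06-01T12:00:00Z
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))


def _in_cidr(address: str, network: str) -> bool:
    return ipaddress.ip_address(address) in ipaddress.ip_network(network, strict=False)


# operator name -> (value parser, comparator(request_value, condition_value))
_OPERATORS = {
    "StringEquals": (str, op.eq),
    "StringNotEquals": (str, op.ne),
    "StringLike": (str, lambda a, b: fnmatch.fnmatchcase(a, b)),
    "NumericEquals": (float, op.eq),
    "NumericLessThan": (float, op.lt),
    "NumericLessThanEquals": (float, op.le),
    "NumericGreaterThan": (float, op.gt),
    "NumericGreaterThanEquals": (float, op.ge),
    "DateLessThan": (_parse_date, op.lt),
    "DateGreaterThan": (_parse_date, op.gt),
    "IpAddress": (str, _in_cidr),
    "NotIpAddress": (str, lambda a, b: not _in_cidr(a, b)),
    "Bool": (_parse_bool, op.eq),
}


def _evaluate_clause(name: str, request_value, condition_values: list) -> bool:
    """Compare one request value against the key's values; Not-operators require all to hold."""
    parse, compare = _OPERATORS[name]
    results = [compare(parse(request_value), parse(v)) for v in condition_values]
    return all(results) if "Not" in name else any(results)


def _null_clause(ctx: dict, key: str, values: list) -> bool:
    """Null: with value true, satisfied when the key is absent or empty; with false, when present."""
    expect_absent = _parse_bool(values[0])
    present = key in ctx and ctx[key] not in (None, "")
    return (not present) == expect_absent


def evaluate_condition(condition: dict, ctx: dict) -> bool:
    """True only if every clause of the Condition block holds for the request context."""
    for operator_name, clauses in condition.items():
        for key, values in clauses.items():
            values = _as_list(values)
            if operator_name == "Null":
                ok = _null_clause(ctx, key, values)
            else:
                base, if_exists = operator_name, False
                if base.endswith("IfExists"):
                    base, if_exists = base[: -len("IfExists")], True
                # Missing key: true only when IfExists relaxes the operator, otherwise false.
                ok = if_exists if key not in ctx else _evaluate_clause(base, ctx[key], values)
            if not ok:
                return False
    return True


if __name__ == "__main__":
    # Constructed request context, not a captured request.
    ctx = {"aws:UserAgent": "storage-test-user-agent", "aws:SourceIp": "192.0.2.10"}
    print(evaluate_condition({"StringEqualsIfExists": {"aws:username": "alice"},
                              "IpAddress": {"aws:SourceIp": "192.0.2.0/24"}}, ctx))
```

The `StringEqualsIfExists` clause above passes because the key is absent, while the same clause written as plain `StringEquals` would fail; that difference is the whole point of the suffix.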