General information about access policies
Access to a container can be specified through an access policy (Bucket policy). A policy consists of rules that allow or deny actions with a resource (container or group of objects) for all or selected principals (users). The basic principle is that if an access policy is created, everything that is not allowed is prohibited.
The access policy only works with the S3 API.
The access policy has a maximum size limit of 20 KB.
An access policy can apply to any user who is allowed to access the storage according to the role model, and also defines access for users with the Object Storage User role. For more information about the interaction between the role model and access policies, see Managing Access in Object Storage.
Only users with the role of Account Owner, Account Administrator, or Administrator of the project in which the container resides can manage access policies.
Create and manage access policies
You can create and manage access policies in the control panel or via the S3 API, following the requirements of the policy structure described below.
Access policy structure
The access policy has a JSON structure. Example policy:
{
  "Id": "my-bucket-policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowObjectDeletion",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "*"
        ]
      },
      "Action": [
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::container-name",
        "arn:aws:s3:::container-name/*",
        "arn:aws:s3:::container-name/${aws:userid}/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:UserAgent": [
            "storage-test-user-agent"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::container-name/*"
    }
  ]
}
Policy content:
Rules
Rules are of two types: Allow and Deny.
The authorization or prohibition applies to the actions, resources, and principals added to the rule.
If a policy contains multiple rules, they are combined as follows:
- if at least one Allow rule matches the request, access is allowed;
- if at least one Deny rule matches the request, access is denied;
- if both an Allow rule and a Deny rule match at the same time, access is denied;
- if no rule matches, access is denied.
Principals
The rule applies to requests from principals (users):
- for authorized requests of specific users, user identifiers are specified (you can view the service user identifier in the control panel);
- for all authorized and unauthorized requests, the * symbol is specified.
You can add control panel users as principals in access policies only when configuring the policy through the control panel.
Resources
Resources are the container or the set of objects to which the rule applies. You can specify only resources associated with the container for which the policy is configured.
Resources can be specified in the following formats:
- arn:aws:s3:::<container-name> — container resource; only one resource of this format can be specified (the container for which the policy is configured). The resource applies to actions related to configuring the container and does not apply to its objects;
- arn:aws:s3:::<container-name>/<prefix> — container object resource, where <prefix> is the prefix of the objects to which the rule applies. If you specify *, all objects in the container are included in the resource;
- arn:aws:s3:::<container-name>/${<variable-name>} — container object resource, where <variable-name> is the name of a wildcard variable (key) that acts as a prefix.
Actions
If you specify *, all actions are included in the rule.
Conditions
A condition defines the cases in which the rule applies. A condition consists of a key, an operator and a value.
If the condition evaluates to true, the condition is satisfied.
Keys
One key can be used in multiple conditions. Multiple values can be assigned to a key.
Operators
Operators compare the values from the request with the values specified for the key in the condition. Operator types:
- Numbers: the number from the request is compared with the number specified in the condition.
- Strings: the string from the request is compared with the string specified in the condition.
- Date and time: the date and time from the request are compared with the date and time specified in the condition.
- IP addresses: the CIDR-formatted IP address from the request is compared with the IP address from the condition.
- Bool: the Bool operator compares the logical value from the request (true or false) with the value of the key. The condition is satisfied if the value from the request matches the value from the condition.
- IfExists: the IfExists operator relaxes a condition for the case where the key specified in the condition is not present in the request. IfExists can only be used together with other operators (except Null), by appending it to the operator name: <operator name>IfExists, for example StringEqualsIfExists. The data type is the data type of the operator to which IfExists is appended. Whether a condition with IfExists is satisfied depends on whether the key from the condition is present in the request:
  - if the key is present, the condition is evaluated according to the rules of the operator with which IfExists was used and can take the value true or false;
  - if the key is missing, the condition takes the value true.
- Null: the Null operator checks whether the key from the condition is present in the request. The data type is boolean. A condition with the Null operator is satisfied:
  - if the key from the condition is absent from the request;
  - if the key is present in the request but its value is not specified.
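To make the rule-combination order from the Rules section and the condition semantics from this section concrete, here is an added Python evaluator; it is not the storage provider's code. It treats a matching Deny as final, allows only when an Allow rule matches, and denies otherwise; * in a resource matches any suffix (prefix semantics) and ${variable} wildcards are substituted from the request context before matching; IfExists and Null follow the rules above, with the Null "false" case assumed to be the inverse of the described "true" case. The sample policy, the condition key aws:SourceIp and the user identifier user-1 are constructed.

```python
import fnmatch
import ipaddress
import re
from datetime import datetime

# Constructed evaluator, not the storage provider's own code. It applies the
# decision rule described on this page (a matching Deny wins, then a matching
# Allow allows, otherwise access is denied) and the IfExists / Null condition
# rules. Condition keys such as aws:SourceIp are illustrative names.

VAR_RE = re.compile(r"\$\{([^}]+)\}")

# Base comparison operators: left operand from the request, right from the condition.
BASE_OPERATORS = {
    "StringEquals": lambda req, cond: req == cond,
    "NumericLessThan": lambda req, cond: float(req) < float(cond),
    "DateLessThan": lambda req, cond: datetime.fromisoformat(req) < datetime.fromisoformat(cond),
    "IpAddress": lambda req, cond: ipaddress.ip_address(req) in ipaddress.ip_network(cond, strict=False),
    "Bool": lambda req, cond: str(req).lower() == str(cond).lower(),
}

def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _expand(resource, ctx):
    """Substitute ${key} wildcard variables from the request context into an ARN."""
    return VAR_RE.sub(lambda m: ctx.get(m.group(1), m.group(0)), resource)

def _condition_ok(operator, key, values, ctx):
    """Evaluate one operator/key pair of a Condition block against the request."""
    if operator == "Null":
        # "true": satisfied when the key is absent or has no value; "false"
        # inverts that (assumption: the page only describes the "true" case).
        absent = ctx.get(key) in (None, "")
        return absent == (str(values[0]).lower() == "true")
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    if key not in ctx:
        return if_exists  # IfExists relaxes the check when the key is missing
    # A key may carry several values; matching any one of them is enough.
    return any(BASE_OPERATORS[base](ctx[key], v) for v in values)

def conditions_ok(condition, ctx):
    """Every operator and every key in a Condition block must be satisfied."""
    return all(_condition_ok(op, key, _as_list(values), ctx)
               for op, keys in condition.items() for key, values in keys.items())

def _statement_matches(stmt, req):
    principal = stmt.get("Principal")
    ids = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
    if "*" not in ids and req["principal"] not in ids:
        return False
    actions = _as_list(stmt.get("Action"))
    if "*" not in actions and req["action"] not in actions:
        return False
    # Resource patterns: "*" matches any suffix (prefix semantics); variables are expanded first.
    patterns = (_expand(r, req["context"]) for r in _as_list(stmt.get("Resource")))
    if not any(fnmatch.fnmatchcase(req["resource"], p) for p in patterns):
        return False
    return conditions_ok(stmt.get("Condition", {}), req["context"])

def evaluate(policy, req):
    """Return "Allow" or "Deny" for a request built with make_request()."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_matches(s, req)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"

def make_request(principal, action, resource, context=None):
    """principal is None for an unauthorized request; context holds condition keys."""
    return {"principal": principal, "action": action, "resource": resource, "context": context or {}}

# Constructed sample policy for container "container-name".
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowOwnPrefixWrites", "Effect": "Allow", "Principal": {"AWS": ["user-1"]},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::container-name/${aws:userid}/*",
     "Condition": {"IpAddressIfExists": {"aws:SourceIp": ["10.0.0.0/8"]}}},
    {"Sid": "AllowListingFromTestClient", "Effect": "Allow", "Principal": "*",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::container-name",
     "Condition": {"StringEquals": {"aws:UserAgent": "storage-test-user-agent"}}},
    {"Sid": "AllowPublicReads", "Effect": "Allow", "Principal": {"AWS": ["user-1"]},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::container-name/public/*"},
    {"Sid": "DenyAllReads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::container-name/*"},
]}

if __name__ == "__main__":
    # Deny wins even though AllowPublicReads also matches this request.
    print(evaluate(POLICY, make_request("user-1", "s3:GetObject",
                                        "arn:aws:s3:::container-name/public/logo.png")))
```

The request context is a flat dict of condition keys; leaving aws:SourceIp out of it shows the IfExists relaxation, and a GetObject request on public/ shows that the Deny rule wins over the Allow rule that also matches.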