General information about access policies

Access to a container can be specified through an access policy (Bucket policy). A policy consists of rules that allow or deny actions with a resource (container or group of objects) for all or selected principals (users). The basic principle is that if an access policy is created, everything that is not allowed is prohibited.

The access policy only works with the S3 API.

The access policy has a maximum size limit of 20 KB.

An access policy can apply to any user who is allowed to access the storage according to the role model, and also defines access for users with the Object Storage User role. For more information about the interaction between the role model and access policies, see Managing Access in Object Storage.

Only users with the role of Account Owner, Account Administrator, or Administrator of the project in which the container resides can manage access policies.

Create and manage access policies You can create and manage them in the control panel or via the S3 API according to the requirements of the policy structure. policy structure.

Access policy structure⁠

The access policy has a JSON structure. Example policy:

{
  "Id": "my-bucket-policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowObjectDeletion",
      "Effect": "Allow",
      "Principal": {
          "AWS": [
             "*"
          ]
      },
      "Action": [
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::container-name",


        "arn:aws:s3:::container-name/*",


        "arn:aws:s3:::container-name/${aws:userid}/*"


      ],
      "Condition": {
        "StringEquals": {
          "aws:UserAgent": [
            "storage-test-user-agent"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::container-name/*"


    }
  ]
}

Policy Content:

Field	Description	Data type	Mandatory
Id	Policy identifier, can be any	String	✗
Version	Access policy version, value is a constant: `"2012-10-17"`	String	✓
Statement	Array of rules	Array	✓
Sid	Name of the rule	String	✗
Effect	Rule type `(Allow` or `Deny`)	String	✓
Principal:AWS	Principals (user IDs or `*` for all requests)	Array of strings or string	✓
Actions	Actions or `*` for all actions	Array of string whether string	✓
Resources	Resources subject to the rule	Array of strings or string	✓
Condition	An array of conditions represented in the format : `[operator]:[key]:[array of key values].`	Array	✗

Rules⁠

Rules are of two types: Allow (Allow) and Deny (Deny).

The authorization or prohibition applies to the actions, resources, and principals added to the rule.

If a policy contains multiple rules, they are applied as follows:

if at least one permissive rule is met, access will be allowed;
if at least one deny rule is executed, access will be denied;
if both permissive and deny rules are executed simultaneously, access will be denied;
if no rule is executed, access will be denied.

Principals⁠

The rule applies to requests from principals (users):

user identifiers are specified for authorized requests of certain users ((( you can view the service user identifier in the control panel);
to all authorized and unauthorized requests, indicated by the * symbol.

You can add control panel users as principals in access policies only when configuring the policy through the control panel.

Resources⁠

Resources — the container or set of objects to which the rule will apply. You can specify only the resources associated with the container for which the policy is configured.

Resources can be specified in formats:

arn:aws:s3:::<container-name> — container resource, you can specify only one resource of this format (the container for which the policy is configured). The resource will work for actions The resource will work for actions related to customizing the container, and does not apply to its objects;
arn:aws:s3:::<container-name>/<prefix> — container object resource, where <prefix> — is the prefix to which objects will be subject to the rule. If you specify *, all objects of the container will be included in the resource;
arn:aws:s3::::<container-name>/${<variable-name>} — container object resource, where <variable-name> — is the name of a wildcard variable ( key), which acts as a prefix.

Actions⁠

If you specify *, all actions will be included in the rule.

s3:AbortMultipartUpload	Interrupting segmented object loading via S3 API
s3:DeleteBucket	Removing a container
s3:DeleteObject	Deleting an object
s3:DeleteObjectVersion	Deleting a version of an object
s3:GetBucketCORS	Getting the CORS configuration of the container
s3:GetBucketLocation	Getting the pool where the container is located
s3:GetBucketVersioning	Getting information about container versioning (enabled or not)
s3:GetObject	Reading an object
s3:GetObjectVersion	Reading a specific version of an object
s3:ListBucket	Reading the list of objects in the container (all or some of them)
s3:ListBucketMultipartUploads	Reading the list of objects that are in the process of segmented loading via S3 API
s3:ListBucketVersions	Reading metadata of all versions of objects in the container
s3:ListMultipartUploadParts	Reading the list of loaded object parts during segmented loading via S3 API
s3:PutBucketCORS	Setting the CORS configuration of the container
s3:PutBucketVersioning	Connecting and disconnecting container versioning
s3:PutObject	Adding an object to a container (loading or copying)

Terms and conditions⁠

A condition defines in which cases the rule will work. A condition consists of a key, an operator and a value.

If the condition returns true, the condition is satisfied.

Keys⁠

One key can be used in multiple conditions. Multiple values can be assigned to a key.

aws:CurrentTime	Compares the date and time of the request to the value specified in the condition
aws:Referer	Compares the Referer header in the request to the value specified in the condition. Example: `https://example.com/`
aws:PrincipalType	Specifies the type of entity being queried. Possible values: `Account` `User` `AssumedRole` `Anonymous`
aws:SecureTransport	Checks if the request was sent using SSL/TLS encryption. Possible values: `True` or `false`
aws:SourceIp	Compares the IP address from the request with the value from the condition
aws:UserAgent	Compares the UserAgent from the query with the value from the condition. Examples of values: `Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0)` `Gecko/20100101` `Firefox/47.0.`
aws:userid	Compares the user ID with the value from the condition. Example value: `9103a81de217448d908e53ac60c84acb`
aws:username	Compares the username with the value from the condition
s3:authType	Restricts incoming requests to the authentication method specified in the condition. Examples of values: `REST-HEADER` `REST-QUERY-STRING` `POST`
s3:delimiter	Specifies the delimiter that user requests should include. Example value: `/`
s3:max-keys	Sets the maximum number of keys returned on a ListBucket query
s3:prefix	Restricts access by prefix in the key name
s3:signatureAge	Determines the validity time of the signature in the authentication request (in milliseconds)
s3:signatureversion	Specifies the AWS signature version for authentication requests. Examples of values: `AWS` `AWS4-HMAC-SHA256`
s3:versionid	Specifies access to a specific version of the object. Example value: `L4kqtJlcpXroDTDDmpUMLUo`
s3:x-amz-content-sha256	Prohibits unsigned content in the request
s3:x-amz-copy-source	Restricts the copy source to a specific container, prefix, or object
s3:x-amz-metadata-directive	Sets the forced selection of copy or replace when copying objects
s3:x-amz-server-side-encryption	Requires server-side encryption
s3:x-amz-storage-class	Restricts access by storage class

Operators⁠

The operators compare the values from the resource request to the value specified in the key value in the condition.

The number from the query is compared to the number specified in the condition.

NumericEquals	The value is equal to the value given in the condition
NumericGreaterThan	Value greater than the value specified in the condition
NumericGreaterThanEquals	Value greater than or equal to the value specified in the condition
NumericLessThan	Value less than the value specified in the condition
NumericLessThanEquals	Value less than or equal to the value specified in the condition
NumericNotEquals	The value is not equal to the value specified in the condition

The string from the query is compared to the string specified in the condition.

StringEquals	The value corresponds to the value specified in the condition (case sensitive)
StringEqualsIgnoreCase	The value corresponds to the value specified in the condition (case insensitive)
StringLike	The value matches the pattern given in the condition. Use symbols for substitution: `*` — of several characters; — single character
StringNotEqualsThan	Value does not match the value specified in the condition (case sensitive)
StringNotEqualsIgnoreCase	Value does not match the value specified in the condition (case insensitive)
StringNotLike	The value does not match the pattern specified in the condition. Use symbols for substitution: `*` — of several characters; — single character

The date and time from the query is compared to the date and time specified in the condition.

DateEquals	Corresponds to the set date
DateGreaterThan	Corresponds to a date later than the specified date
DateGreaterThanEquals	Matches the set date or later date
DateLessThan	Corresponds to a date earlier than the specified date
DateLessThanEquals	Matches the set date or earlier date
DateNotEquals	Does not correspond to the set date

The CIDR-formatted IP address from the request is compared to the IP address from the condition.

IPAddress	The key value corresponds to the specified IP address or is within the range of addresses
NotIPAddress	The key value does not match the specified IP address or is not in the address range

The Bool operator compares the logical value from the query ( true or false) to the value from the key.

The condition is satisfied if the value from the query matches the value from the condition.

The IfExists operator allows you to relax a condition in case the key specified in the condition is not present in the query.

IfExists can only be used in conjunction with other operators (except for Null). Addition format: <operator name>IfExists — For example, StringEqualsIfExists.

The data type corresponds to the data type of the statement to which IfExists is appended.

Satisfying a condition with IfExists depends on whether the key from the query is present in the condition:

if the key is present, the condition is processed according to the rules of the operator with which IfExists was used and can take the value true or false;
if the key is missing, the condition takes the value true.

The Null operator checks if the key from the query exists in the condition.

The data type is boolean.

The condition with the Null operator is satisfied:

if there is no key from the condition in the query;
if the key is present in the query but its value is not specified.

General information about access policies

Access policy structure⁠​

Rules⁠​

Principals⁠​

Resources⁠​

Actions⁠​

Terms and conditions⁠​

Keys⁠​

Operators⁠​