Access Policy

Container access policy

Access to a container can be set through a Bucket policy. The policy consists of rulesthat authorize or prohibit actions с resource (by container or group of objects) for all or selected objects principals (users). The basic principle is that if an access policy is created, everything that is not allowed is forbidden.

The access policy only works with S3 API.

The access policy has a maximum size limit of 20 KB.

The access policy may apply to any user who is authorized to access the storage in accordance with the role modeland also defines access for users with the Object Storage User role. For more information about the interaction between the role model and access policies, see the following instructions Manage access in object storage.

Only users with role The Account Owner, Account Administrator, or Administrator of the project where the container resides.

Create access policies and can be managed in the control panel or via the S3 API according to the requirements of the policy framework.

Access Policy Structure

The access policy has a JSON structure. Example policy:

{
  "Id": "my-bucket-policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowObjectDeletion",
      "Effect": "Allow",
      "Principal": {
          "AWS": [
             "*"
          ]
      },
      "Action": [
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::container-name",

        "arn:aws:s3:::container-name/*",

        "arn:aws:s3:::container-name/${aws:userid}/*"

      ],
      "Condition": {
        "StringEquals": {
          "aws:UserAgent": [
            "storage-test-user-agent"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::container-name/*"

    }
  ]
}

Policy Content:

Field	Description	Data type	Mandatory
Id	Policy identifier, can be any	String	✗
Version	Access policy version, value is a constant: `"2012-10-17"`	String	✓
Statement	Array rules	Array	✓
Sid	Name of the rule	String	✗
Effect	Rule type (`Allow` or `Deny`)	String	✓
Principal:AWS	Principals (user IDs or `*` for all requests)	Array of strings or string	✓
Actions	Actions or `*` for all actions	Array of string whether string	✓
Resources	Resourcessubject to the rule	Array of strings or string	✓
Condition	Array conditionspresented in a format: `[оператор]:[ключ]:[массив значений ключа]`	Array	✗

Rules

Rules are of two types: permissive (Allow) and prohibitive (Deny).

The authorization or prohibition applies to actions, resources и principalsadded to the rule.

If a policy contains multiple rules, they are applied as follows:

if at least one permissive rule is met, access will be allowed;
if at least one deny rule is executed, access will be denied;
if both permissive and deny rules are executed simultaneously, access will be denied;
if no rule is executed, access will be denied.

Principals

The rule applies to requests from principals (users):

on authorized requests of certain users, user identifiers (view service user ID can be found in the control panel);
to all authorized and unauthorized requests, indicated by the symbol *.

Add as principals control panel users to access policies can only be configured when configuring the policy through the control panel.

Resources

Resources — the container or set of objects to which the rule will apply. You can specify only the resources associated with the container for which the policy is configured.

Resources can be specified in formats:

arn:aws:s3:::<container-name> — container resource, you can specify only one resource of this format (the container for which the policy is configured). The resource will work for actionsThe following table describes the configuration of the container and does not apply to its objects;
arn:aws:s3:::<container-name>/<prefix> — the resource of container objects, where <prefix> — prefix to which objects will be subject to the rule. If you specify *The resources will include all objects in the container;
arn:aws:s3:::<container-name>/${<variable-name>} — the resource of container objects, where <variable-name> — substitution variable name (key), which acts as a prefix.

Actions

If you specify *, all actions will be included in the rule.

s3:AbortMultipartUpload	Interruption segmented loading of an object through the S3 API
s3:DeleteObject	Deleting an object
s3:DeleteObjectVersion	Deleting a version of an object
s3:GetBucketCORS	Receipt CORS configurations container
s3:GetBucketLocation	Receipt poolthat holds the container
s3:GetBucketVersioning	Getting information about container versioning (enabled or not)
s3:GetObject	Reading an object
s3:GetObjectVersion	Reading a specific version of an object
s3:ListBucket	Reading the list of objects in the container (all or some of them)
s3:ListBucketMultipartUploads	Reading the list of objects that are in process segmented loading via the S3 API
s3:ListBucketVersions	Reading metadata of all versions of objects in the container
s3:ListMultipartUploadParts	Reading the list of loaded object parts at segmented loading via the S3 API
s3:PutBucketCORS	Setting the CORS configuration of the container
s3:PutBucketVersioning	Connecting and disconnecting container versioning
s3:PutObject	Adding an object to a container (download or copying)

Terms and conditions

A condition defines in which cases the rule will work. A condition consists of key, operator and meanings.

If as a result of the condition execution the value is returned truethe condition is satisfied.

Keys

One key can be used in multiple conditions. Multiple values can be assigned to a key.

aws:CurrentTime	Compares the date and time of the request to the value specified in the condition
aws:Referer	Compares the Referer header in the request to the value specified in the condition. Example: `https://example.com/`
aws:PrincipalType	Specifies the type of entity being queried. Possible values: `Account` `User` `AssumedRole` `Anonymous`
aws:SecureTransport	Checks if the request was sent using SSL/TLS encryption. Possible values: `true` or `false`
aws:SourceIp	Compares the IP address from the request with the value from the condition
aws:UserAgent	Compares the UserAgent from the query with the value from the condition. Examples of values: `Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0)` `Gecko/20100101` `Firefox/47.0`
aws:userid	Compares the identifier user with the value from the condition. Example Value: `9103a81de217448d908e53ac60c84acb`
aws:username	Compares the username with the value from the condition
s3:authType	Restricts incoming requests to the authentication method specified in the condition. Examples of values: `REST-HEADER` `REST-QUERY-STRING` `POST`
s3:delimiter	Specifies the delimiter that user requests should include. Example Value: `/`
s3:max-keys	Sets the maximum number of keys returned on a ListBucket request
s3:prefix	Restricts access by prefix in the key name
s3:signatureAge	Determines the validity time of the signature in the authentication request (in milliseconds)
s3:signatureversion	Specifies the AWS signature version for authentication requests. Examples of values: `AWS` `AWS4-HMAC-SHA256`
s3:versionid	Specifies access to a specific version of the object. Example Value: `L4kqtJlcpXroDTDmpUMLUo`
s3:x-amz-content-sha256	Disallows unsigned content in the request
s3:x-amz-copy-source	Restricts the copy source to a specific container, prefix, or object
s3:x-amz-metadata-directive	Sets the forced selection of copy or replace when copying objects
s3:x-amz-server-side-encryption	Requires server-side encryption
s3:x-amz-storage-class	Restricts access by storage class

Operators

The operators compare the values from the resource request to the value specified in the key value in the condition.

The number from the query is compared to the number specified in the condition.

NumericEquals	The value is equal to the value given in the condition
NumericGreaterThan	Value greater than the value specified in the condition
NumericGreaterThanEquals	Value greater than or equal to the value specified in the condition
NumericLessThan	Value less than the value specified in the condition
NumericLessThanEquals	The value is less than or equal to the value specified in the condition
NumericNotEquals	The value is not equal to the value specified in the condition

The string from the query is compared to the string specified in the condition.

StringEquals	The value corresponds to the value specified in the condition (case sensitive)
StringEqualsIgnoreCase	The value corresponds to the value specified in the condition (case insensitive)
StringLike	The value matches the pattern given in the condition. Use symbols for substitution: `*` — of several characters; `?` — single character
StringNotEqualsThan	Value does not match the value specified in the condition (case sensitive)
StringNotEqualsIgnoreCase	Value does not match the value specified in the condition (case insensitive)
StringNotLike	The value does not match the pattern specified in the condition. Use symbols for substitution: `*` — of several characters; `?` — single character

The date and time from the query is compared to the date and time specified in the condition.

DateEquals	Corresponds to the set date
DateGreaterThan	Corresponds to a date later than the specified date
DateGreaterThanEquals	Matches the set date or later date
DateLessThan	Corresponds to a date earlier than the specified date
DateLessThanEquals	Matches the set date or earlier date
DateNotEquals	Does not match the set date

The CIDR-formatted IP address from the request is compared to the IP address from the condition.

IPAddress	The key value corresponds to the specified IP address or is within the range of addresses
NotIPAddress	The key value does not match the specified IP address or is not in the address range

Operator Bool compares the boolean value from the query (true or false) with the value from the key.

The condition is satisfied if the value from the query matches the value from the condition.

Operator IfExists allows you to relax the condition in case the key specified in the condition is not present in the query.

IfExists can only be used in conjunction with other operators (except for Null). Addendum Format: <имя оператора>IfExists — For example, StringEqualsIfExists.

The data type corresponds to the data type of the operator to which it is added IfExists.

Satisfying the condition with IfExists depends on whether the key from the query is present in the condition:

if the key is present, the condition is processed according to the rules of the operator with which it was used IfExists and may take the value true or false;
if the key is missing, the condition takes the value true.

Operator Null checks if the key from the query is present in the condition.

The data type is boolean.

Condition with operator Null is satisfied:

if there is no key from the condition in the query;
if the key is present in the query but its value is not specified.