Bucket Policy is an authorization policy for Buckets provided by Alibaba Cloud OSS. With a Bucket Policy you can authorize other users to access the OSS resources you specify. For example, you can grant RAM users in the same account or in other accounts different permissions, such as read-only or read-write, to access or manage Bucket resources.
General notes
In all of the following examples, the resource owner (the Bucket Owner, UID 174649585760xxxx) uses a Bucket Policy to grant different permissions to a specified user (for example, the RAM user with UID 27737962156157xxxx). Unlike a RAM Policy, a Bucket Policy also contains a Principal element that specifies the authorized users. The other elements of a Bucket Policy, such as Action and Condition, follow the syntax rules of RAM Policy. For more information about each element, see RAM Policy overview.
Usage notes
- When you configure a Bucket Policy whose authorized user (Principal) is all accounts including anonymous requests (*) and that contains no Condition, the Bucket Policy takes effect only for users other than the Bucket Owner. For more information, see Example 3.
- When you configure a Bucket Policy whose authorized user (Principal) is all accounts including anonymous requests (*) and that does contain a Condition, the Bucket Policy takes effect for all users, including the Bucket Owner. For more information, see Example 5.
Example 1: Grant specified RAM users read and write permissions on a Bucket
The following example grants the RAM users with UIDs 27737962156157xxxx and 20214760404935xxxx read and write permissions on the target bucket examplebucket.
{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "oss:GetObject",
      "oss:PutObject",
      "oss:GetObjectAcl",
      "oss:PutObjectAcl",
      "oss:AbortMultipartUpload",
      "oss:ListParts",
      "oss:RestoreObject",
      "oss:GetVodPlaylist",
      "oss:PostVodPlaylist",
      "oss:PublishRtmpStream",
      "oss:ListObjectVersions",
      "oss:GetObjectVersion",
      "oss:GetObjectVersionAcl",
      "oss:RestoreObjectVersion"
    ],
    "Principal": [
      "27737962156157xxxx",
      "20214760404935xxxx"
    ],
    "Resource": [
      "acs:oss:*:174649585760xxxx:examplebucket/*"
    ]
  }, {
    "Effect": "Allow",
    "Action": [
      "oss:ListObjects"
    ],
    "Principal": [
      "27737962156157xxxx",
      "20214760404935xxxx"
    ],
    "Resource": [
      "acs:oss:*:174649585760xxxx:examplebucket"
    ],
    "Condition": {
      "StringLike": {
        "oss:Prefix": [
          "*"
        ]
      }
    }
  }
  ]
}
Example 2: Grant a specified user read-only permissions on specified directories in a Bucket
The following example grants the RAM user with UID 20214760404935xxxx read-only permissions on the hangzhou/2020 and shanghai/2015 directories in the target bucket examplebucket.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetObject",
        "oss:GetObjectAcl",
        "oss:GetObjectVersion",
        "oss:GetObjectVersionAcl"
      ],
      "Effect": "Allow",
      "Principal": [
        "20214760404935xxxx"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/hangzhou/2020/*",
        "acs:oss:*:174649585760xxxx:examplebucket/shanghai/2015/*"
      ]
    },
    {
      "Action": [
        "oss:ListObjects",
        "oss:ListObjectVersions"
      ],
      "Condition": {
        "StringLike": {
          "oss:Prefix": [
            "hangzhou/2020/*",
            "shanghai/2015/*"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": [
        "20214760404935xxxx"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket"
      ]
    }
  ]
}
Example 3: Grant all users permission only to list all objects in a Bucket
The following example grants all users only the permission to list all objects in the target bucket examplebucket.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:ListObjects",
        "oss:ListObjectVersions"
      ],
      "Effect": "Allow",
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket"
      ]
    }
  ]
}
Example 4: Grant all users permission to read all data and the configuration of a specified Bucket
The following example grants all users permission to read all data in examplebucket and the configuration of that Bucket.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:Get*",
        "oss:ListObjects",
        "oss:ListObjectVersions"
      ],
      "Effect": "Allow",
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket"
      ]
    }
  ]
}
Example 5: Deny access to Bucket resources from sources outside a specified VPC ID and outside a specified internal IP range
The following example denies access to the target bucket examplebucket for requests whose VPC ID is not t4nlw426y44rd3iq4****, and for requests from that VPC whose source IP is not in the 192.168.0.0/16 range. In other words, only the specified IP range inside the specified VPC can access examplebucket (provided the other authentication conditions are met); every other source is denied access to the Bucket. This example is mainly used to restrict the access source.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "acs:SourceVpc": [
            "vpc-t4nlw426y44rd3iq4****"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "acs:SourceVpc": [
            "vpc-t4nlw426y44rd3iq4****"
          ]
        },
        "NotIpAddress": {
          "acs:SourceIp": [
            "192.168.0.0/16"
          ]
        }
      }
    }
  ]
}
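As an added example (not from the original page or from Alibaba Cloud), the following Python script simulates how a Bucket Policy statement list is evaluated against a request, combining Example 3's Allow statement with Example 5's two Deny statements so that both usage notes above (Principal "*" with and without a Condition, and how each treats the Bucket Owner) can be checked. The condition-operator semantics, the treatment of a context key that is absent from the request, and the request/context helper are assumptions modelled on the RAM Policy operators, not OSS's own implementation.

```python
import fnmatch
import ipaddress

OWNER_UID = "174649585760xxxx"  # Bucket Owner UID used throughout the page
BUCKET = "acs:oss:*:174649585760xxxx:examplebucket"
VPC = "vpc-t4nlw426y44rd3iq4****"
# Constructed policy: example 3's Allow (Principal "*", no Condition) plus example 5's two Deny statements.
POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:ListObjects"], "Principal": ["*"], "Resource": [BUCKET]},
    {"Effect": "Deny", "Action": ["oss:GetObject"], "Principal": ["*"], "Resource": [BUCKET + "/*"],
     "Condition": {"StringNotEquals": {"acs:SourceVpc": [VPC]}}},
    {"Effect": "Deny", "Action": ["oss:GetObject"], "Principal": ["*"], "Resource": [BUCKET + "/*"],
     "Condition": {"StringEquals": {"acs:SourceVpc": [VPC]},
                   "NotIpAddress": {"acs:SourceIp": ["192.168.0.0/16"]}}}]}

def _match(op, value, wanted):
    """One condition operator against one context value; None means the key is absent from the request."""
    if value is None:  # assumption: an absent key satisfies only the negated operators
        return op in ("StringNotEquals", "StringNotLike", "NotIpAddress")
    if op in ("StringEquals", "StringNotEquals"):
        hit = value in wanted
    elif op in ("StringLike", "StringNotLike"):
        hit = any(fnmatch.fnmatchcase(value, w) for w in wanted)
    elif op in ("IpAddress", "NotIpAddress"):
        hit = any(ipaddress.ip_address(value) in ipaddress.ip_network(w, strict=False) for w in wanted)
    else:
        raise ValueError("unsupported operator: " + op)
    return hit if op in ("StringEquals", "StringLike", "IpAddress") else not hit

def _applies(stmt, req):
    """A statement applies only if Principal, Action, Resource and every Condition entry match."""
    if "*" in stmt["Principal"]:
        if req["uid"] == OWNER_UID and "Condition" not in stmt:
            return False  # first usage note: "*" without a Condition does not cover the Bucket Owner
    elif req["uid"] not in stmt["Principal"]:
        return False
    if not any(fnmatch.fnmatchcase(req["action"], a) for a in stmt["Action"]):
        return False
    if not any(fnmatch.fnmatchcase(req["resource"], r) for r in stmt["Resource"]):
        return False
    return all(_match(op, req["ctx"].get(key), wanted)
               for op, keys in stmt.get("Condition", {}).items() for key, wanted in keys.items())

def evaluate(policy, req):
    """'Deny' if any Deny statement applies, else 'Allow' if any Allow applies, else 'NoMatch'."""
    effects = {s["Effect"] for s in policy["Statement"] if _applies(s, req)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else "NoMatch"

def request(uid, action, resource, vpc=None, ip=None):
    return {"uid": uid, "action": action, "resource": resource, "ctx": {"acs:SourceVpc": vpc, "acs:SourceIp": ip}}
```

A result of NoMatch means the Bucket Policy itself neither allows nor denies the request, so the other authentication conditions the page mentions decide the outcome.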
Example 6: Deny access to Bucket resources from sources outside a specified VPC ID and not from a specified public IP address
The following example denies access to the target bucket examplebucket for users whose VPC ID is not t4nlw426y44rd3iq4**** and whose public IP address is not 192.0.2.0. In other words, only requests from VPC ID t4nlw426y44rd3iq4**** or from the public IP address 192.0.2.0 can access examplebucket (provided the other authentication conditions are met); every other source is denied access to the Bucket. This example is mainly used to restrict the access source.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringNotLike": {
          "acs:SourceVpc": [
            "vpc-*"
          ]
        },
        "NotIpAddress": {
          "acs:SourceIp": [
            "192.0.2.0"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringLike": {
          "acs:SourceVpc": [
            "vpc-*"
          ]
        },
        "StringNotEquals": {
          "acs:SourceVpc": [
            "vpc-t4nlw426y44rd3iq4****"
          ]
        }
      }
    }
  ]
}
Example 7: Deny access to Bucket resources from sources outside a specified VPC ID
The following example denies users whose VPC ID is not t4nlw426y44rd3iq4**** access to the target bucket examplebucket.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "acs:SourceVpc": [
            "vpc-t4nlw426y44rd3iq4****"
          ]
        }
      }
    }
  ]
}
Example 8: Deny access to Bucket resources from sources other than a specified public IP address
The following example denies users whose public IP address is not 192.0.2.0 access to the target bucket examplebucket.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringNotLike": {
          "acs:SourceVpc": [
            "vpc-*"
          ]
        },
        "NotIpAddress": {
          "acs:SourceIp": [
            "192.0.2.0"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringLike": {
          "acs:SourceVpc": [
            "vpc-*"
          ]
        }
      }
    }
  ]
}