Create IAM Policy
最終更新日:2022-05-20 15:51:01
Permission Policy Example
{
"version": "1",
"statement": [
{
"action": [
"wos:GetBucket"
],
"resource": [
"wsc:wos:*:*:testbucket"
],
"effect": "allow"
},
{
"action": [
"wos:PutObject",
"wos:GetObject",
"wos:DeleteObject"
],
"resource": [
"wsc:wos:*:*:testbucket/*"
],
"effect": "allow"
}
]
}
This is an authorization policy. The parent account can use such a policy to authorize the sub-account through IAM. There is one statement in the policy (there can be multiple statements in one policy). The corresponding action, resource, and effect are specified in the statement.
The permissions of this policy configuration: list the information of all files in the space testbucket; upload files to the space testbucket; download the files in the space testbucket; delete the files in the space testbucket.
Configuration Rules
Version
version defines the version of the permission policy, and the currently supported version is “1”.
Statement
Authorization semantics are described through statements, which can contain multiple semantics according to business scenarios, each containing a description of action, effect, and resource. Each time a request is made, the system will match and check one by one. All successfully matched statements will be divided into allow and deny according to the effect setting, among which deny takes precedence. If all matches are passed, the request is authenticated. If the match is successful, there is a prohibition, or if no entry is matched successfully, the request is forbidden to access.
Action
Action refers to the operation of the S3 API or console provided by wos. The action rule is wos:{action_name}, which supports * wildcard, and can use * to represent 0 or more arbitrary English letters. For example, wos:List* means all S3 API or console operations provided by wos whose action_name starts with List. .
Action is a list, you can choose one or more of the actions, all action_name must be prefixed with “wos:”. There can be multiple actions.
Actions are divided into three categories: • Service-level operations, corresponding to operations similar to wos:GetService.
• Bucket level operations, corresponding to operations similar to wos:PutBucketLifecycle, wos:GetBucket, etc. The object of the operation is Bucket.
• Object level operation, corresponding to similar to wos:GetObject, wos:PutObject, wos:DeleteObject and wos:AbortMultipartUpload, the operation object is Object.
The corresponding relationship between specific action and S3 API is as follows:
- Service level
| S3 API | action |
|---|---|
| GetService | wos:GetService |
Note: If the GetService permission is assigned to the sub-account, the sub-account can obtain all the space owned by its parent account. (For the space created by the sub-account, the owner of the space is its parent account)
• Bucket level
| S3 API | action |
|---|---|
| GetBucket(ListObjects) | wos: GetBucket |
| GetBucketLifecycle | wos: GetBucketLifecycle |
| PutBucketLifecycle | wax: PutBucketLifecycle |
| DeleteBucketLifecycle | wos:DeleteBucketLifecycle |
| ListMultipartUploads | wos: ListMultipartUploads |
• Object level
| S3 API | action |
|---|---|
| GetObject | wos:GetObject |
| HeadObject | wax: HeadObject |
| PutObject | wax: PutObject |
| PostObject | wax: PutObject |
| InitiateMultipartUpload | wax: PutObject |
| UploadPart | wax: PutObject |
| CompleteMultipartUpload | wax: PutObject |
| DeleteObject | wos:DeleteObject |
| MultiDelete | wos:DeleteObject |
| AbortMultipartUpload | wos: AbortMultipartUpload |
| ListParts | wos: ListParts |
| CopyObject | wos:GetObject,wos:PutObject |
| RestoreObject | wos:RestoreObject |
The corresponding relationship between specific actions and console operations is as follows:
• Service level
| Console operation | action |
|---|---|
| storage | |
| View | wos:GetService |
| Storage space-space management-basic data / appraisal statistics / overview statistics | |
| View | wos: GetBucketAnalysis |
Note:
- If the GetService permission is assigned to the sub-account, the sub-account can obtain all the space owned by its parent account. (For the space created by the sub-account, the owner of the space is its parent account)
- All sub-accounts using the console must have GetService permission, otherwise other operations on the console may not be able to be used normally.
- If the GetBucketAnalysis permission is assigned to the sub-account, the sub-account can view all the menu items under statistical analysis.
• Bucket level
| Console operation | action |
|---|---|
| storage | |
| New space | wax: PutBucket |
| Storage space-space management-file management | |
| Query (view) | wos: GetBucket |
| Storage space-space management-basic settings | |
| View-mirror storage | wos: GetBucketMirror |
| Edit-mirror storage | wax: PutBucketMirror |
| Delete-mirror storage | wos:DeleteBucketMirror |
| View-life cycle settings | wos: GetBucketLifecycle |
| Create rule-life cycle settings | wax: PutBucketLifecycle |
| Edit-life cycle settings | wax: PutBucketLifecycle |
| Clear all rules-life cycle settings | wos:DeleteBucketLifecycle |
| Delete-life cycle settings | wos:DeleteBucketLifecycle |
| Create rules-cross-domain settings | wax: PutBucketCors |
| Edit-cross-domain settings | wax: PutBucketCors |
| View-cross-domain settings | wos: GetBucketCors |
| Delete-cross-domain settings | wos:DeleteBucketCors |
| Clear all rules-cross-domain settings | wos:DeleteBucketCors |
| Delete space | wos:DeleteBucket |
| Storage space-space management-domain name settings | |
| View-domain name | wos: GetBucketDomain |
| Bind a custom domain name | wax: PutBucketDomain |
| Modify the agreement | wax: PutBucketDomain |
| Delete-domain | wos:DeleteBucketDomain |
Object level
| Console operation | action |
|---|---|
| Storage space-space management-file management | |
| new folder | wos: PutFolder |
| upload files | wax: PutObject |
| delete | wos:DeleteObject |
| Rename | wax: PutObject |
| thaw | wos:RestoreObject |
| Set expiration time | wos:DeleteObject |
resource
Resource refers to the resource stored on wos. The rule of resource is wsc:wos:{region}:{bucket_owner}:{bucket_name}/{object_name}, which supports * wildcard. You can use * to represent 0 or more arbitrary English letters. The region field is temporarily not supported and is set to “*”.
resource is also a list, which can contain one or more resources. There can be multiple resources.
For all service-level operations, it is not supported to assign specific resources, ie wsc:wos::😗.
For all bucket-level operations, only specific spaces are supported, ie wsc:wos:{region}:{bucket_owner}:{bucket_name}.
For all Object-level operations. Support assigning to specific files, ie wsc:wos:{region}:{bucket_owner}:{bucket_name}/{object_name}.
effect
Effect represents the result of authorization of the statement in this article, which is divided into allow and deny, which refer to passing and prohibiting respectively. When multiple statements are matched successfully at the same time, deny has a higher priority .
For example, it is expected that users are forbidden to delete a certain directory, but have full permissions for other files:
{
"version": "1",
"statement": [
{
"effect": "allow",
"action": [
"wos:*"
],
"resource": [
"wsc:wos:*:*:bucketname/*"
]
},
{
"effect": "deny",
"action": [
"wos:DeleteObject"
],
"resource": [
"wsc:wos:*:*:bucketname/test/*"
]
}
]
}