Create IAM Policy

Last updated: 2022-05-20 15:51:01

Permission Policy Example

{
    "version": "1",
    "statement": [
        {
            "action": [
                "wos:GetBucket"
            ],
            "resource": [
                "wsc:wos:*:*:testbucket"
            ],
            "effect": "allow"
        },
        {
            "action": [
                "wos:PutObject",
                "wos:GetObject",
                "wos:DeleteObject"
            ],
            "resource": [
                "wsc:wos:*:*:testbucket/*"
            ],
            "effect": "allow"
        }
    ]
}

This is an authorization policy. The parent account uses such a policy to grant permissions to a sub-account through IAM. This example policy contains two statements (a policy may contain one or more); each statement specifies the corresponding action, resource, and effect.

The permissions granted by this policy configuration: list the information of all files in the space testbucket; upload files to the space testbucket; download files from the space testbucket; delete files in the space testbucket.

Configuration Rules

Version

version defines the version of the permission policy, and the currently supported version is “1”.

Statement

Authorization semantics are described through statements. A policy can contain multiple statements according to the business scenario, each with its own action, effect, and resource. For every request, the system checks the statements one by one. All matching statements are grouped into allow and deny according to their effect, and deny takes precedence. If at least one statement matches and every matching statement allows, the request is authorized. If any matching statement denies, or if no statement matches at all, the request is refused.

Action

Action refers to an operation of the S3 API or console provided by wos. The action rule is wos:{action_name}, which supports the * wildcard; * represents 0 or more arbitrary English letters. For example, wos:List* means all S3 API or console operations provided by wos whose action_name starts with List.
Action is a list from which you can choose one or more actions; every action_name must be prefixed with “wos:”. There can be multiple actions.

Actions are divided into three categories:
• Service-level operations, such as wos:GetService.
• Bucket-level operations, such as wos:PutBucketLifecycle and wos:GetBucket. The object of the operation is a Bucket.
• Object-level operations, such as wos:GetObject, wos:PutObject, wos:DeleteObject and wos:AbortMultipartUpload. The object of the operation is an Object.

The corresponding relationship between specific action and S3 API is as follows:

• Service level

S3 API        action
GetService    wos:GetService

Note: If the GetService permission is assigned to the sub-account, the sub-account can list all the spaces owned by its parent account. (A space created by a sub-account is owned by its parent account.)

• Bucket level

S3 API                   action
GetBucket (ListObjects)  wos:GetBucket
GetBucketLifecycle       wos:GetBucketLifecycle
PutBucketLifecycle       wos:PutBucketLifecycle
DeleteBucketLifecycle    wos:DeleteBucketLifecycle
ListMultipartUploads     wos:ListMultipartUploads

• Object level

S3 API                   action
GetObject                wos:GetObject
HeadObject               wos:HeadObject
PutObject                wos:PutObject
PostObject               wos:PutObject
InitiateMultipartUpload  wos:PutObject
UploadPart               wos:PutObject
CompleteMultipartUpload  wos:PutObject
DeleteObject             wos:DeleteObject
MultiDelete              wos:DeleteObject
AbortMultipartUpload     wos:AbortMultipartUpload
ListParts                wos:ListParts
CopyObject               wos:GetObject, wos:PutObject
RestoreObject            wos:RestoreObject

The corresponding relationship between specific actions and console operations is as follows:

• Service level

Console operation                     action

Storage
  View                                wos:GetService

Storage space - Space management - Basic data / Appraisal statistics / Overview statistics
  View                                wos:GetBucketAnalysis

Note:

  1. If the GetService permission is assigned to the sub-account, the sub-account can list all the spaces owned by its parent account. (A space created by a sub-account is owned by its parent account.)
  2. Every sub-account that uses the console must have the GetService permission; otherwise other console operations may not work normally.
  3. If the GetBucketAnalysis permission is assigned to the sub-account, the sub-account can view all the menu items under statistical analysis.

• Bucket level

Console operation                     action

Storage
  New space                           wos:PutBucket

Storage space - Space management - File management
  Query (view)                        wos:GetBucket

Storage space - Space management - Basic settings
  View - mirror storage               wos:GetBucketMirror
  Edit - mirror storage               wos:PutBucketMirror
  Delete - mirror storage             wos:DeleteBucketMirror
  View - life cycle settings          wos:GetBucketLifecycle
  Create rule - life cycle settings   wos:PutBucketLifecycle
  Edit - life cycle settings          wos:PutBucketLifecycle
  Clear all rules - life cycle settings  wos:DeleteBucketLifecycle
  Delete - life cycle settings        wos:DeleteBucketLifecycle
  Create rules - cross-domain settings   wos:PutBucketCors
  Edit - cross-domain settings        wos:PutBucketCors
  View - cross-domain settings        wos:GetBucketCors
  Delete - cross-domain settings      wos:DeleteBucketCors
  Clear all rules - cross-domain settings  wos:DeleteBucketCors
  Delete space                        wos:DeleteBucket

Storage space - Space management - Domain name settings
  View - domain name                  wos:GetBucketDomain
  Bind a custom domain name           wos:PutBucketDomain
  Modify the protocol                 wos:PutBucketDomain
  Delete - domain                     wos:DeleteBucketDomain

• Object level

Console operation                     action

Storage space - Space management - File management
  New folder                          wos:PutFolder
  Upload files                        wos:PutObject
  Delete                              wos:DeleteObject
  Rename                              wos:PutObject
  Thaw                                wos:RestoreObject
  Set expiration time                 wos:DeleteObject

Resource

Resource refers to a resource stored on wos. The rule of resource is wsc:wos:{region}:{bucket_owner}:{bucket_name}/{object_name}, which supports the * wildcard; * represents 0 or more arbitrary English letters. The region field is not yet supported and is set to “*”.
resource is also a list, which can contain one or more resources.

Service-level operations cannot be assigned to specific resources, i.e. the resource is wsc:wos:*:*:*.
Bucket-level operations can only be assigned to specific spaces, i.e. wsc:wos:{region}:{bucket_owner}:{bucket_name}.
Object-level operations can be assigned to specific files, i.e. wsc:wos:{region}:{bucket_owner}:{bucket_name}/{object_name}.

Effect

Effect represents the authorization result of the statement and is either allow or deny, meaning pass and prohibit respectively. When multiple statements match at the same time, deny has the higher priority.
For example, to forbid users from deleting a certain directory while granting them full permissions on all other files:

{
  "version": "1",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "wos:*"
      ],
      "resource": [
        "wsc:wos:*:*:bucketname/*"
      ]
    },
    {
      "effect": "deny",
      "action": [
        "wos:DeleteObject"
      ],
      "resource": [
        "wsc:wos:*:*:bucketname/test/*"
      ]
    }
  ]
}
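The following is an added example, not part of the original documentation, that implements the evaluation rules from the Statement section (deny overrides allow, no match means refusal) and the action/resource wildcard rules, and runs them against the policy above. It assumes that * matches any characters, not only letters; the region and bucket_owner values in the sample requests are constructed placeholders.

```python
import re

# The "effect" example policy above: full access to bucketname,
# but wos:DeleteObject under bucketname/test/ is explicitly denied.
POLICY = {
    "version": "1",
    "statement": [
        {"effect": "allow", "action": ["wos:*"],
         "resource": ["wsc:wos:*:*:bucketname/*"]},
        {"effect": "deny", "action": ["wos:DeleteObject"],
         "resource": ["wsc:wos:*:*:bucketname/test/*"]},
    ],
}


def wildcard_match(pattern: str, value: str) -> bool:
    """Match a policy pattern in which '*' stands for zero or more
    characters (assumption: any character, not only letters). Every
    other character is literal, so '.' or '+' in a key cannot be
    misread as a regex operator."""
    regex = "".join(".*" if part == "*" else re.escape(part)
                    for part in re.split(r"(\*)", pattern))
    return re.fullmatch(regex, value) is not None


def statement_matches(stmt: dict, action: str, resource: str) -> bool:
    """A statement matches when some action AND some resource pattern match."""
    return (any(wildcard_match(a, action) for a in stmt["action"])
            and any(wildcard_match(r, resource) for r in stmt["resource"]))


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Deny-overrides evaluation as described in the Statement section:
    'deny' if any matching statement denies, 'allow' if at least one
    matches and none denies, and 'deny' when nothing matches at all."""
    if policy.get("version") != "1":
        raise ValueError("unsupported policy version")
    effects = {s["effect"] for s in policy["statement"]
               if statement_matches(s, action, resource)}
    if "deny" in effects:
        return "deny"
    return "allow" if "allow" in effects else "deny"


if __name__ == "__main__":
    # Constructed requests: region "cn" and owner "owner1" are placeholders.
    print(evaluate(POLICY, "wos:PutObject", "wsc:wos:cn:owner1:bucketname/a.txt"))
    print(evaluate(POLICY, "wos:DeleteObject", "wsc:wos:cn:owner1:bucketname/test/a.txt"))
```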