Bucket Policy
Last updated: 2025-10-09 11:10:59
Overview
This document provides an API overview of bucket policies and SDK example code.
API | Operation Name | Operation Description |
PUT Bucket policy | Set the permission policy for the specified bucket. | |
GET Bucket policy | Query the permission policy for the specified bucket. | |
Deleting a Bucket Policy | Delete the permission policy for the specified bucket. |
PUT Bucket policy
Overview
The PUT Bucket policy API is used to write a permission policy for a bucket. If the bucket already has a permission policy, the policy passed in this request will overwrite the existing one.
Method Prototype
public void setBucketPolicy(String bucketName, String policyText)
Request sample
import com.qcloud.cos.COSClient;import com.qcloud.cos.ClientConfig;import com.qcloud.cos.auth.BasicCOSCredentials;import com.qcloud.cos.auth.COSCredentials;import com.qcloud.cos.region.Region;public class BucketPolicyDemo {public static void SetBucketPolicy() {// 1 Initialize user identity information (Recommended to use temporary key)String tmpSecretId = "SECRETID";String tmpSecretKey = "SECRETKEY";String sessionToken = "TOKEN";BasicSessionCredentials cred = new BasicSessionCredentials(tmpSecretId, tmpSecretKey, sessionToken);// 2 Set the region of the bucketRegion region = new Region("COS_REGION"); //COS_REGION parameter: Configure it to the real region of the bucket, for example ap-beijing. For more abbreviations of COS regions, please see https://www.tencentcloud.com/document/product/436/6224?from_cn_redirect=1ClientConfig clientConfig = new ClientConfig(region);// 3 Generating a COS clientCOSClient cosclient = new COSClient(cred, clientConfig);// The bucket name must contain appidString bucketName = "examplebucket-1250000000";String bucketPolicyStr = "{" +" \\"Statement\\": [" +" {" +" \\"Principal\\": {" +" \\"qcs\\": [" +" \\"qcs::cam::uin/100000000001:uin/100000000011\\"" + // Replace with the UIN of the account to be granted the permission" ]" +" }," +" \\"Effect\\": \\"allow\\"," +" \\"Action\\": [" +" \\"cos:PutObject\\"" +" ]," +" \\"Resource\\": [" + // Change to allowed path prefixes, can be determined based on the user login status of your website to judge the specific paths that allow uploads, for example: a.jpg or a/* or * (using wildcard * poses significant security risks, please evaluate usage cautiously)" \\"qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/exampleobject\\"" +" ]," +" \\"Condition\\": {" +" \\"string_equal\\": {" +" \\"cos:x-cos-mime-limit\\": \\"image/jpeg\\"" +" }" +" }" +" }" +" ]," +" \\"Version\\": \\"2.0\\"" +" }";cosclient.setBucketPolicy(bucketName, bucketPolicyStr);cosclient.shutdown();}public static void main(String[] args) {SetBucketPolicy();}}
Parameter Description
Parameter Name | Description | Required |
Statement | Describe the detailed information of one or more permissions | Yes |
Version | Syntax version of a policy, which is 2.0 by default. | Yes |
Principal | Yes | |
Action | Here refers to the COS API. Specify a single operation, a sequence of operations, or all operations ( *) as required. For example, the action is name/cos:GetService. Note that the case is sensitive. | Yes |
Effect | The options include allow (permission) and deny (explicit deny). | Yes |
Resource | Authorized data to be operated, which can be any resources, resources with a specified path prefix, resources with a specified absolute path, or resources with combinations of the above conditions. | Yes |
Condition | No |
GET Bucket policy
Overview
The GET Bucket policy API is used to read the permission policy of a bucket.
Method Prototype
public BucketPolicy getBucketPolicy(String bucketName)
Request sample:
import com.qcloud.cos.COSClient;import com.qcloud.cos.ClientConfig;import com.qcloud.cos.auth.BasicCOSCredentials;import com.qcloud.cos.auth.COSCredentials;import com.qcloud.cos.region.Region;import com.qcloud.cos.model.BucketPolicy;public class BucketPolicyDemo {public static void GetBucketPolicy() {// 1 Initialize user identity information (Recommended to use temporary key)String tmpSecretId = "SECRETID";String tmpSecretKey = "SECRETKEY";String sessionToken = "TOKEN";BasicSessionCredentials cred = new BasicSessionCredentials(tmpSecretId, tmpSecretKey, sessionToken);// 2 Set the region of the bucketRegion region = new Region("COS_REGION"); //COS_REGION parameter: Configure it to the real region of the bucket, for example ap-beijing. For more abbreviations of COS regions, please see https://www.tencentcloud.com/document/product/436/6224?from_cn_redirect=1ClientConfig clientConfig = new ClientConfig(region);// 3 Generating a COS clientCOSClient cosclient = new COSClient(cred, clientConfig);// The bucket name must contain appidString bucketName = "examplebucket-1250000000";BucketPolicy bucketPolicy = cosclient.getBucketPolicy(bucketName);System.out.println(bucketPolicy.getPolicyText());cosclient.shutdown();}public static void main(String[] args) {GetBucketPolicy();}}
Return Result Description
public class BucketPolicy implements Serializable {private static final long serialVersionUID = 1L;/** The raw, policy JSON text, as returned by COS */private String policyText;/*** Gets the raw policy JSON text as returned by COS. If no policy has been applied to the* specified bucket, the policy text will be null.** @return The raw policy JSON text as returned by COS. If no policy has been applied to the* specified bucket, this method returns null policy text.** @see BucketPolicy#setPolicyText(String)*/public String getPolicyText() {return policyText;}/*** Sets the raw policy JSON text. A bucket will have no policy text unless the policy text is* explicitly provided through this method.** @param policyText The raw policy JSON text.** @see BucketPolicy#getPolicyText()*/public void setPolicyText(String policyText) {this.policyText = policyText;}}
Deleting a Bucket Policy
Overview
The DELETE Bucket policy request can be used to delete the permission policy for a bucket.
Method Prototype
public void deleteBucketPolicy(String bucketName)
Request sample:
import com.qcloud.cos.COSClient;import com.qcloud.cos.ClientConfig;import com.qcloud.cos.auth.BasicCOSCredentials;import com.qcloud.cos.auth.COSCredentials;import com.qcloud.cos.region.Region;import com.qcloud.cos.model.BucketPolicy;public class BucketPolicyDemo {public static void DelBucketPolicy() {// 1 Initialize user identity information (Recommended to use temporary key)String tmpSecretId = "SECRETID";String tmpSecretKey = "SECRETKEY";String sessionToken = "TOKEN";BasicSessionCredentials cred = new BasicSessionCredentials(tmpSecretId, tmpSecretKey, sessionToken);// 2 Set the region of the bucketRegion region = new Region("COS_REGION"); //COS_REGION parameter: Configure it to the real region of the bucket, for example ap-beijing. For more abbreviations of COS regions, please see https://www.tencentcloud.com/document/product/436/6224?from_cn_redirect=1ClientConfig clientConfig = new ClientConfig(region);// 3 Generating a COS clientCOSClient cosclient = new COSClient(cred, clientConfig);// The bucket name must contain appidString bucketName = "examplebucket-1250000000";cosclient.deleteBucketPolicy(bucketName);cosclient.shutdown();}public static void main(String[] args) {DelBucketPolicy();}}
Related Example
Was this page helpful?
You can also Contact Sales or Submit a Ticket for help.
Yes
No
Feedback