tencent cloud

Cloud Object Storage

Release Notes and Announcements
Release Notes
Announcements
Product Introduction
Overview
Features
Use Cases
Strengths
Concepts
Regions and Access Endpoints
Specifications and Limits
Service Regions and Service Providers
Billing
Billing Overview
Billing Method
Billable Items
Free Tier
Billing Examples
Viewing and Downloading Bill
Payment Overdue
FAQs
Getting Started
Console
Getting Started with COSBrowser
User Guide
Creating Request
Bucket
Object
Data Management
Batch Operation
Global Acceleration
Monitoring and Alarms
Operations Center
Data Processing
Content Moderation
Smart Toolbox
Data Processing Workflow
Application Integration
User Tools
Tool Overview
Installation and Configuration of Environment
COSBrowser
COSCLI (Beta)
COSCMD
COS Migration
FTP Server
Hadoop
COSDistCp
HDFS TO COS
GooseFS-Lite
Online Tools
Diagnostic Tool
Use Cases
Overview
Access Control and Permission Management
Performance Optimization
Accessing COS with AWS S3 SDK
Data Disaster Recovery and Backup
Domain Name Management Practice
Image Processing
Audio/Video Practices
Workflow
Direct Data Upload
Content Moderation
Data Security
Data Verification
Big Data Practice
COS Cost Optimization Solutions
Using COS in the Third-party Applications
Migration Guide
Migrating Local Data to COS
Migrating Data from Third-Party Cloud Storage Service to COS
Migrating Data from URL to COS
Migrating Data Within COS
Migrating Data Between HDFS and COS
Data Lake Storage
Cloud Native Datalake Storage
Metadata Accelerator
GooseFS
Data Processing
Data Processing Overview
Image Processing
Media Processing
Content Moderation
File Processing Service
File Preview
Troubleshooting
Obtaining RequestId
Slow Upload over Public Network
403 Error for COS Access
Resource Access Error
POST Object Common Exceptions
API Documentation
Introduction
Common Request Headers
Common Response Headers
Error Codes
Request Signature
Action List
Service APIs
Bucket APIs
Object APIs
Batch Operation APIs
Data Processing APIs
Job and Workflow
Content Moderation APIs
Cloud Antivirus API
SDK Documentation
SDK Overview
Preparations
Android SDK
C SDK
C++ SDK
.NET(C#) SDK
Flutter SDK
Go SDK
iOS SDK
Java SDK
JavaScript SDK
Node.js SDK
PHP SDK
Python SDK
React Native SDK
Mini Program SDK
Error Codes
Harmony SDK
Endpoint SDK Quality Optimization
Security and Compliance
Data Disaster Recovery
Data Security
Cloud Access Management
FAQs
Popular Questions
General
Billing
Domain Name Compliance Issues
Bucket Configuration
Domain Names and CDN
Object Operations
Logging and Monitoring
Permission Management
Data Processing
Data Security
Pre-signed URL Issues
SDKs
Tools
APIs
Agreements
Service Level Agreement
Privacy Policy
Data Processing And Security Agreement
Contact Us
Glossary
DokumentasiCloud Object StorageUse CasesAccess Control and Permission ManagementWorking with COS API Authorization Policies

Working with COS API Authorization Policies

PDF
Mode fokus
Ukuran font
Terakhir diperbarui: 2025-11-19 11:50:28
Note:
When granting API access permissions to a sub-user or collaborator, be sure to follow the principle of least privilege and grant the minimum set of permissions necessary to satisfy business needs. There may be data security risks if you grant excessive access to all of your resources (resource:*) or all operations (action:*).

Overview

When using a temporary key to access COS, the operation permissions required vary by API or series of APIs that you specify.
A COS API authorization policy is a JSON string. For example, below is a policy that grants the permission to perform uploads (including simple upload, upload through an HTML form, and multipart upload) for objects prefixed with doc and downloads for objects prefixed with doc2 for the bucket examplebucket-1250000000 in the region "ap-beijing" under the APPID 1250000000:
{
    "version": "2.0",
    "statement": [{
            "action": [
                // Upload an object by using simple upload 
                "name/cos:PutObject",
                // Upload an object by using an HTML form 
                "name/cos:PostObject",
                // Initialize a multipart upload 
                "name/cos:InitiateMultipartUpload",
                // List all ongoing multipart uploads
                "name/cos:ListMultipartUploads",
                // List uploaded parts 
                "name/cos:ListParts",
                // Upload parts 
                "name/cos:UploadPart",
                // Complete a multipart upload 
                "name/cos:CompleteMultipartUpload",
                // Abort a multipart upload 
                "name/cos:AbortMultipartUpload"
            ],
            "effect": "allow",
            "resource": [
                "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*"
            ]
        },
        {
            "action": [
                // Download 
                "name/cos:GetObject"
            ],
            "effect": "allow",
            "resource": [
                "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc2/*"
            ]
        }
    ]
}


Authorization Policy Elements

Name
Description
version
Policy syntax version, which is 2.0 by default.
effect
Allow or deny.
resource
Specific data of the authorized operation, which can be any resources, resources with a specified path prefix, resource in a specified absolute path, or their combination.
action
COS API. You can specify one, several, or all (*) COS APIs as needed, such as name/cos:GetService. Note that this value is case-sensitive.
condition
Optional condition. For more information, see Element Reference.
Examples of authorization policy settings for each COS API are as listed below.

Service APIs

Querying bucket list

To grant access to the GET Service API, the action field in the policy should be set to name/cos:GetService, and the resource field to *.

Sample

The following policy grants the permission to query the bucket list:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:GetService"
      ],
      "effect": "allow",
      "resource": [
        "*"
      ]
    }
  ]
}

Bucket APIs

The resource field for bucket API policies is outlined in further detail below:
To allow access to buckets in all regions The resource field should be set to *. Use this option with caution as it may present data security risks due to excessive permissions.
To allow access only to buckets in a specified region For example, to grant access to examplebucket-1250000000 under the APPID 1250000000 in the region ap-beijing, the resource field should be set to qcs::cos:ap-beijing:uid/1250000000:*.
To allow access only to a bucket with a specified name in a specified region
For example, to grant access to the bucket named examplebucket-1250000000 under the APPID 1250000000 in the region ap-beijing, the resource field should be set to qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/*.
The action field in bucket API policies varies by operation. The following lists several bucket API policies for your reference.

Creating bucket

To grant access to the PUT Bucket API, the action field in the policy should be set to name/cos:PutBucket.

Sample

The following policy grants the user with the APPID 1250000000 permission to create a bucket named examplebucket-1250000000 in Beijing region:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:PutBucket"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/"
      ]
    }
  ]
}
Note:
For bucket naming rules, see Bucket Overview.

Extracting bucket and its permissions

To grant the access to the HEAD Bucket API, the action field in the policy should be set to name/cos:HeadBucket.

Sample

The following policy grants the permission to extract only the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:HeadBucket"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/"
      ]
    }
  ]
}

Querying object list

To grant access to the GET Bucket API, the action field in the policy should be set to name/cos:GetBucket.

Sample

The following policy grants the permission to query only the list of objects in the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:GetBucket"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/"
      ]
    }
  ]
}

Deleting bucket

To grant access to the Delete Bucket API, the action field in the policy should be set to name/cos:DeleteBucket.

Sample

The following policy grants the permission to delete only the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:DeleteBucket"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/"
      ]
    }
  ]
}

Setting bucket ACL

To grant access to the Put Bucket ACL API, the action field in the policy should be set to name/cos:PutBucketACL.

Sample

The following policy grants the permission to set an ACL only for the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:PutBucketACL"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/"
      ]
    }
  ]
}

Querying bucket ACL

To grant access to the GET Bucket acl API, the action field in the policy should be set to name/cos:GetBucketACL.

Sample

The following policy grants the permission to get the ACL only of the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:GetBucketACL"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/"
      ]
    }
  ]
}

Setting CORS configuration

To grant access to the PUT Bucket cors API, the action field in the policy should be set to name/cos:PutBucketCORS.

Sample

The following policy grants the permission to set a CORS configuration only for the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:PutBucketCORS"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/"
      ]
    }
  ]
}

Querying CORS configuration

To grant access to the GET Bucket cors API, the action field in the policy should be set to name/cos:GetBucketCORS.

Sample

The following policy grants the permission to query the CORS configuration only of the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:GetBucketCORS"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/"
      ]
    }
  ]
}

Deleting CORS configuration

To grant access to the DELETE Bucket cors API, the action field in the policy should be set to name/cos:DeleteBucketCORS.

Sample

The following policy grants the permission to delete the CORS configuration only of the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:DeleteBucketCORS"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/"
      ]
    }
  ]
}

Setting lifecycle configuration

To grant access to the PUT Bucket lifecycle API, the action field in the policy should be set to name/cos:PutBucketLifecycle.

Sample

The following policy grants the permission to set a lifecycle configuration only for the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:PutBucketLifecycle"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/"
      ]
    }
  ]
}

Querying lifecycle configuration

To grant access to the GET Bucket lifecycle API, the action field in the policy should be set to name/cos:GetBucketLifecycle.

Sample

The following policy grants the permission to query the lifecycle configuration only of the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:GetBucketLifecycle"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/"
      ]
    }
  ]
}

Deleting lifecycle configuration

To grant access to the DELETE Bucket lifecycle API, the action field in the policy should be set to name/cos:DeleteBucketLifecycle.

Sample

The following policy grants the permission to delete the lifecycle configuration only of the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:DeleteBucketLifecycle"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/"
      ]
    }
  ]
}

Object APIs

The resource field for object API policies is outlined in further detail below:
To grant access to all objects, the resource field should be set to *.
To grant access only to objects in a specified bucket, such as objects in the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000, the resource field should be set to qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/*.
To grant access only to objects with a specified path prefix in a specified bucket, such as objects with the path prefix doc in the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000, the resource field should be set to qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*.
To grant access only to an object in a specified absolute path, such as the object in the absolute path doc/audio.mp3 in the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000, the resource field should be set to qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/audio.mp3.
The action field in object API policies varies by operation. All object API policies are as listed below.

Uploading object by using simple upload

To grant access to the PUT Object API, the action field in the policy should be set to name/cos:PutObject.

Sample

The following policy grants the permission to use simple upload to upload only objects with the path prefix doc in the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000:
 {
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:PutObject"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*"
      ]
    }
  ]
}

Multipart upload

Multipart upload APIs include Initiate Multipart Upload, List Multipart Uploads, List Parts, Upload Part, Complete Multipart Upload, and Abort Multipart Upload. To grant access to these APIs, the action field in the policy should be a collection of "name/cos:InitiateMultipartUpload","name/cos:ListMultipartUploads","name/cos:ListParts","name/cos:UploadPart","name/cos:CompleteMultipartUpload","name/cos:AbortMultipartUpload".

Sample

The following policy grants the permission to use multipart upload to upload only objects with the path prefix doc in the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:InitiateMultipartUpload",
        "name/cos:ListMultipartUploads",
        "name/cos:ListParts",
        "name/cos:UploadPart",
        "name/cos:CompleteMultipartUpload",
        "name/cos:AbortMultipartUpload"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*"
      ]
    }
  ]
}

Querying multipart upload

To grant access to this API, the action field in the policy should be set to name/cos:ListMultipartUploads.

Sample

The following policy grants the permission to query ongoing multipart uploads only in the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:ListMultipartUploads"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/"
      ]
    }
  ]
}

Uploading object by using HTML form

To grant access to the POST Object API, the action field in the policy should be set to name/cos:PostObject.

Sample

The following policy grants the permission to use the POST method to upload only objects with the path prefix doc in the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:PostObject"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*"
      ]
    }
  ]
}

Appending parts

To grant access to the Append Object API, the action field in the policy should be set to name/cos:AppendObject.

Sample

The following policy grants permission to append parts to objects with the path prefix doc in the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000:
 {
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:AppendObject"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*"
      ]
    }
  ]
}

Querying object metadata

To grant access to the HEAD Object API, the action field in the policy should be set to name/cos:HeadObject.

Sample

The following policy grants the permission to query objects only with the path prefix doc in the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:HeadObject"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*"
      ]
    }
  ]
}

Downloading object

To grant access to the GET Object API, the action field in the policy should be set to name/cos:GetObject.

Sample

The following policy grants the permission to download only objects with the path prefix doc in the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:GetObject"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*"
      ]
    }
  ]
}

Copying object

To grant access to the Put Object Copy API, the action field for the destination object should be set to name/cos:PutObject, and the action field for the source object should be set to name/cos:GetObject.

Sample

The following policy grants the permission to use multipart copy to copy objects from the path prefixed with doc to the path prefixed with doc2 in the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:PutObject"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*"
      ]
    },
    {
      "action": [
        "name/cos:GetObject"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc2/*"
      ]
    }
  ]
}
Here, "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc2/*" is the source object.

Copying part

To grant access to the Upload Part - Copy API, the action field for the destination object should be a collection of "name/cos:InitiateMultipartUpload","name/cos:ListMultipartUploads","name/cos:ListParts","name/cos:PutObject","name/cos:CompleteMultipartUpload","name/cos:AbortMultipartUpload", and the action field for the source object should be set to name/cos:GetObject.

Sample

The following policy grants the permission to use multipart copy to copy objects from the path prefixed with doc to the path prefixed with doc2 in the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:InitiateMultipartUpload",
        "name/cos:ListMultipartUploads",
        "name/cos:ListParts",
        "name/cos:PutObject",
        "name/cos:CompleteMultipartUpload",
        "name/cos:AbortMultipartUpload"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*"
      ]
    },
    {
      "action": [
        "name/cos:GetObject"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc2/*" 
      ]
    }
  ]
}
Here, "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc2/*" is the source object.

Setting object ACL

To grant access to the Put Object ACL API, the action field in the policy should be set to name/cos:PutObjectACL.

Sample

The following policy grants the permission to set an ACL only for objects with the path prefix doc in the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:PutObjectACL"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*"
      ]
    }
  ]
}

Querying object ACL

To grant access to the Get Object ACL API, the action field in the policy should be set to name/cos:GetObjectACL.

Sample

The following policy grants the permission to query the ACL only of objects with the path prefix doc in the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:GetObjectACL"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*"
      ]
    }
  ]
}

Checking CORS configuration

To grant access to the OPTIONS Object API, the action field in the policy should be set to name/cos:OptionsObject.

Sample

The following policy grants the permission to send an OPTIONS request only for objects with the path prefix doc in the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:OptionsObject"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*"
      ]
    }
  ]
}

Restoring archived object

To grant access to the Post Object Restore API, the action field in the policy should be set to name/cos:PostObjectRestore.

Sample

The following policy grants the permission to restore archived objects only with the path prefix doc in the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:PostObjectRestore"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/doc/*"
      ]
    }
  ]
}

Deleting object

To grant access to the DELETE Object API, the action field in the policy should be set to name/cos:DeleteObject.

Sample

The following policy grants the permission to delete only the object audio.mp3 in the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:DeleteObject"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/audio.mp3"
      ]
    }
  ]
}

Deleting multiple objects

To grant access to the DELETE Multiple Objects API, the action field in the policy should be set to name/cos:DeleteObject.

Sample

The following policy grants the permission to batch delete only the objects audio.mp3 and video.mp4 in the bucket examplebucket-1250000000 in the region ap-beijing under the APPID 1250000000:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:DeleteObject"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/audio.mp3",
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/video.mp4"
      ]
    }
  ]
}

Authorization Policies for Common Scenarios

Granting full access to all resources

The following policy grants full access to all resources:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "*"
      ],
      "effect": "allow",
      "resource": [
        "*"
      ]
    }
  ]
}

Granting read-only access to all resources

The following policy grants read-only access to all resources:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:HeadObject",
        "name/cos:GetObject",
        "name/cos:GetBucket",
        "name/cos:OptionsObject"
      ],
      "effect": "allow",
      "resource": [
        "*"
      ]
    }
  ]
}

Granting read-write access to resources with specified path prefix

The following policy grants the permission to access only files with the path prefix doc in the bucket examplebucket-1250000000 and does not allow any operations on files in other paths:
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "*"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-shanghai:uid/1250000000:examplebucket-1250000000/doc/*"
      ]
    }
  ]
}

Topik sebelumnya: Authorization CasesTopik selanjutnya: Security Guidelines for Using Temporary Credentials for Direct Upload from Frontend to COS

Bantuan dan Dukungan

Apakah halaman ini membantu?

masukan