Data schema
Updated at December 4, 2024
Data schema in JSON format:

```
{
  "Version" : "string",
  "Id" : "string",
  "Statement" : [
    {
      "Sid" : "string",
      ("Principal" | "NotPrincipal") : ("*" | "CanonicalUser" : [
        "string",
        ...
      ]),
      "Effect" : ("Allow" | "Deny"),
      "Action" : ("*" | [
        "string",
        ...
      ]),
      "Resource" : ("*" | [
        "string",
        ...
      ]),
      "Condition" : {
        "condition_type_string" : {
          "condition_key_string" : [[("string" | "number" | "Boolean"),...]...]
        },
        ...
      }
    },
    ...
  ]
}
```
A schema can include up to 10,240 characters.
Description of schema parameters:
Parameter | Description
---|---
Version | String (optional). Access policy description version. Sample value: 2012-10-17.
Id | String (optional). General policy information. Some Yandex Cloud services require this value to be unique. The parameter is specified by the user. Sample values: test-policy, Anonymous access policy, hrtk43sau2s8gqkaje06.
Statement[] | Array. Access policy rules. If a bucket policy with no rules is applied to a bucket, access is denied to all users. To disable request verification for a bucket policy, delete the policy.
Statement[].Sid | String (optional). Rule ID. The parameter is specified by the user. Sample values: test-rule, Statement Allow, Statement Deny.
Statement[].Principal | String (optional). ID of the subject requesting the permission. Possible subjects: user, service account, or user group. Possible values: * and <subject_ID>. You can specify a user group in the policy using the Yandex Cloud CLI, AWS CLI, Terraform, and the API.
Statement[].NotPrincipal | String (optional). ID of the subject that will not get the requested permission. Possible subjects: user, service account, or user group. Possible value: <subject_ID>. You can specify a user group in the policy using the Yandex Cloud CLI, AWS CLI, Terraform, and the API.
Statement[].Effect | String. Denies or allows the requested action. Possible values: Allow, Deny.
Statement[].Action | String. Action to perform when the policy is triggered. Possible values: s3:GetObject, s3:PutObject.
Statement[].Resource | String. Resource to perform the action on. Possible values: arn:aws:s3:::samplebucket and arn:aws:s3:::samplebucket/*.
Statement[].Condition{} | String (optional). Condition to check. If multiple conditions are set for one rule, they apply with AND logic: the rule is executed only if all specified conditions are satisfied at the same time. The aws:sourceip condition supports a special procedure for verifying reverse proxy server IP addresses.
Statement[].Condition{}.condition_type_string{} | String. Condition type. Possible values: StringEquals, Bool. For a full list of values, see Comparison operators.
Statement[].Condition{}.condition_type_string{}.condition_key_string | String. Condition key, i.e., the attribute whose value is checked. Possible values: aws:PrincipalType, true. If multiple keys are set for one condition, they are checked with AND logic: the rule is executed only if all specified attributes are satisfied at the same time. If multiple values are set for one condition key, they are checked with OR logic: the key may match any of the specified values for the rule to be executed.
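To make the rule semantics above concrete, here is an added example (not Yandex Cloud's own evaluator) that parses a constructed policy, enforces the 10,240-character limit, and evaluates requests against it: Principal/NotPrincipal, wildcard Action and Resource, condition types and keys combined with AND, and the values under one key with OR. It assumes default deny with a matching Deny overriding any Allow, uses the aws:SecureTransport condition key (not on this page), and handles only the StringEquals and Bool operators the page names.

```python
import fnmatch
import json
MAX_POLICY_CHARS = 10_240  # document size limit stated in the schema description
# Constructed sample (not from the page); the aws:SecureTransport key is assumed.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Id": "example-policy", "Statement": [
    {"Sid": "AllowRead", "Principal": "*", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::samplebucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": ["true"]}}},
    {"Sid": "DenyBlocked", "Principal": {"CanonicalUser": ["blocked-user"]},
     "Effect": "Deny", "Action": "*", "Resource": "*"}]})

def load_policy(text: str) -> dict:
    # Reject oversized documents before parsing; the limit is the one stated above.
    if len(text) > MAX_POLICY_CHARS:
        raise ValueError(f"policy has {len(text)} chars; limit is {MAX_POLICY_CHARS}")
    return json.loads(text)

def _as_list(value):
    return value if isinstance(value, list) else [value]

_OPERATORS = {  # the two operator names the page lists; anything else fails closed
    "StringEquals": lambda actual, v: str(actual) == str(v),
    "Bool": lambda actual, v: str(actual).lower() == str(v).lower()}

def _principal_matches(stmt: dict, subject: str) -> bool:
    # Principal is "*" or {"CanonicalUser": [...]}; NotPrincipal inverts the set.
    if "NotPrincipal" in stmt:
        return subject not in _as_list(stmt["NotPrincipal"]["CanonicalUser"])
    return stmt["Principal"] == "*" or subject in _as_list(stmt["Principal"]["CanonicalUser"])

def _condition_matches(cond: dict, context: dict) -> bool:
    # Operators and keys combine with AND; the values listed under one key with OR.
    for op, keys in cond.items():
        cmp = _OPERATORS.get(op)
        for key, wanted in keys.items():
            if cmp is None or not any(cmp(context.get(key), v) for v in _as_list(wanted)):
                return False
    return True

def evaluate(policy: dict, subject: str, action: str, resource: str, context: dict) -> str:
    decision = "Deny"  # default deny; an applicable Deny beats any Allow (both assumed)
    for stmt in policy["Statement"]:
        if (_principal_matches(stmt, subject)
                and any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
                and any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
                and _condition_matches(stmt.get("Condition", {}), context)):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision
```

A request whose context lacks a key named in a Condition fails that condition, so an unconditioned request never satisfies a conditional Allow.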