Contact UsGet started

Data schema

Written by
Updated at December 27, 2024

Data schema in JSON format:

{
  "Version" : "string",
  "Id" : "string",
  "Statement" : [
    {
      "Sid" : "string",
      ("Principal" | "NotPrincipal") : ("*" | "CanonicalUser" : [
        "string",
        ...
      ]),
      "Effect" : ("Allow" | "Deny"),
      "Action" : ("*" | [
        "string",
        ...
      ]),
      "Resource" : ("*" | [
        "string",
        ...
      ]),
      "Condition" : {
        "condition_type_string" : {
          "condition_key_string" : [[("string" | "number" | "Boolean"),...]...]
        },
        ...
      }  
    },
    ...
  ]
}

A schema can include up to 10,240 characters.

Description of schema parameters:

Parameter Description
Version (Optional) string
Bucket policy description version.
Examples of values: 2012-10-17.
Id (Optional) string
General policy information. Some Yandex Cloud services require this value to be unique.
The parameter is specified by the user.
Examples of values: test-policy, Anonymous access policy, hrtk43sau2s8gqkaje06.
Statement[]. array
Bucket policy rules.
If a bucket policy with no rules is applied to the bucket, access is denied to all users. To disable request verification for a bucket policy, delete it.
Statement[].Sid string
(Optional) Rule ID.
The parameter is specified by the user.
Examples of values: test-rule, Statement Allow, Statement Deny.
Statement[].Principal string
(Optional) Requested permission subject ID. You can request permissions for a user, or service account.
Possible values: * and <subject_ID>.
Statement[].NotPrincipal string
(Optional) ID of the subject that will not get the requested permission. The possible subjects are: user, or service account.
Possible values: <subject_ID>.
Statement[].Effect string
Denies or allows the requested action.
Possible values: Allow, Deny.
Statement[].Action string
Action to perform when the policy is triggered.
Possible values: s3:GetObject, s3:PutObject.
Statement[].Resource string
Resource to perform the action on.
The possible values are:
  • arn:aws:s3:::<bucket_name>: Bucket.
  • arn:aws:s3:::<bucket_name>/<object_key>: Bucket object.
  • arn:aws:s3:::<bucket_name>/<object_key_prefix>*: All objects in the bucket whose keys start with a prefix, e.g., arn:aws:s3:::samplebucket/some/path/*. A prefix can be empty, e.g., arn:aws:s3:::samplebucket/*, in which case the rule will apply to all bucket objects.
A bucket resource does not include resources of all its objects. To make sure a bucket policy rule refers to the bucket and all objects, specify them as separate resources, e.g., arn:aws:s3:::samplebucket and arn:aws:s3:::samplebucket/*.
Statement[].Condition{}. string
(Optional) Condition to check.
If multiple conditions are set for one rule at the same time, they will apply with the AND logic, i.e., the rule must satisfy all specified conditions at the same time to be executed.

The aws:sourceip condition supports a special procedure for verifying reverse proxy server IP addresses.
Statement[].Condition{}.
condition_type_string{}.		 string
Condition type.
Possible values: StringEquals, Bool. For a full list of values, see Comparison operators.
Statement[].Condition{}.
condition_type_string{}.
condition_key_string		 string
Condition key.

The condition whose value will be checked.
Possible values: aws:PrincipalType, true.

If multiple keys are set for one condition at the same time, these keys will be checked using the AND logic, i.e., the rule must satisfy all specified attributes at the same time to be executed.

If multiple values are set for one condition key at the same time, these values will be checked using the OR logic, i.e., the condition key may satisfy any of the specified values for the rule to be executed.

See also

Previous
DeleteBucketPolicy
Next
Actions