Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Data schema

Written by
Updated at October 9, 2024

Data schema in JSON format:

{
  "Version" : "string",
  "Id" : "string",
  "Statement" : [
    {
      "Sid" : "string",
      ("Principal" | "NotPrincipal") : ("*" | "CanonicalUser" : [
        "string",
        ...
      ]),
      "Effect" : ("Allow" | "Deny"),
      "Action" : ("*" | [
        "string",
        ...
      ]),
      "Resource" : ("*" | [
        "string",
        ...
      ]),
      "Condition" : {
        "condition_type_string" : {
          "condition_key_string" : [[("string" | "number" | "Boolean"),...]...]
        },
        ...
      }  
    },
    ...
  ]
}

A schema can include up to 10,240 characters.

Description of schema parameters:

Parameter Description
Version (Optional) String
Access policy description version.
Sample values: 2012-10-17.
Id (Optional) String
General policy information. Some Yandex Cloud services require this value to be unique.
The parameter is specified by the user.
Sample values: test-policy, Anonymous access policy, hrtk43sau2s8gqkaje06.
Statement[]. array
Access policy rules.
If a bucket policy with no rules is applied to the bucket, access is denied to all users. To disable request verification for a bucket policy, delete it.
Statement[].Sid string
(Optional) Rule ID.
The parameter is specified by the user.
Sample values: test-rule, Statement Allow, Statement Deny.
Statement[].Principal string
(Optional) Requested permission subject ID. The possible recipients are: user, service account, or user group.
Possible values: * and <subject_ID>.
You can specify a user group in the policy using the Yandex Cloud CLI, AWS CLI, Terraform, and the API.
Statement[].NotPrincipal string
(Optional) ID of the subject that will not get the requested permission. The possible subjects are: user, service account, or user group.
Possible values: <subject_ID>.
You can specify a user group in the policy using the Yandex Cloud CLI, AWS CLI, Terraform, and the API.
Statement[].Effect string
Denies or allows the requested action.
Possible values: Allow, Deny.
Statement[].Action string
Determines the action to perform when the policy is triggered.
Possible values: s3:GetObject, s3:PutObject.
Statement[].Resource string
Determines the resource the action will be performed on.
Possible values:
  • arn:aws:s3:::<bucket_name>: Bucket.
  • arn:aws:s3:::<bucket_name>/<object_key>: Bucket object.
  • arn:aws:s3:::<bucket_name>/<object_key_prefix>*: All objects in the bucket whose keys start with a prefix, e.g., arn:aws:s3:::samplebucket/some/path/*. A prefix can be empty, e.g., arn:aws:s3:::samplebucket/*, in which case the rule will apply to all bucket objects.
A bucket resource does not include resources of all its objects. To make sure a bucket policy rule refers to the bucket and all objects, specify them as separate resources, e.g., arn:aws:s3:::samplebucket and arn:aws:s3:::samplebucket/*.
Statement[].Condition{}. string
(Optional) Condition that will be checked.
If multiple conditions are set for one rule at the same time, they will apply with the AND logic, i.e., the rule must satisfy all specified conditions at the same time to be executed.
Statement[].Condition{}.
condition_type_string{}.		 string
Condition type.
Possible values: StringEquals, Bool. For a full list of values, see Comparison operators.
Statement[].Condition{}.
condition_type_string{}.
condition_key_string		 string
Condition key.

Determines the condition whose value will be checked.
Possible values: aws:PrincipalType, true.

If multiple keys are set for one condition at the same time, these keys will be checked using the AND logic, i.e., the rule must satisfy all specified attributes at the same time to be executed.

If multiple values are set for one condition key at the same time, these values will be checked using the OR logic, i.e., the condition key may satisfy any of the specified values for the rule to be executed.

See also

Previous
DeleteBucketPolicy
Next
Actions