Data schema
Updated at November 11, 2025
Data schema in JSON format:
```
{
  "Version" : "string",
  "Id" : "string",
  "Statement" : [
    {
      "Sid" : "string",
      ("Principal" | "NotPrincipal") : ("*" | "CanonicalUser" : [
        "string",
        ...
      ]),
      "Effect" : ("Allow" | "Deny"),
      "Action" : ("*" | [
        "string",
        ...
      ]),
      "Resource" : ("*" | [
        "string",
        ...
      ]),
      "Condition" : {
        "condition_type_string" : {
          "condition_key_string" : [[("string" | "number" | "Boolean"),...]...]
        },
        ...
      }
    },
    ...
  ]
}
```
A schema may include up to 10,240 characters.
Description of schema parameters:
| Parameter | Description |
|---|---|
| Version | string (optional) Access policy description version. Examples: `2012-10-17`. |
| Id | string (optional) General info on the policy. Some Yandex Cloud services require a unique value. This is a user-defined parameter. Examples: `test-policy`, `Anonymous access policy`, `hrtk43sau2s8gqkaje06`. |
| Statement[]. | array Access policy rules. If a no-rule bucket policy is applied to the bucket, access will be denied to all users. To disable request verification for a bucket policy, delete it. |
| Statement[].Sid | string Rule ID (optional). This is a user-defined parameter. Examples: `test-rule`, `Statement Allow`, `Statement Deny`. |
| Statement[].Principal | string ID of the subject of the requested permission (optional). The recipient can be a user or service account. The possible values are: `*`, `<subject_ID>`. |
| Statement[].NotPrincipal | string ID of the subject that will not get the requested permission (optional). The subject can be a user or service account. The possible values are: `<subject_ID>`. |
| Statement[].Effect | string Denies or allows the requested action. The possible values are `Allow` and `Deny`. |
| Statement[].Action | string Action if the policy triggers. The possible values are `s3:GetObject` and `s3:PutObject`. |
| Statement[].Resource | string Resource the action will be performed on. The possible values are: `arn:aws:s3:::samplebucket` and `arn:aws:s3:::samplebucket/*`. |
| Statement[].Condition{}. | string Condition to check (optional). If several conditions are set for the rule at the same time, they will apply using the AND logic, i.e., to be executed, the rule must satisfy all the specified conditions at the same time. For the `aws:sourceip` condition, a special procedure for checking IP addresses of reverse proxy servers is supported. |
| Statement[].Condition{}.condition_type_string{}. | string Condition type. The possible values are `StringEquals` and `Bool`. For a full list of values, see Comparison operators. |
| Statement[].Condition{}.condition_type_string{}.condition_key_string | string Condition key. Defines the condition to check. The possible values are: `aws:PrincipalType`, `true`. If several keys are specified for one condition at the same time, these will be checked using the AND logic, i.e., to be executed, the rule must satisfy all the specified properties at the same time. If several values are specified for one condition key at the same time, these will be checked with the logical OR, i.e., for the rule to be executed, the condition key may satisfy any of the specified values. |
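
A pre-deployment check of a policy document against the schema and table above, as an added example that is not part of the original documentation or of any Yandex Cloud tooling. The function name `lint_policy`, the sample policy, and the final heuristic (flagging an unconditional `Allow` for `Principal` `*`) are assumptions made for illustration.

```python
import json

MAX_CHARS = 10_240  # size limit stated on this page
RULE_KEYS = {"Sid", "Principal", "NotPrincipal", "Effect",
             "Action", "Resource", "Condition"}

def lint_policy(text):
    """Return findings for a bucket policy supplied as JSON text."""
    findings = []
    if len(text) > MAX_CHARS:
        findings.append(f"policy has {len(text)} characters, limit is {MAX_CHARS}")
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return findings + [f"not valid JSON: {exc.msg}"]
    rules = policy.get("Statement") if isinstance(policy, dict) else None
    if not isinstance(rules, list):
        return findings + ["Statement must be an array"]
    if not rules:
        findings.append("Statement is empty: access is denied to all users")
    for i, rule in enumerate(rules):
        where = f"Statement[{i}]"
        if not isinstance(rule, dict):
            findings.append(f"{where}: rule must be an object")
            continue
        for key in sorted(set(rule) - RULE_KEYS):
            findings.append(f"{where}: unknown key {key!r}")
        if "Principal" in rule and "NotPrincipal" in rule:
            findings.append(f"{where}: Principal and NotPrincipal are alternatives")
        if rule.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{where}: Effect must be Allow or Deny")
        cond = rule.get("Condition")
        if cond is not None and not isinstance(cond, dict):
            findings.append(f"{where}: Condition must be an object")
        # Review heuristic (assumption, not a schema rule): an unconditional
        # Allow for Principal "*" grants the action to every subject.
        if rule.get("Effect") == "Allow" and rule.get("Principal") == "*" and not cond:
            findings.append(f"{where}: unconditional Allow for every principal")
    return findings

# Constructed sample policy; the bucket name comes from the page's examples.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "open-read", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::samplebucket/*"]},
    {"Sid": "typo", "Effect": "allow", "Principal": "*",
     "NotPrincipal": {"CanonicalUser": ["<subject_ID>"]},
     "Action": "*", "Resource": "*", "Codition": {}},
]})

if __name__ == "__main__":
    print("\n".join(lint_policy(SAMPLE)))
```

The misspelled `Codition` key in the second sample rule is the kind of error worth catching before upload: the condition the author intended is not under the key the schema defines.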