
Typical IAM policy examples

Last updated: 2023.12.07 20:39:36

First published: 2022.03.17 10:33:29

This article lists common IAM policy documents so that you can pick one and use it directly.

Authorization policies

Grant an IAM user all permissions on bucket test

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "tos:*"
      ],
      "Resource": [
        "trn:tos:::test",
        "trn:tos:::test/*"
      ]
    }
  ]
}

Grant an IAM user read-only permission on bucket test

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "tos:Get*"
      ],
      "Resource": [
        "trn:tos:::test",
        "trn:tos:::test/*"
      ]
    }
  ]
}

Grant an IAM user permission to create buckets

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "tos:CreateBucket"
      ],
      "Resource": [
        "trn:tos:::*"
      ]
    }
  ]
}

Grant an IAM user permission to list buckets

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "tos:ListBuckets"
      ],
      "Resource": [
        "trn:tos:::*"
      ]
    }
  ]
}

Grant an IAM user permission to list objects under the abc directory (and its subdirectories) in bucket test

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "tos:ListBucket"
      ],
      "Resource": [
        "trn:tos:::test"
      ],
      "Condition": {
          "StringLike": {
              "tos:prefix": [
                "abc/*"
              ]
          }
      }
    }
  ]
}

Deny policies

Note

If the policies granted to a user contain both an Allow and a Deny for the same authorization item, the Deny takes precedence.

Deny an IAM user permission to upload objects to bucket test

{
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "tos:PutObject"
      ],
      "Resource": [
        "trn:tos:::test/*"
      ]
    }
  ]
}

Deny an IAM user permission to delete bucket test

{
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "tos:DeleteBucket"
      ],
      "Resource": [
        "trn:tos:::test"
      ]
    }
  ]
}

Deny an IAM user permission to delete objects whose key starts with the prefix abc in bucket test

{
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "tos:DeleteObject"
      ],
      "Resource": [
        "trn:tos:::test/abc*"
      ]
    }
  ]
}
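The examples in both the authorization and the deny sections rest on three evaluation rules: Action and Resource are matched with "*" wildcards, a StringLike Condition on tos:prefix narrows a ListBucket grant, and an explicit Deny overrides any Allow regardless of order. The evaluator below is an added illustration of those rules written for this page; it is not Volcengine's policy engine and assumes a simplified model (only the StringLike operator, "*" matching any run of characters including "/", case-sensitive comparison). The policy documents it loads are constructed copies of the ones shown above, so you can check how a given request would be decided before attaching a policy to a user.

```python
"""Toy evaluator for TOS-style IAM policy documents (added illustration, not
Volcengine's real engine).  Models: glob matching of Action and Resource,
a StringLike Condition on tos:prefix, and Deny overriding Allow."""
import fnmatch

# Constructed sample policies, copied in shape from the examples on this page.
ALLOW_ALL_ON_TEST = {"Statement": [{
    "Effect": "Allow",
    "Action": ["tos:*"],
    "Resource": ["trn:tos:::test", "trn:tos:::test/*"],
}]}

READ_ONLY_ON_TEST = {"Statement": [{
    "Effect": "Allow",
    "Action": ["tos:Get*"],
    "Resource": ["trn:tos:::test", "trn:tos:::test/*"],
}]}

LIST_ABC_PREFIX = {"Statement": [{
    "Effect": "Allow",
    "Action": ["tos:ListBucket"],
    "Resource": ["trn:tos:::test"],
    "Condition": {"StringLike": {"tos:prefix": ["abc/*"]}},
}]}

DENY_PUT_ON_TEST = {"Statement": [{
    "Effect": "Deny",
    "Action": ["tos:PutObject"],
    "Resource": ["trn:tos:::test/*"],
}]}

DENY_DELETE_ABC = {"Statement": [{
    "Effect": "Deny",
    "Action": ["tos:DeleteObject"],
    "Resource": ["trn:tos:::test/abc*"],
}]}


def _glob(pattern, value):
    # Assumption of this toy model: '*' matches any characters, including '/',
    # and the comparison is case-sensitive.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    # Only StringLike is modelled because it is the only operator the page
    # uses; every listed key must be present and match at least one pattern.
    for operator, keys in condition.items():
        if operator != "StringLike":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, patterns in keys.items():
            value = context.get(key)
            if value is None or not any(_glob(p, value) for p in patterns):
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.

    An explicit Deny wins wherever it appears, so the order in which the
    policies are attached to the user never changes the outcome."""
    context = context or {}
    decision = "ImplicitDeny"  # nothing matched: the request is refused
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_glob(a, action) for a in stmt["Action"]):
                continue
            if not any(_glob(r, resource) for r in stmt["Resource"]):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    # A user holding the "all permissions on test" grant plus the two object
    # level denies: the denies carve holes out of the broad Allow.
    user = [ALLOW_ALL_ON_TEST, DENY_PUT_ON_TEST, DENY_DELETE_ABC]
    requests = [
        ("tos:GetObject", "trn:tos:::test/abc/x"),
        ("tos:PutObject", "trn:tos:::test/abc/x"),
        ("tos:DeleteObject", "trn:tos:::test/abcfile"),
        ("tos:DeleteObject", "trn:tos:::test/def"),
        ("tos:GetObject", "trn:tos:::other/x"),
    ]
    for act, res in requests:
        print(f"{act:18} {res:28} -> {evaluate(user, act, res)}")
```

Two details worth noticing when you run it: the ListBucket grant with a tos:prefix condition only allows a listing whose prefix parameter is under abc/, so a listing with no prefix at all is refused, and the Resource "trn:tos:::test/abc*" in the last deny policy matches any key beginning with abc, not only keys inside an abc/ directory.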