桶(Bucket)是 TOS 的全局唯一的命名空间,相当于数据的容器,用来储存对象(Object)数据。TOS 中权限控制通过 IAM Policy、桶 Policy、桶和对象 ACL 实现。桶 Policy 和 ACL 都是基于 TOS 资源的权限控制策略,桶 Policy 相较于桶 ACL,具备更灵活的权限配置。本文介绍如何设置、获取和删除桶的授权策略(Policy)。
注意
设置桶策略前,您必须具有 tos:PutBucketPolicy 权限,具体操作请参见权限配置指南。拥有 tos:PutBucketPolicy 权限的用户可以任意更改桶策略,并可以通过此权限获取其他权限,建议您谨慎配置。以下代码用于设置存储桶策略。
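package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"os"

	"github.com/volcengine/ve-tos-golang-sdk/v2/tos"
)

// checkErr reports a TOS SDK error in as much detail as the error type
// carries and then panics; a nil err is a no-op.
//
// Server-side errors (*tos.TosServerError) expose the request ID and the
// HTTP status/code/message of the response, which is what is needed to
// trace a rejected request on the service side. Client-side errors
// (*tos.TosClientError) carry the underlying cause. Any other error is
// printed as-is.
func checkErr(err error) {
	if err == nil {
		return
	}
	var serverErr *tos.TosServerError
	var clientErr *tos.TosClientError
	switch {
	// errors.As also matches an SDK error that was wrapped by a caller.
	case errors.As(err, &serverErr):
		fmt.Println("Error:", serverErr.Error())
		fmt.Println("Request ID:", serverErr.RequestID)
		fmt.Println("Response Status Code:", serverErr.StatusCode)
		fmt.Println("Response Header:", serverErr.Header)
		fmt.Println("Response Err Code:", serverErr.Code)
		fmt.Println("Response Err Msg:", serverErr.Message)
	case errors.As(err, &clientErr):
		fmt.Println("Error:", clientErr.Error())
		// Cause may be unset; guard so the error report itself cannot nil-deref.
		if clientErr.Cause != nil {
			fmt.Println("Client Cause Err:", clientErr.Cause.Error())
		}
	default:
		fmt.Println("Error:", err)
	}
	panic(err)
}

// main applies a bucket policy to a TOS bucket with PutBucketPolicyV2.
//
// Credentials are taken from the TOS_ACCESS_KEY / TOS_SECRET_KEY
// environment variables so that no secret is hard-coded in source.
func main() {
	var (
		accessKey = os.Getenv("TOS_ACCESS_KEY")
		secretKey = os.Getenv("TOS_SECRET_KEY")
		// Endpoint of the bucket's region; North China 2 (Beijing) is
		// used as the example: https://tos-cn-beijing.volces.com
		endpoint = "https://tos-cn-beijing.volces.com"
		region   = "cn-beijing"
		// Fill in the bucket name.
		bucketName = "*** Provide your bucket name ***"
		ctx        = context.Background()
	)
	// Fail fast on missing credentials instead of sending an unsigned request.
	if accessKey == "" || secretKey == "" {
		checkErr(errors.New("TOS_ACCESS_KEY and TOS_SECRET_KEY must be set"))
	}

	// Initialise the client.
	client, err := tos.NewClientV2(endpoint,
		tos.WithRegion(region),
		tos.WithCredentials(tos.NewStaticCredentials(accessKey, secretKey)))
	checkErr(err)

	// Bucket policy to apply.
	// NOTE: this sample statement uses a wildcard Principal and Action, so
	// it allows every caller (presumably including anonymous requests) to
	// perform every operation on the bucket and all objects in it. Narrow
	// "Principal" and "Action" to what is actually required before applying
	// such a policy to a real bucket.
	policy := map[string]interface{}{
		"Statement": []map[string]interface{}{
			{
				"Sid":       "internal public",
				"Effect":    "Allow",
				"Action":    []string{"*"},
				"Principal": "*",
				"Resource": []string{
					fmt.Sprintf("trn:tos:::%s/*", bucketName),
					fmt.Sprintf("trn:tos:::%s", bucketName),
				},
			},
		},
	}
	// The API takes the policy document as a JSON string.
	data, err := json.Marshal(policy)
	checkErr(err)

	// Set the bucket policy.
	putOutput, err := client.PutBucketPolicyV2(ctx, &tos.PutBucketPolicyV2Input{
		Bucket: bucketName,
		Policy: string(data),
	})
	checkErr(err)
	fmt.Println("PutBucketPolicyV2 Request ID:", putOutput.RequestID)
}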
注意
获取桶策略前,您必须具有 tos:GetBucketPolicy
权限,具体操作请参见权限配置指南。
以下代码用于获取存储桶策略。
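package main

import (
	"context"
	"errors"
	"fmt"
	"os"

	"github.com/volcengine/ve-tos-golang-sdk/v2/tos"
)

// checkErr reports a TOS SDK error in as much detail as the error type
// carries and then panics; a nil err is a no-op.
//
// Server-side errors (*tos.TosServerError) expose the request ID and the
// HTTP status/code/message of the response, which is what is needed to
// trace a rejected request on the service side. Client-side errors
// (*tos.TosClientError) carry the underlying cause. Any other error is
// printed as-is.
func checkErr(err error) {
	if err == nil {
		return
	}
	var serverErr *tos.TosServerError
	var clientErr *tos.TosClientError
	switch {
	// errors.As also matches an SDK error that was wrapped by a caller.
	case errors.As(err, &serverErr):
		fmt.Println("Error:", serverErr.Error())
		fmt.Println("Request ID:", serverErr.RequestID)
		fmt.Println("Response Status Code:", serverErr.StatusCode)
		fmt.Println("Response Header:", serverErr.Header)
		fmt.Println("Response Err Code:", serverErr.Code)
		fmt.Println("Response Err Msg:", serverErr.Message)
	case errors.As(err, &clientErr):
		fmt.Println("Error:", clientErr.Error())
		// Cause may be unset; guard so the error report itself cannot nil-deref.
		if clientErr.Cause != nil {
			fmt.Println("Client Cause Err:", clientErr.Cause.Error())
		}
	default:
		fmt.Println("Error:", err)
	}
	panic(err)
}

// main reads the policy currently attached to a TOS bucket with
// GetBucketPolicyV2 and prints it.
//
// Credentials are taken from the TOS_ACCESS_KEY / TOS_SECRET_KEY
// environment variables so that no secret is hard-coded in source.
func main() {
	var (
		accessKey = os.Getenv("TOS_ACCESS_KEY")
		secretKey = os.Getenv("TOS_SECRET_KEY")
		// Endpoint of the bucket's region; North China 2 (Beijing) is
		// used as the example: https://tos-cn-beijing.volces.com
		endpoint = "https://tos-cn-beijing.volces.com"
		region   = "cn-beijing"
		// Fill in the bucket name.
		bucketName = "*** Provide your bucket name ***"
		ctx        = context.Background()
	)
	// Fail fast on missing credentials instead of sending an unsigned request.
	if accessKey == "" || secretKey == "" {
		checkErr(errors.New("TOS_ACCESS_KEY and TOS_SECRET_KEY must be set"))
	}

	// Initialise the client.
	client, err := tos.NewClientV2(endpoint,
		tos.WithRegion(region),
		tos.WithCredentials(tos.NewStaticCredentials(accessKey, secretKey)))
	checkErr(err)

	// Get the bucket policy. The returned Policy is the raw JSON document.
	getOutput, err := client.GetBucketPolicyV2(ctx, &tos.GetBucketPolicyV2Input{Bucket: bucketName})
	checkErr(err)
	fmt.Println("GetBucketPolicyV2 Request ID:", getOutput.RequestID)
	fmt.Println("Policy:", getOutput.Policy)
}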
注意
删除桶策略前,您必须具有 tos:DeleteBucketPolicy
权限,具体操作请参见权限配置指南。
以下代码用于删除存储桶策略。
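package main

import (
	"context"
	"errors"
	"fmt"
	"os"

	"github.com/volcengine/ve-tos-golang-sdk/v2/tos"
)

// checkErr reports a TOS SDK error in as much detail as the error type
// carries and then panics; a nil err is a no-op.
//
// Server-side errors (*tos.TosServerError) expose the request ID and the
// HTTP status/code/message of the response, which is what is needed to
// trace a rejected request on the service side. Client-side errors
// (*tos.TosClientError) carry the underlying cause. Any other error is
// printed as-is.
func checkErr(err error) {
	if err == nil {
		return
	}
	var serverErr *tos.TosServerError
	var clientErr *tos.TosClientError
	switch {
	// errors.As also matches an SDK error that was wrapped by a caller.
	case errors.As(err, &serverErr):
		fmt.Println("Error:", serverErr.Error())
		fmt.Println("Request ID:", serverErr.RequestID)
		fmt.Println("Response Status Code:", serverErr.StatusCode)
		fmt.Println("Response Header:", serverErr.Header)
		fmt.Println("Response Err Code:", serverErr.Code)
		fmt.Println("Response Err Msg:", serverErr.Message)
	case errors.As(err, &clientErr):
		fmt.Println("Error:", clientErr.Error())
		// Cause may be unset; guard so the error report itself cannot nil-deref.
		if clientErr.Cause != nil {
			fmt.Println("Client Cause Err:", clientErr.Cause.Error())
		}
	default:
		fmt.Println("Error:", err)
	}
	panic(err)
}

// main removes the policy attached to a TOS bucket with
// DeleteBucketPolicyV2. After this call only IAM policies and ACLs
// govern access to the bucket, so make sure those still grant the
// access callers rely on.
//
// Credentials are taken from the TOS_ACCESS_KEY / TOS_SECRET_KEY
// environment variables so that no secret is hard-coded in source.
func main() {
	var (
		accessKey = os.Getenv("TOS_ACCESS_KEY")
		secretKey = os.Getenv("TOS_SECRET_KEY")
		// Endpoint of the bucket's region; North China 2 (Beijing) is
		// used as the example: https://tos-cn-beijing.volces.com
		endpoint = "https://tos-cn-beijing.volces.com"
		region   = "cn-beijing"
		// Fill in the bucket name.
		bucketName = "*** Provide your bucket name ***"
		ctx        = context.Background()
	)
	// Fail fast on missing credentials instead of sending an unsigned request.
	if accessKey == "" || secretKey == "" {
		checkErr(errors.New("TOS_ACCESS_KEY and TOS_SECRET_KEY must be set"))
	}

	// Initialise the client.
	client, err := tos.NewClientV2(endpoint,
		tos.WithRegion(region),
		tos.WithCredentials(tos.NewStaticCredentials(accessKey, secretKey)))
	checkErr(err)

	// Delete the bucket policy.
	deleteOutput, err := client.DeleteBucketPolicyV2(ctx, &tos.DeleteBucketPolicyV2Input{Bucket: bucketName})
	checkErr(err)
	fmt.Println("DeleteBucketPolicyV2 Request ID:", deleteOutput.RequestID)
}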
关于存储桶策略的更多信息,请参见存储桶授权策略管理。