Details for Object Storage, Archive Storage, and Data Transfer

This topic covers details for writing policies to control access to Archive Storage, Object Storage, and Data Transfer.

Tip

The object lifecycle policies feature requires that you grant permissions to the Object Storage service to archive and delete objects on your behalf. See Using Object Lifecycle Policies for more information.

Resource-Types

Individual Resource-Types

objectstorage-namespaces

buckets

objects

Aggregate Resource-Type

object-family

A policy that uses <verb> object-family is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types.

See the table in Details for Verb + Resource-Type Combinations for details of the API operations covered by each verb, for each individual resource-type included in object-family.

Additional Individual Resource-Type for Data Transfer

data-transfer-jobs

Supported Variables

Object Storage supports all the general variables (see General Variables for All Requests), plus the ones listed here:

Operations for This Resource-Type... Can Use This Variable Variable Type Comments
buckets and objects target.bucket.name String Use this variable to control access to a specific bucket. For an example policy, see Let users write objects to Object Storage buckets. Important: Condition matching is case insensitive. If you have a bucket named "BucketA" and a bucket named "bucketA", the condition where target.bucket.name="BucketA" applies to both. To avoid potential issues with resource names in policy, give your resources distinct names.
buckets and objects request.vcn.id String If you're using a service gateway with your VCN, you can use this variable to allow access to a bucket only from a specific virtual cloud network (VCN). For an example policy, see Task 4: (Optional) Update IAM Policies to Restrict Object Storage Bucket Access.
Note

The request.ipv4.ipaddress variable is deprecated. Instead, you can use IAM IP-based filtering to restrict access to an IP address or ranges of addresses. For more information, see Managing Network Sources.

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For object-family Resource Types

objectstorage-namespaces
Verbs Permissions APIs Fully Covered APIs Partially Covered
read

None

GetNamespace

none

manage

OBJECTSTORAGE_NAMESPACE_READ

GetNamespace with optional compartmentId parameter

GetNamespaceMetadata

None

READ +

OBJECTSTORAGE_NAMESPACE_UPDATE

READ +

UpdateNamespaceMetadata

none

buckets
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

BUCKET_INSPECT

HeadBucket

ListBuckets

none

read

INSPECT +

BUCKET_READ

INSPECT +

GetBucket

ListMultipartUploads

GetObjectLifecyclePolicy

GetRetentionRule

ListRetentionRules

GetReplicationPolicy

ListReplicationPolicies

ListReplicationSources

none

use

READ +

BUCKET_UPDATE

READ +

UpdateBucket

DeleteObjectLifecyclePolicy

ReencryptBucket

PutObjectLifecyclePolicy

USE +

BUCKET_CREATE

BUCKET_DELETE

PAR_MANAGE

RETENTION_RULE_MANAGE

RETENTION_RULE_LOCK (if using optional rule locking)

USE +

CreateBucket

DeleteBucket

CreatePar

GetPar

ListPar

DeletePar

CreateRetentionRule

UpdateRetentionRule

DeleteRetentionRule

CreateReplicationPolicy, DeleteReplicationPolicy, MakeBucketWritable (these operations also need manage objects)

objects
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

OBJECT_INSPECT

HeadObject

ListObjects

ListMultipartUploadParts

none

read

INSPECT +

OBJECT_READ

INSPECT +

GetObject

none

use

READ +

OBJECT_OVERWRITE

READ +

ReencryptObject

READ +

PutObject (USE allows PutObject to overwrite existing objects, but creating a new object also requires OBJECT_CREATE)

CreateMultipartUpload, UploadPart, CommitMultipartUpload (these operations also need manage objects)

manage

USE +

OBJECT_CREATE

OBJECT_DELETE

OBJECT_VERSION_DELETE

OBJECT_RESTORE

USE +

CreateObject

RenameObject

RestoreObject

DeleteObject

DeleteObjectVersion

CreateMultipartUpload

UploadPart

CommitMultipartUpload

AbortMultipartUpload

PutObjectLifecyclePolicy (also needs manage objects)

CreateReplicationPolicy, DeleteReplicationPolicy, MakeBucketWritable (these operations also need manage buckets)

 
data-transfer-jobs

Policies for data transfer jobs also require either manage objects or manage objects and manage buckets. See Creating the Required IAM Users, Groups, and Policies for details.

Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

TRANSFER_JOB_INSPECT

no customer-facing API

no customer-facing API

read

INSPECT +

TRANSFER_JOB_READ

INSPECT +

no customer-facing API

no customer-facing API

use

READ +

TRANSFER_JOB_UPDATE

READ +

no customer-facing API

READ +

no customer-facing API

manage

USE +

TRANSFER_JOB_CREATE

TRANSFER_JOB_DELETE

USE +

no customer-facing API

USE +

no customer-facing API

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type.

For information about permissions, see Permissions.

API Operation Permissions Required to Use the Operation
GetNamespace

API requires no permissions and returns the caller's namespace. Use the API to validate your credentials.

OBJECTSTORAGE_NAMESPACE_READ permission is required if you include the optional compartmentId parameter. Use the compartmentId parameter to determine the namespace for a third-party tenancy.

GetNamespaceMetadata OBJECTSTORAGE_NAMESPACE_READ
UpdateNamespaceMetadata OBJECTSTORAGE_NAMESPACE_UPDATE
CreateBucket BUCKET_CREATE
UpdateBucket BUCKET_UPDATE
GetBucket BUCKET_READ
HeadBucket BUCKET_INSPECT
ListBuckets BUCKET_INSPECT
DeleteBucket BUCKET_DELETE
ReencryptBucket BUCKET_UPDATE
PutObject

The permission required depends on whether or not the object already exists in the bucket:

  • OBJECT_CREATE is required when an object with that name does not already exist in the bucket.
  • OBJECT_OVERWRITE is required when an object with that name already exists in the bucket.
RenameObject OBJECT_CREATE and OBJECT_OVERWRITE
GetObject OBJECT_READ
HeadObject OBJECT_READ or OBJECT_INSPECT
DeleteObject OBJECT_DELETE
DeleteObjectVersion OBJECT_VERSION_DELETE
ListObjects OBJECT_INSPECT
ReencryptObject OBJECT_READ & OBJECT_OVERWRITE
RestoreObjects OBJECT_RESTORE
CreateMultipartUpload OBJECT_CREATE and OBJECT_OVERWRITE
UploadPart OBJECT_CREATE and OBJECT_OVERWRITE
CommitMultipartUpload OBJECT_CREATE and OBJECT_OVERWRITE
ListMultipartUploadParts OBJECT_INSPECT
ListMultipartUploads BUCKET_READ
AbortMultipartUpload OBJECT_DELETE
CreatePar PAR_MANAGE
GetPar PAR_MANAGE
ListPars PAR_MANAGE
DeletePar PAR_MANAGE
PutObjectLifecyclePolicy BUCKET_UPDATE, OBJECT_CREATE, and OBJECT_DELETE
GetObjectLifecyclePolicy BUCKET_READ
DeleteObjectLifecyclePolicy BUCKET_UPDATE
CreateRetentionRule BUCKET_UPDATE & RETENTION_RULE_MANAGE (& RETENTION_RULE_LOCK)
GetRetentionRule BUCKET_READ
ListRetentionRule BUCKET_READ
UpdateRetentionRule BUCKET_UPDATE & RETENTION_RULE_MANAGE (& RETENTION_RULE_LOCK)
DeleteRetentionRule BUCKET_UPDATE & RETENTION_RULE_MANAGE
CreateCopyRequest OBJECT_READ, OBJECT_CREATE, OBJECT_OVERWRITE, and OBJECT_INSPECT
GetWorkRequest OBJECT_READ
ListWorkRequests OBJECT_INSPECT
CancelWorkRequest OBJECT_DELETE
CreateReplicationPolicy OBJECT_READ, OBJECT_CREATE, OBJECT_OVERWRITE, OBJECT_INSPECT, OBJECT_DELETE, OBJECT_RESTORE, BUCKET_READ, and BUCKET_UPDATE
GetReplicationPolicy BUCKET_READ
DeleteReplicationPolicy OBJECT_READ, OBJECT_CREATE, OBJECT_OVERWRITE, OBJECT_INSPECT, OBJECT_DELETE, OBJECT_RESTORE, BUCKET_READ, and BUCKET_UPDATE
ListReplicationPolicies BUCKET_READ
ListReplicationSources BUCKET_READ
MakeBucketWritable OBJECT_READ, OBJECT_CREATE, OBJECT_OVERWRITE, OBJECT_INSPECT, OBJECT_DELETE, BUCKET_READ, and BUCKET_UPDATE