Details for Object Storage, Archive Storage, and Data Transfer
This topic covers details for writing policies to control access to Archive Storage, Object Storage, and Data Transfer.
Tip
The object lifecycle policies feature requires that you grant permissions to the Object Storage service to archive and delete objects on your behalf. See Using Object Lifecycle Policies for more information.
Resource-Types
Individual Resource-Types
objectstorage-namespaces
buckets
objects
Aggregate Resource-Type
object-family
A policy that uses <verb> object-family is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types.
target.bucket.name
Use this variable to control access to a specific bucket.
Important: Condition matching is case insensitive. If you have a bucket named "BucketA" and a bucket named "bucketA", the condition where target.bucket.name="BucketA" applies to both. To avoid potential issues with resource names in policy, give your resources distinct names.
Use this variable to control access to buckets that have a specific tag. See Let users write objects to Object Storage buckets. Important: You cannot use this variable for CreateBucket operations or for operations that involve multiple buckets, such as ListBuckets.
objects
target.object.name (String and Patterns)
Use this variable to control access to a specific object or to objects matching a pattern.
Note
The request.ipv4.ipaddress and request.vcn.id variables are deprecated. Instead of using these variables, create a network source to specify either an IP address range or a specific VCN ID. You can then use the network source in your policy to restrict access to only requests coming from the allowed networks. For more information, see Overview of Network Sources.
Details for Verb + Resource-Type Combinations
The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. For example, a group that can use a resource can also inspect and read that resource. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
The following table lists the API operations in a logical order, grouped by resource type.
For information about permissions, see Permissions.
API Operation: Permissions Required to Use the Operation
GetNamespace: No permissions are required; the API returns the caller's namespace. Use it to validate your credentials. OBJECTSTORAGE_NAMESPACE_READ is required if you include the optional compartmentId parameter, which is used to determine the namespace for a third-party tenancy.
GetNamespaceMetadata: OBJECTSTORAGE_NAMESPACE_READ
UpdateNamespaceMetadata: OBJECTSTORAGE_NAMESPACE_UPDATE
CreateBucket: BUCKET_CREATE
UpdateBucket: BUCKET_UPDATE
GetBucket: BUCKET_READ
HeadBucket: BUCKET_INSPECT
ListBuckets: BUCKET_INSPECT
DeleteBucket: BUCKET_DELETE
ReencryptBucket: BUCKET_UPDATE
PutObject: The permission required depends on whether the object already exists in the bucket. OBJECT_CREATE is required when no object with that name exists in the bucket; OBJECT_OVERWRITE is required when an object with that name already exists.
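The following policy statements are an added example, not part of the original page, showing how the distinctions above combine: granting OBJECT_CREATE without OBJECT_OVERWRITE yields a write-once bucket, and a network source replaces the deprecated request.ipv4.ipaddress variable. The group, compartment, bucket and network source names are assumed, and the lines starting with # are annotations rather than policy syntax.

```text
# Write-once ingest: members can create and list objects in one bucket but cannot overwrite
# or delete them, because OBJECT_OVERWRITE and OBJECT_DELETE are not among the permitted
# request.permission values (PutObject on an existing name is denied).
# Assumed names: group LogShippers, compartment SecurityLogs, bucket security-logs-ingest.
Allow group LogShippers to manage objects in compartment SecurityLogs where all {target.bucket.name='security-logs-ingest', any {request.permission='OBJECT_CREATE', request.permission='OBJECT_INSPECT'}}

# target.bucket.name matching is case insensitive, so a bucket named 'Security-Logs-Ingest'
# would also satisfy the condition above; keep bucket names distinct rather than relying on case.

# Read access to buckets and objects (the read verb also includes inspect), limited to requests
# arriving from an allowed network. The network source 'corpnet-source' is assumed; it is the
# replacement for a request.ipv4.ipaddress condition.
Allow group LogReaders to read object-family in compartment SecurityLogs where request.networkSource.name='corpnet-source'
```

Because verbs are cumulative, the read statement grants HeadBucket, ListBuckets and GetBucket (BUCKET_INSPECT and BUCKET_READ) as well as object reads, but none of the BUCKET_UPDATE or BUCKET_DELETE operations listed above.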