Oracle Cloud Infrastructure Documentation

Details for Object Storage, Archive Storage, and Data Transfer

This topic covers details for writing policies to control access to Archive Storage, Object Storage, and Data Transfer.

Tip

The object lifecycle policies feature requires that you grant permissions to the Object Storage service to archive and delete objects on your behalf. See Using Object Lifecycle Policies for more information.

Resource-Types

Individual Resource-Types

objectstorage-namespaces

buckets

objects

Aggregate Resource-Type

object-family

A policy that uses <verb> object-family is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types.

See the table in Details for Verb + Resource-Type Combinations for a detailed breakout of the API operations covered by each verb, for each individual resource-type included in object-family.

Additional Individual Resource-Type for Data Transfer

data-transfer-jobs

Supported Variables

Object Storage supports all the general variables (see General Variables for All Requests), plus the ones listed here:

Operations for This Resource-Type... | Can Use This Variable | Variable Type | Comments
buckets and objects | target.bucket.name | String | Use this variable to control access to a specific bucket. For an example policy, see Let users write objects to Object Storage buckets.
buckets and objects | request.vcn.id | String | If you're using a service gateway with your VCN, you can use this variable to allow access to a bucket only from a specific virtual cloud network (VCN). For an example policy, see Task 4: (Optional) Update IAM Policies.
buckets and objects | request.ipv4.ipaddress | String | If you're using a service gateway with your VCN, you can use this variable to allow access to a bucket only from a specific CIDR range. For an example policy, see Task 4: (Optional) Update IAM Policies.
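The statements below are an added example, not policies from the original page, showing how target.bucket.name and request.vcn.id are used in policy conditions. The group names (ObjectWriters, AppServers), the compartment name (Prod), the bucket name (app-uploads) and the VCN OCID are placeholders, and the lines beginning with # are annotations for this page, not policy syntax, so remove them before pasting a statement.

```text
# Constructed example: members of ObjectWriters may write objects only into the
# bucket named app-uploads in compartment Prod; any other bucket name fails the
# target.bucket.name condition.
Allow group ObjectWriters to manage objects in compartment Prod where target.bucket.name = 'app-uploads'

# Constructed example: reads of buckets and objects in Prod are allowed only when
# the request arrives through the service gateway of one specific VCN.
# ocid1.vcn.oc1.<region>.<placeholder> is a placeholder, not a real OCID.
Allow group AppServers to read object-family in compartment Prod where request.vcn.id = 'ocid1.vcn.oc1.<region>.<placeholder>'

# Constructed example: all { ... } requires every condition to hold, so the grant
# is scoped to one bucket and one source VCN at the same time.
Allow group AppServers to read objects in compartment Prod where all {request.vcn.id = 'ocid1.vcn.oc1.<region>.<placeholder>', target.bucket.name = 'app-uploads'}
```

The second and third statements only take effect for traffic that reaches Object Storage through the service gateway, because request.vcn.id is populated from that path; requests coming over the public internet carry no VCN identity and are denied by these statements.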

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For object-family Resource Types

objectstorage-namespaces
buckets
objects
data-transfer-jobs

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type.

For information about permissions, see Permissions.

API Operation | Permissions Required to Use the Operation
GetNamespace | The API requires no permissions and returns the caller's namespace. Use the API to validate your credentials.
GetNamespaceMetadata | OBJECTSTORAGE_NAMESPACE_READ
UpdateNamespaceMetadata | OBJECTSTORAGE_NAMESPACE_UPDATE
CreateBucket | BUCKET_CREATE
UpdateBucket | BUCKET_UPDATE
GetBucket | BUCKET_READ
HeadBucket | BUCKET_INSPECT
ListBuckets | BUCKET_INSPECT
DeleteBucket | BUCKET_DELETE
PutObject | The permission required depends on whether or not the object already exists in the bucket: OBJECT_CREATE is required when an object with that name does not already exist in the bucket; OBJECT_OVERWRITE is required when an object with that name already exists in the bucket.
RenameObject | OBJECT_CREATE and OBJECT_OVERWRITE
GetObject | OBJECT_READ
HeadObject | OBJECT_READ or OBJECT_INSPECT
DeleteObject | OBJECT_DELETE
ListObjects | OBJECT_INSPECT
RestoreObjects | OBJECT_RESTORE
CreateMultipartUpload | OBJECT_CREATE and OBJECT_OVERWRITE
UploadPart | OBJECT_CREATE and OBJECT_OVERWRITE
CommitMultipartUpload | OBJECT_CREATE and OBJECT_OVERWRITE
ListMultipartUploadParts | OBJECT_INSPECT
ListMultipartUploads | BUCKET_READ
AbortMultipartUpload | OBJECT_DELETE
CreatePar | PAR_MANAGE
GetPar | PAR_MANAGE
ListPars | PAR_MANAGE
DeletePar | PAR_MANAGE
PutObjectLifecyclePolicy | BUCKET_UPDATE, OBJECT_CREATE, and OBJECT_DELETE
GetObjectLifecyclePolicy | BUCKET_READ
DeleteObjectLifecyclePolicy | BUCKET_UPDATE
CreateCopyRequest | OBJECT_READ, OBJECT_CREATE, OBJECT_OVERWRITE, and OBJECT_INSPECT
GetWorkRequest | OBJECT_READ
ListWorkRequests | OBJECT_INSPECT
CancelWorkRequest | OBJECT_DELETE
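The statements below are an added example, not policies from the original page, showing how the per-operation permissions in the table translate into least-privilege grants using the request.permission condition. They also cover the Tip above about granting the Object Storage service permission for lifecycle rules. The group names (DropboxUploaders, LifecycleAdmins), the compartment name (Prod) and the bucket name (inbound-drop) are placeholders; the service principal name objectstorage-<region_identifier> is assumed from the regional naming scheme and should be checked against the Using Object Lifecycle Policies topic. Lines beginning with # are annotations for this page, not policy syntax.

```text
# Constructed example: a write-once drop bucket. Per the table, PutObject for a
# name that does not yet exist needs only OBJECT_CREATE. RenameObject, UploadPart
# and CreateMultipartUpload also need OBJECT_OVERWRITE, DeleteObject needs
# OBJECT_DELETE, and GetObject needs OBJECT_READ, so none of those succeed with
# this grant: existing objects cannot be replaced, read or removed by this group.
Allow group DropboxUploaders to manage objects in compartment Prod where all {target.bucket.name = 'inbound-drop', request.permission = 'OBJECT_CREATE'}

# Constructed example: administrators of lifecycle rules. The table lists
# PutObjectLifecyclePolicy as needing BUCKET_UPDATE, OBJECT_CREATE and
# OBJECT_DELETE, and GetObjectLifecyclePolicy as needing BUCKET_READ, so only
# those permissions are granted rather than full manage on buckets and objects.
Allow group LifecycleAdmins to manage buckets in compartment Prod where any {request.permission = 'BUCKET_UPDATE', request.permission = 'BUCKET_READ'}
Allow group LifecycleAdmins to manage objects in compartment Prod where any {request.permission = 'OBJECT_CREATE', request.permission = 'OBJECT_DELETE'}

# The rules themselves are executed by the Object Storage service, which archives
# and deletes objects on your behalf and therefore needs its own grant (see the Tip
# at the top of this topic). Service principal name assumed, as noted above.
Allow service objectstorage-<region_identifier> to manage object-family in compartment Prod
```

One caveat from the table for the drop-bucket grant: HeadObject needs OBJECT_READ or OBJECT_INSPECT and ListObjects needs OBJECT_INSPECT, so a client that checks for an existing object or lists the bucket before uploading will be denied; if that behaviour is required, add request.permission = 'OBJECT_INSPECT' to the condition, which still withholds overwrite, read and delete. Because the grants are expressed as named permissions rather than verbs, the effect is the same regardless of which verb (inspect, read, use, manage) appears in the statement.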