Details for Object Storage, Archive Storage, and Data Transfer
This topic covers details for writing policies to control access to Archive Storage, Object Storage, and Data Transfer.
The object lifecycle policies feature requires that you grant permissions to the Object Storage service to archive and delete objects on your behalf. See Using Object Lifecycle Policies for more information.
Resource-Types
Individual Resource-Types
objectstorage-namespaces
buckets
objects
Aggregate Resource-Type
object-family
A policy that uses <verb> object-family is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types. See the table in Details for Verb + Resource-Type Combinations for details of the API operations covered by each verb, for each individual resource-type included in object-family.
Additional Individual Resource-Type for Data Transfer
data-transfer-jobs
Supported Variables
Object Storage supports all the general variables (see General Variables for All Requests), plus the ones listed here:
Operations for This Resource-Type... | Can Use This Variable | Variable Type | Comments |
---|---|---|---|
buckets and objects | target.bucket.name | String and Patterns | Use this variable to control access to a specific bucket. Important: Condition matching is case insensitive. If you have a bucket named "BucketA" and a bucket named "bucketA", the condition where target.bucket.name="BucketA" applies to both. To avoid potential issues with resource names in policy, give your resources distinct names. |
buckets and objects | target.bucket.tag.<TagNamespace>.<TagKeyDefinition> | String | Use this variable to control access to the buckets that have the specific tag. See Let users write objects to Object Storage buckets. Important: You cannot use this variable for CreateBucket operations or for operations that involve multiple buckets, such as ListBuckets. |
objects | target.object.name | String and Patterns | Use this variable to control access to a specific object or to objects matching a pattern. |
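Added example (not from the page or the service's documentation): a small Python checker for the case-insensitivity caveat in the table above. It evaluates a target.bucket.name condition the way the page describes, case-insensitively, and reports names in a bucket inventory that differ only by case, which is exactly the situation the page recommends avoiding. The condition syntax it accepts (a quoted literal, or /pattern/ with * as the wildcard) and the sample bucket names are assumptions made for the illustration, not the service's parser.

```python
import re
from collections import defaultdict

# Assumed shapes of a target.bucket.name condition (illustrative parser, not the service's own):
#   target.bucket.name = 'BucketA'   exact value (double quotes accepted too, as written on the page)
#   target.bucket.name = /*_prod/    pattern, where '*' matches any run of characters
CONDITION_RE = re.compile(
    r"target\.bucket\.name\s*=\s*(?:(?P<q>['\"])(?P<literal>[^'\"]*)(?P=q)|/(?P<pattern>[^/]*)/)"
)


def parse_bucket_condition(condition):
    """Return ('literal', value) or ('pattern', value) for one target.bucket.name condition."""
    m = CONDITION_RE.fullmatch(condition.strip())
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    if m.group("literal") is not None:
        return "literal", m.group("literal")
    return "pattern", m.group("pattern")


def condition_matches(condition, bucket_name):
    """Evaluate the condition the way the page says the service does: case-insensitively."""
    kind, value = parse_bucket_condition(condition)
    if kind == "literal":
        # casefold() is the right tool for case-insensitive equality on Unicode names
        return value.casefold() == bucket_name.casefold()
    # Translate the policy wildcard into a regex; only '*' is special, everything else is literal.
    regex = ".*".join(re.escape(part) for part in value.split("*"))
    return re.fullmatch(regex, bucket_name, flags=re.IGNORECASE) is not None


def buckets_matched_by(condition, bucket_names):
    """All inventory names the condition would apply to (the policy's real blast radius)."""
    return sorted(b for b in bucket_names if condition_matches(condition, b))


def find_case_collisions(bucket_names):
    """Group names that differ only by case: a policy condition cannot tell these apart."""
    groups = defaultdict(list)
    for name in bucket_names:
        groups[name.casefold()].append(name)
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}


# Constructed sample inventory for the demonstration (not real bucket names)
SAMPLE_BUCKETS = ["BucketA", "bucketA", "logs_prod", "LOGS_PROD", "logs_dev"]

if __name__ == "__main__":
    print(buckets_matched_by("target.bucket.name = 'BucketA'", SAMPLE_BUCKETS))
    print(buckets_matched_by("target.bucket.name = /*_prod/", SAMPLE_BUCKETS))
    print(find_case_collisions(SAMPLE_BUCKETS))
```

Running find_case_collisions over a real inventory before writing a name-scoped policy tells you whether a condition meant for one bucket will silently cover another; the matched-by listing shows the full set of buckets a given statement would reach.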
The request.ipv4.ipaddress and the request.vcn.id variables are deprecated. Instead of using these variables, create a network source to specify either an IP address range or a specific VCN ID. You can then use the network source in your policy to restrict access to only requests coming from the allowed networks. For more information, see Overview of Network Sources.
Details for Verb + Resource-Type Combinations
The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. For example, a group that can use a resource can also inspect and read that resource. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
For object-family Resource Types
objectstorage-namespaces
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
read | None | GetNamespace | none |
manage | OBJECTSTORAGE_NAMESPACE_READ OBJECTSTORAGE_NAMESPACE_UPDATE | | none |
buckets
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | BUCKET_INSPECT | | none |
read | INSPECT + BUCKET_READ | INSPECT + | none |
use | READ + BUCKET_UPDATE | READ + | PutObjectLifecyclePolicy |
manage | USE + BUCKET_CREATE BUCKET_DELETE PAR_MANAGE RETENTION_RULE_MANAGE RETENTION_RULE_LOCK (if using optional rule locking) | USE + | |
objects
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | OBJECT_INSPECT | | none |
read | INSPECT + OBJECT_READ | INSPECT + | none |
use | READ + OBJECT_OVERWRITE | READ + | READ + |
manage | USE + OBJECT_CREATE OBJECT_DELETE OBJECT_VERSION_DELETE OBJECT_RESTORE OBJECT_UPDATE_TIER | USE + | |
For data-transfer-jobs Resource Type
Policies for data transfer jobs also require either manage objects, or manage objects and manage buckets. See Creating the Required IAM Users, Groups, and Policies for details.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | TRANSFER_JOB_INSPECT | no customer-facing API | no customer-facing API |
read | INSPECT + TRANSFER_JOB_READ | INSPECT + no customer-facing API | no customer-facing API |
use | READ + TRANSFER_JOB_UPDATE | READ + no customer-facing API | READ + no customer-facing API |
manage | USE + TRANSFER_JOB_CREATE TRANSFER_JOB_DELETE | USE + no customer-facing API | USE + no customer-facing API |
Permissions Required for Each API Operation
The following table lists the API operations in a logical order, grouped by resource type.
For information about permissions, see Permissions.
API Operation | Permissions Required to Use the Operation |
---|---|
GetNamespace | API requires no permissions and returns the caller's namespace. Use the API to validate your credentials. OBJECTSTORAGE_NAMESPACE_READ permission is required if you include the optional |
GetNamespaceMetadata | OBJECTSTORAGE_NAMESPACE_READ |
UpdateNamespaceMetadata | OBJECTSTORAGE_NAMESPACE_UPDATE |
CreateBucket | BUCKET_CREATE |
UpdateBucket | BUCKET_UPDATE |
GetBucket | BUCKET_READ |
HeadBucket | BUCKET_INSPECT |
ListBuckets | BUCKET_INSPECT |
DeleteBucket | BUCKET_DELETE |
ReencryptBucket | BUCKET_UPDATE |
PutObject | The permission required depends on whether or not the object already exists in the bucket: |
RenameObject | OBJECT_CREATE and OBJECT_OVERWRITE |
GetObject | OBJECT_READ |
HeadObject | OBJECT_READ or OBJECT_INSPECT |
DeleteObject | OBJECT_DELETE |
DeleteObjectVersion | OBJECT_VERSION_DELETE |
ListObjects | OBJECT_INSPECT |
ReencryptObject | OBJECT_READ and OBJECT_OVERWRITE |
RestoreObjects | OBJECT_RESTORE |
UpdateObjectStorageTier | OBJECT_UPDATE_TIER |
CreateMultipartUpload | OBJECT_CREATE and OBJECT_OVERWRITE |
UploadPart | OBJECT_CREATE and OBJECT_OVERWRITE |
CommitMultipartUpload | OBJECT_CREATE and OBJECT_OVERWRITE |
ListMultipartUploadParts | OBJECT_INSPECT |
ListMultipartUploads | BUCKET_READ |
AbortMultipartUpload | OBJECT_DELETE |
CreatePreauthenticatedRequest | PAR_MANAGE |
GetPreauthenticatedRequest | PAR_MANAGE or BUCKET_READ |
ListPreauthenticatedRequests | PAR_MANAGE or BUCKET_READ |
DeletePreauthenticatedRequest | PAR_MANAGE |
PutObjectLifecyclePolicy | BUCKET_UPDATE, OBJECT_CREATE, and OBJECT_DELETE |
GetObjectLifecyclePolicy | BUCKET_READ |
DeleteObjectLifecyclePolicy | BUCKET_UPDATE |
CreateRetentionRule | BUCKET_UPDATE and RETENTION_RULE_MANAGE (and RETENTION_RULE_LOCK) |
GetRetentionRule | BUCKET_READ |
ListRetentionRule | BUCKET_READ |
UpdateRetentionRule | BUCKET_UPDATE and RETENTION_RULE_MANAGE (and RETENTION_RULE_LOCK) |
DeleteRetentionRule | BUCKET_UPDATE and RETENTION_RULE_MANAGE |
CreateCopyRequest | OBJECT_READ, OBJECT_CREATE, OBJECT_OVERWRITE, and OBJECT_INSPECT |
GetWorkRequest | OBJECT_READ |
ListWorkRequests | OBJECT_INSPECT |
CancelWorkRequest | OBJECT_DELETE |
CreateReplicationPolicy | OBJECT_READ, OBJECT_CREATE, OBJECT_OVERWRITE, OBJECT_INSPECT, OBJECT_DELETE, OBJECT_RESTORE, BUCKET_READ, and BUCKET_UPDATE |
GetReplicationPolicy | BUCKET_READ |
DeleteReplicationPolicy | OBJECT_READ, OBJECT_CREATE, OBJECT_OVERWRITE, OBJECT_INSPECT, OBJECT_DELETE, OBJECT_RESTORE, BUCKET_READ, and BUCKET_UPDATE |
ListReplicationPolicies | BUCKET_READ |
ListReplicationSources | BUCKET_READ |
MakeBucketWritable | OBJECT_READ, OBJECT_CREATE, OBJECT_OVERWRITE, OBJECT_INSPECT, OBJECT_DELETE, BUCKET_READ, and BUCKET_UPDATE |
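Added example (not from the page or the service's own tooling): a Python model of the verb tables and a subset of the operations table on this page. It expands object-family into its three individual resource-types, accumulates permissions from inspect up to manage exactly as the "+" cells describe, and checks whether a set of policy statements holds every permission an operation requires. It is useful for seeing why, for instance, "use buckets" only partially covers PutObjectLifecyclePolicy. The statement parser, the group and compartment names, and the chosen operations are illustrative assumptions; where-clause conditions are not modelled.

```python
import re
from typing import Dict, FrozenSet, List, Set

# Verb order; each verb grants everything the verbs before it grant (the page's "+" cells).
VERBS = ["inspect", "read", "use", "manage"]

# Incremental permissions per verb and resource type, transcribed from the page's verb tables.
INCREMENTAL: Dict[str, Dict[str, Set[str]]] = {
    "objectstorage-namespaces": {
        "inspect": set(), "read": set(), "use": set(),
        "manage": {"OBJECTSTORAGE_NAMESPACE_READ", "OBJECTSTORAGE_NAMESPACE_UPDATE"},
    },
    "buckets": {
        "inspect": {"BUCKET_INSPECT"}, "read": {"BUCKET_READ"}, "use": {"BUCKET_UPDATE"},
        # RETENTION_RULE_LOCK is listed on the page as applying when optional rule locking is used
        "manage": {"BUCKET_CREATE", "BUCKET_DELETE", "PAR_MANAGE",
                   "RETENTION_RULE_MANAGE", "RETENTION_RULE_LOCK"},
    },
    "objects": {
        "inspect": {"OBJECT_INSPECT"}, "read": {"OBJECT_READ"}, "use": {"OBJECT_OVERWRITE"},
        "manage": {"OBJECT_CREATE", "OBJECT_DELETE", "OBJECT_VERSION_DELETE",
                   "OBJECT_RESTORE", "OBJECT_UPDATE_TIER"},
    },
    "data-transfer-jobs": {
        "inspect": {"TRANSFER_JOB_INSPECT"}, "read": {"TRANSFER_JOB_READ"},
        "use": {"TRANSFER_JOB_UPDATE"}, "manage": {"TRANSFER_JOB_CREATE", "TRANSFER_JOB_DELETE"},
    },
}
# The aggregate type expands to one statement per individual type, as the page states.
OBJECT_FAMILY = ["objectstorage-namespaces", "buckets", "objects"]

# A subset of the page's operations table. Each entry lists alternative permission sets
# ("A or B" becomes two sets); holding any one complete set is enough.
REQUIRED: Dict[str, List[FrozenSet[str]]] = {
    "GetObject": [frozenset({"OBJECT_READ"})],
    "HeadObject": [frozenset({"OBJECT_READ"}), frozenset({"OBJECT_INSPECT"})],
    "DeleteObject": [frozenset({"OBJECT_DELETE"})],
    "ReencryptObject": [frozenset({"OBJECT_READ", "OBJECT_OVERWRITE"})],
    "CreateBucket": [frozenset({"BUCKET_CREATE"})],
    "GetPreauthenticatedRequest": [frozenset({"PAR_MANAGE"}), frozenset({"BUCKET_READ"})],
    "PutObjectLifecyclePolicy": [frozenset({"BUCKET_UPDATE", "OBJECT_CREATE", "OBJECT_DELETE"})],
}

# Assumed statement shape: "Allow group <G> to <verb> <resource-type> in compartment <C>"
STATEMENT_RE = re.compile(r"allow\s+.+?\s+to\s+(\w+)\s+([\w-]+)\s+in\s+.+", re.IGNORECASE)


def permissions_for(verb: str, resource_type: str) -> Set[str]:
    """Cumulative permissions for one verb: its own increment plus every lower verb's."""
    if verb not in VERBS:
        raise ValueError(f"unknown verb: {verb}")
    if resource_type == "object-family":
        return set().union(*(permissions_for(verb, rt) for rt in OBJECT_FAMILY))
    table = INCREMENTAL[resource_type]
    granted: Set[str] = set()
    for lower_or_equal in VERBS[: VERBS.index(verb) + 1]:
        granted |= table[lower_or_equal]
    return granted


def parse_statement(statement: str):
    """Pull (verb, resource-type) out of a statement; where-clauses are deliberately ignored."""
    m = STATEMENT_RE.fullmatch(statement.strip())
    if not m:
        raise ValueError(f"cannot parse statement: {statement!r}")
    return m.group(1).lower(), m.group(2).lower()


def granted_permissions(statements: List[str]) -> Set[str]:
    """Union of everything the statements grant, across all verbs and resource types."""
    perms: Set[str] = set()
    for s in statements:
        verb, resource_type = parse_statement(s)
        perms |= permissions_for(verb, resource_type)
    return perms


def is_allowed(operation: str, statements: List[str]) -> bool:
    """True when at least one of the operation's alternative permission sets is fully held."""
    perms = granted_permissions(statements)
    return any(alternative <= perms for alternative in REQUIRED[operation])


def missing_for(operation: str, statements: List[str]) -> Set[str]:
    """The smallest set of permissions still lacking; empty when the operation is allowed."""
    perms = granted_permissions(statements)
    return set(min((alt - perms for alt in REQUIRED[operation]), key=len))


if __name__ == "__main__":
    # Constructed policy statements for the demonstration (group and compartment names are made up)
    use_buckets = "Allow group LifecycleAdmins to use buckets in compartment Media"
    manage_objects = "Allow group LifecycleAdmins to manage objects in compartment Media"
    print(is_allowed("PutObjectLifecyclePolicy", [use_buckets]))
    print(missing_for("PutObjectLifecyclePolicy", [use_buckets]))
    print(is_allowed("PutObjectLifecyclePolicy", [use_buckets, manage_objects]))
```

The missing_for output is the part worth keeping in a review workflow: when a group reports an authorization failure, it names the exact permission gap, and the verb tables then tell you which single verb step closes it rather than reaching for manage object-family.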