A bucket is a globally unique namespace in TOS. It acts as a container for data and stores object data. Access control in TOS is implemented through IAM policies, bucket policies, and bucket and object ACLs. Bucket policies and ACLs are both resource-based access control mechanisms for TOS resources; compared with a bucket ACL, a bucket policy allows more flexible permission configuration. This topic describes how to set, get, and delete a bucket's authorization policy (Policy).
Note
Before setting a bucket policy, you must have the tos:PutBucketPolicy permission; see the permission configuration guide for details. A user who holds the tos:PutBucketPolicy permission can change the bucket policy at will and can use this permission to obtain any other permission, so configure it with care.
The following code sets a bucket policy.
// Import the SDK. If the TOS Node.js SDK version is lower than 2.5.2, change TosClient below to TOS.
import { TosClient, TosClientError, TosServerError } from '@volcengine/tos-sdk';

// Create the client.
const client = new TosClient({
  accessKeyId: process.env['TOS_ACCESS_KEY'],
  accessKeySecret: process.env['TOS_SECRET_KEY'],
  region: "Provide your region", // Region where the bucket is located. For North China 2 (Beijing), replace "Provide your region" with cn-beijing.
  endpoint: "Provide your endpoint", // Endpoint domain name.
});

function handleError(error) {
  if (error instanceof TosClientError) {
    console.log('Client Err Msg:', error.message);
    console.log('Client Err Stack:', error.stack);
  } else if (error instanceof TosServerError) {
    console.log('Request ID:', error.requestId);
    console.log('Response Status Code:', error.statusCode);
    console.log('Response Header:', error.headers);
    console.log('Response Err Code:', error.code);
    console.log('Response Err Msg:', error.message);
  } else {
    console.log('unexpected exception, message: ', error);
  }
}

const bucketName = 'node-sdk-test-bucket';

async function main() {
  try {
    const { requestId: putPolicyRequestId } = await client.putBucketPolicy({
      bucket: bucketName,
      policy: {
        Statement: [
          {
            Sid: 'internal public',
            Effect: 'Allow',
            // Action '*' for Principal '*' allows every operation on the bucket and its objects
            // to any caller; replace with the specific principals and actions you intend to allow.
            Action: ['*'],
            Principal: '*',
            Resource: [`trn:tos:::${bucketName}/*`, `trn:tos:::${bucketName}`],
          },
        ],
      },
    });
    console.log('putBucketPolicy Request ID: ', putPolicyRequestId);
  } catch (error) {
    handleError(error);
  }
}

main();
Note
Before getting a bucket policy, you must have the tos:GetBucketPolicy permission; see the permission configuration guide for details.
The following code gets a bucket policy.
// Import the SDK. If the TOS Node.js SDK version is lower than 2.5.2, change TosClient below to TOS.
import { TosClient, TosClientError, TosServerError } from '@volcengine/tos-sdk';

// Create the client.
const client = new TosClient({
  accessKeyId: process.env['TOS_ACCESS_KEY'],
  accessKeySecret: process.env['TOS_SECRET_KEY'],
  region: "Provide your region", // Region where the bucket is located. For North China 2 (Beijing), replace "Provide your region" with cn-beijing.
  endpoint: "Provide your endpoint", // Endpoint domain name.
});

function handleError(error) {
  if (error instanceof TosClientError) {
    console.log('Client Err Msg:', error.message);
    console.log('Client Err Stack:', error.stack);
  } else if (error instanceof TosServerError) {
    console.log('Request ID:', error.requestId);
    console.log('Response Status Code:', error.statusCode);
    console.log('Response Header:', error.headers);
    console.log('Response Err Code:', error.code);
    console.log('Response Err Msg:', error.message);
  } else {
    console.log('unexpected exception, message: ', error);
  }
}

const bucketName = 'node-sdk-test-bucket';

async function main() {
  try {
    // data holds the policy document currently attached to the bucket.
    const { data, requestId: getPolicyRequestId } = await client.getBucketPolicy(bucketName);
    console.log('getBucketPolicy Request ID: ', getPolicyRequestId);
    console.log('Policy: %o', data);
  } catch (error) {
    handleError(error);
  }
}

main();
Note
Before deleting a bucket policy, you must have the tos:DeleteBucketPolicy permission; see the permission configuration guide for details.
The following code deletes a bucket policy.
// Import the SDK. If the TOS Node.js SDK version is lower than 2.5.2, change TosClient below to TOS.
import { TosClient, TosClientError, TosServerError } from '@volcengine/tos-sdk';

// Create the client.
const client = new TosClient({
  accessKeyId: process.env['TOS_ACCESS_KEY'],
  accessKeySecret: process.env['TOS_SECRET_KEY'],
  region: "Provide your region", // Region where the bucket is located. For North China 2 (Beijing), replace "Provide your region" with cn-beijing.
  endpoint: "Provide your endpoint", // Endpoint domain name.
});

function handleError(error) {
  if (error instanceof TosClientError) {
    console.log('Client Err Msg:', error.message);
    console.log('Client Err Stack:', error.stack);
  } else if (error instanceof TosServerError) {
    console.log('Request ID:', error.requestId);
    console.log('Response Status Code:', error.statusCode);
    console.log('Response Header:', error.headers);
    console.log('Response Err Code:', error.code);
    console.log('Response Err Msg:', error.message);
  } else {
    console.log('unexpected exception, message: ', error);
  }
}

const bucketName = 'node-sdk-test-bucket';

async function main() {
  try {
    // Removes the policy document; access then falls back to IAM policies and ACLs.
    const { requestId: deletePolicyRequestId } = await client.deleteBucketPolicy(bucketName);
    console.log('deleteBucketPolicy Request ID: ', deletePolicyRequestId);
  } catch (error) {
    handleError(error);
  }
}

main();
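The note above warns that tos:PutBucketPolicy lets a grantee rewrite the policy and thereby obtain any other permission, and the sample policy it sets grants every action to every principal. The following is an added example, not code from the TOS SDK documentation: it audits a policy document for exactly those patterns before it is handed to putBucketPolicy, and the same audit can be run over the document returned by getBucketPolicy as a periodic check. The policy fields follow the shape used by the samples above; the rule names, the helper functions, the IAM principal TRN format and the account id placeholder are this example's own assumptions.

```javascript
// Added example (not part of the TOS SDK or its docs): pre-flight audit of a
// TOS bucket policy document. Rule names and helpers are assumptions of this example.

const ACTION_WILDCARDS = ['*', 'tos:*'];

// Coerce a scalar-or-array policy field into an array.
function asList(v) {
  if (v === undefined || v === null) return [];
  return Array.isArray(v) ? v : [v];
}

// Flatten Principal ('*', a string, an array, or an object of arrays) into strings.
function principalsOf(statement) {
  const p = statement.Principal;
  if (p === undefined || p === null) return [];
  if (typeof p === 'string' || Array.isArray(p)) return asList(p);
  return Object.values(p).flatMap(asList);
}

// Return findings ({ sid, rule, detail }); an empty array means nothing was flagged.
function auditBucketPolicy(policy, bucketName) {
  const findings = [];
  const statements = asList(policy && policy.Statement);
  if (statements.length === 0) {
    return [{ sid: null, rule: 'empty-policy', detail: 'policy contains no Statement' }];
  }
  statements.forEach((s, i) => {
    const sid = s.Sid || `statement[${i}]`;
    if (s.Effect !== 'Allow') return; // Deny statements only narrow access.
    const principals = principalsOf(s);
    const actions = asList(s.Action);
    const anyone = principals.includes('*');
    const anyAction = actions.some((a) => ACTION_WILDCARDS.includes(a));
    const conditioned = !!s.Condition && Object.keys(s.Condition).length > 0;

    // Rule 1: every principal gets every action, i.e. full public control of the bucket.
    if (anyone && anyAction) {
      findings.push({ sid, rule: 'public-full-control', detail: 'Principal * with wildcard Action' });
    } else if (anyone && !conditioned) {
      // Rule 2: an anonymous grant with no Condition block to narrow it.
      findings.push({ sid, rule: 'public-unconditional', detail: `Principal * may ${actions.join(', ')}` });
    }
    // Rule 3: whoever may rewrite the policy can grant themselves everything else.
    if (anyAction || actions.includes('tos:PutBucketPolicy')) {
      findings.push({ sid, rule: 'policy-write-grant', detail: `policy management for ${principals.join(', ')}` });
    }
    // Rule 4: every Resource must belong to the bucket being configured.
    for (const r of asList(s.Resource)) {
      if (r !== `trn:tos:::${bucketName}` && !r.startsWith(`trn:tos:::${bucketName}/`)) {
        findings.push({ sid, rule: 'foreign-resource', detail: r });
      }
    }
  });
  return findings;
}

// Findings that are not explicitly accepted by rule name.
function blockingFindings(policy, bucketName, acceptedRules = []) {
  return auditBucketPolicy(policy, bucketName).filter((f) => !acceptedRules.includes(f.rule));
}

// Apply the policy only when the audit is clean. `client` is anything exposing
// putBucketPolicy({ bucket, policy }), so the real TosClient or a test double works.
async function guardedPutBucketPolicy(client, bucketName, policy, acceptedRules = []) {
  const blocking = blockingFindings(policy, bucketName, acceptedRules);
  if (blocking.length > 0) {
    const err = new Error(`refusing to apply policy: ${blocking.map((f) => `${f.sid}:${f.rule}`).join('; ')}`);
    err.findings = blocking;
    throw err;
  }
  return client.putBucketPolicy({ bucket: bucketName, policy });
}

// The policy from the page's putBucketPolicy sample: every action for every principal.
const BUCKET = 'node-sdk-test-bucket';
const publicPolicy = {
  Statement: [{
    Sid: 'internal public', Effect: 'Allow', Action: ['*'], Principal: '*',
    Resource: [`trn:tos:::${BUCKET}/*`, `trn:tos:::${BUCKET}`],
  }],
};

// Constructed least-privilege alternative: one named IAM user, read-only actions.
// The principal TRN format and the account id are placeholders assumed for this example.
const readOnlyPolicy = {
  Statement: [{
    Sid: 'reader', Effect: 'Allow',
    Action: ['tos:GetObject', 'tos:ListBucket'],
    Principal: ['trn:iam::ACCOUNT_ID_PLACEHOLDER:user/reader'],
    Resource: [`trn:tos:::${BUCKET}/*`, `trn:tos:::${BUCKET}`],
  }],
};

console.log('public policy findings:', auditBucketPolicy(publicPolicy, BUCKET));
console.log('read-only policy findings:', auditBucketPolicy(readOnlyPolicy, BUCKET));
```

Call guardedPutBucketPolicy(client, bucketName, policy) in place of client.putBucketPolicy to make the check mandatory in deployment scripts; a finding that is intended (for example a conditioned public-read grant on a static website bucket) is passed by name in acceptedRules so the decision is recorded in code rather than silently skipped.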
For more information about bucket policies, see Bucket Authorization Policy Management.