适用于 Restic 腾讯云 COS 最小权限策略.
本策略只允许备份, 不允许删除备份 (但要注意恶意攻击者仍可把所有的备份文件替换为空文件).
变量:
$UID: 腾讯云 uid, 形如uid/1250000000$BUCKET: 存储桶名称, 形如examplebucket-1250000000$RESTIC_REPO_PREFIX: Restic 存储库前缀, 例如laptop-backup
Created
October 21, 2023 13:39
-
-
Save QuantumGhost/0a3bc3d1961b46d1c9cde7b078b9642b to your computer and use it in GitHub Desktop.
COS policy for restic with minimal permission.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "version": "2.0", | |
| "statement": [ | |
| { | |
| "effect": "allow", | |
| "action": [ | |
| "cos:HeadObject", | |
| "cos:GetBucket", | |
| "cos:GetObject", | |
| "cos:PutObject" | |
| ], | |
| "resource": [ | |
| "qcs::cos::$UID:$BUCKET/$RESTIC_REPO_PREFIX", | |
| "qcs::cos::$UID:$BUCKET/$RESTIC_REPO_PREFIX/*" | |
| ] | |
| }, | |
| { | |
| "effect": "allow", | |
| "action": [ | |
| "cos:DeleteObject" | |
| ], | |
| "resource": [ | |
| "qcs::cos::$UID:$BUCKET/$RESTIC_REPO_PREFIX/locks/*" | |
| ] | |
| }, | |
| { | |
| "effect": "allow", | |
| "action": [ | |
| "cos:HeadBucket", | |
| "cos:GetBucket", | |
| "cos:GetBucketLocation" | |
| ], | |
| "resource": [ | |
| "qcs::cos::$UID:$BUCKET" | |
| ] | |
| } | |
| ] | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment