A RAM policy is a user-based authorization policy that controls access to resources in your account. This topic describes how to use RAM policies to manage user permissions.
Background information
RAM policy syntax and structure
A RAM policy consists of a version number (Version) and one or more statements (Statement). Each statement contains an effect (Effect), an action (Action), a resource (Resource), and an optional condition (Condition). For more information about the syntax and structure of access policies, see Syntax and structure of an access policy.
In OSS, the application rules for Version, Statement, and Effect are the same as they are in RAM. For information about Action, Resource, and Condition, see the following topics:
Common OSS access policies
AliyunOSSFullAccess: Grants a Resource Access Management (RAM) user full management permissions for OSS.
AliyunOSSReadOnlyAccess: Grants a RAM user read-only access permissions for OSS.
OSS access control methods
For more information about the access control methods that OSS provides, see Overview of access control.
OSS Action classification
Actions are classified into service-level, bucket-level, and object-level operations.
Service-level

| API | Action | Description |
|---|---|---|
| | oss:ListBuckets | Lists all buckets that the requester owns. |
| | oss:ListUserDataRedundancyTransition | Lists all storage redundancy transition tasks of the requester. |
| None | oss:ActivateProduct | Activates OSS and Content Moderation. |
| None | oss:CreateOrder | Creates orders for OSS resource plans. |
| | oss:PutPublicAccessBlock | Enables Block Public Access for OSS at the global level. |
| | oss:GetPublicAccessBlock | Gets the configuration of Block Public Access for OSS at the global level. |
| | oss:DeletePublicAccessBlock | Deletes the configuration of Block Public Access for OSS at the global level. |
Bucket-level

| API | Action | Description |
|---|---|---|
| | oss:PutBucket | Creates a bucket. |
| | oss:ListObjects | Lists information about all objects in a bucket. |
| | oss:GetBucketInfo | Views information about a bucket. |
| | oss:GetBucketLocation | Views the location of a bucket. |
| | oss:GetBucketStat | Gets the storage capacity and number of objects in a bucket. |
| | oss:PutBucketVersioning | Sets the versioning state of a bucket. |
| | oss:GetBucketVersioning | Gets the versioning state of a bucket. |
| | oss:ListObjectVersions | Lists all versions of objects in a bucket, including delete markers. |
| | oss:PutBucketAcl | Sets or modifies the ACL of a bucket. |
| | oss:GetBucketAcl | Gets the ACL of a bucket. |
| | oss:DeleteBucket | Deletes a bucket. |
| | oss:InitiateBucketWorm | Creates a retention policy. |
| | oss:AbortBucketWorm | Deletes an unlocked retention policy. |
| | oss:CompleteBucketWorm | Locks a retention policy. |
| | oss:ExtendBucketWorm | Extends the retention period of objects in a bucket that has a locked retention policy. |
| | oss:GetBucketWorm | Gets information about a retention policy. |
| | oss:PutBucketLogging | Enables the log storage feature for a bucket. |
| | oss:PutObject | Sets the destination bucket for logs when you enable log storage for the source bucket. |
| | oss:GetBucketLogging | Views the log storage configuration of a bucket. |
| | oss:DeleteBucketLogging | Disables the log storage feature for a bucket. |
| | oss:PutBucketWebsite | Configures a bucket for static website hosting and sets its redirection rules (RoutingRule). |
| | oss:GetBucketWebsite | Views the static website hosting status and redirection rules of a bucket. |
| | oss:DeleteBucketWebsite | Disables static website hosting and the redirection rules for a bucket. |
| | oss:PutBucketReferer | Configures hotlink protection for a bucket. |
| | oss:GetBucketReferer | Views the hotlink protection (Referer) configuration of a bucket. |
| | oss:PutBucketLifecycle | Sets the lifecycle rule for a bucket. |
| | oss:GetBucketLifecycle | Views the lifecycle rule of a bucket. |
| | oss:DeleteBucketLifecycle | Deletes the lifecycle rule of a bucket. |
| | oss:PutBucketTransferAcceleration | Configures transfer acceleration for a bucket. |
| | oss:GetBucketTransferAcceleration | Views the transfer acceleration configuration of a bucket. |
| | oss:ListMultipartUploads | Lists all in-progress multipart uploads, that is, uploads that have been initiated but not yet completed or aborted. |
| | oss:PutBucketCors | Sets the cross-origin resource sharing (CORS) rule for a bucket. |
| | oss:GetBucketCors | Gets the current CORS rule of a bucket. |
| | oss:DeleteBucketCors | Disables the CORS feature for a bucket and clears all rules. |
| | oss:PutBucketPolicy | Sets the authorization policy for a bucket. |
| | oss:GetBucketPolicy | Gets the authorization policy of a bucket. |
| | oss:DeleteBucketPolicy | Deletes the authorization policy of a bucket. |
| | oss:PutBucketTagging | Adds or modifies the tags of a bucket. |
| | oss:GetBucketTagging | Gets the tags of a bucket. |
| | oss:DeleteBucketTagging | Deletes the tags of a bucket. |
| | oss:PutBucketEncryption | Configures the encryption rule for a bucket. |
| | oss:GetBucketEncryption | Gets the encryption rule of a bucket. |
| | oss:DeleteBucketEncryption | Deletes the encryption rule of a bucket. |
| | oss:PutBucketRequestPayment | Configures the pay-by-requester mode. |
| | oss:GetBucketRequestPayment | Gets the configuration of the pay-by-requester mode. |
| | oss:PutBucketReplication | Sets the data replication rule for a bucket. |
| | oss:ReplicateGet | Sets a cross-account data replication rule for a bucket or specifies the RAM role replication method. |
| | oss:PutBucketRTC | Enables or disables replication time control (RTC) for an existing cross-region replication rule. |
| | oss:GetBucketReplication | Gets the data replication rule of a bucket. |
| | oss:DeleteBucketReplication | Stops data replication for a bucket and deletes its replication configuration. |
| | oss:GetBucketReplicationLocation | Gets the region of the destination bucket for replication. |
| | oss:GetBucketReplicationProgress | Gets the data replication progress of a bucket. |
| | oss:PutBucketInventory | Configures an inventory rule for a bucket. |
| | oss:GetBucketInventory | Views a specified inventory task in a bucket. |
| | oss:GetBucketInventory | Gets all inventory tasks in a bucket in batches. |
| | oss:DeleteBucketInventory | Deletes a specified inventory task in a bucket. |
| | oss:PutBucketAccessMonitor | Configures the access tracking status of a bucket. |
| | oss:GetBucketAccessMonitor | Gets the access tracking status of a bucket. |
| | oss:OpenMetaQuery | Enables the metadata management feature for a bucket. |
| | oss:GetMetaQueryStatus | Gets the metadata index information of a bucket. |
| | oss:DoMetaQuery | Queries for objects that meet specified conditions and lists object information based on the specified fields and sorting order. |
| | oss:CloseMetaQuery | Disables the metadata management feature for a bucket. |
| | oss:InitUserAntiDDosInfo | Creates an Anti-DDoS for OSS instance. |
| | oss:UpdateUserAntiDDosInfo | Changes the status of an Anti-DDoS for OSS instance. |
| | oss:GetUserAntiDDosInfo | Queries for information about Anti-DDoS for OSS instances under a specified account. |
| | oss:InitBucketAntiDDosInfo | Initializes protection for a bucket. |
| | oss:UpdateBucketAntiDDosInfo | Updates the protection status of a bucket. |
| | oss:ListBucketAntiDDosInfo | Gets a list of bucket protection information. |
| | oss:PutBucketResourceGroup | Sets the resource group to which a bucket belongs. |
| | oss:GetBucketResourceGroup | Queries the ID of the resource group to which a bucket belongs. |
| | oss:CreateCnameToken | Creates a CnameToken required for domain name ownership verification. |
| | oss:GetCnameToken | Gets a created CnameToken. |
| | oss:PutCname | Attaches a custom domain name to a bucket. |
| | yundun-cert:DescribeSSLCertificatePrivateKey, yundun-cert:DescribeSSLCertificatePublicKeyDetail, yundun-cert:CreateSSLCertificate | Attaches a certificate when you attach a custom domain name to a bucket. |
| | oss:ListCname | Gets a list of all custom domain names (Cnames) attached to a bucket. |
| | oss:DeleteCname | Deletes a Cname that is attached to a bucket. |
| | oss:PutStyle | Sets an image style. |
| | oss:GetStyle | Gets an image style. |
| | oss:ListStyle | Lists image styles. |
| | oss:DeleteStyle | Deletes an image style. |
| | oss:PutBucketArchiveDirectRead | Enables or disables real-time access of Archive objects for a bucket. |
| | oss:GetBucketArchiveDirectRead | Checks whether real-time access of Archive objects is enabled for a bucket. |
| | oss:CreateAccessPoint | Creates an access point. |
| | oss:GetAccessPoint | Gets information about a single access point. |
| | oss:DeleteAccessPoint | Deletes an access point. |
| | oss:ListAccessPoints | Gets information about user-level and bucket-level access points. |
| | oss:PutAccessPointPolicy | Configures an access point policy. |
| | oss:GetAccessPointPolicy | Gets information about an access point policy. |
| | oss:DeleteAccessPointPolicy | Deletes an access point policy. |
| | oss:PutBucketHttpsConfig | Enables or disables TLS version settings for a bucket. |
| | oss:GetBucketHttpsConfig | Views the TLS version settings of a bucket. |
| None | oss:ReplicateList | The list permission involved in the replication process. It allows OSS to list the historical data of the source bucket and then replicate it object by object. |
| | oss:CreateAccessPointForObjectProcess | Creates an Object FC access point. |
| | oss:GetAccessPointForObjectProcess | Gets basic information about an Object FC access point. |
| | oss:DeleteAccessPointForObjectProcess | Deletes an Object FC access point. |
| | oss:ListAccessPointsForObjectProcess | Gets information about user-level Object FC access points. |
| | oss:PutAccessPointConfigForObjectProcess | Modifies the configuration of an Object FC access point. |
| | oss:GetAccessPointConfigForObjectProcess | Gets the configuration information of an Object FC access point. |
| | oss:PutAccessPointPolicyForObjectProcess | Configures an access policy for an Object FC access point. |
| | oss:GetAccessPointPolicyForObjectProcess | Gets the access policy configuration of an Object FC access point. |
| | oss:DeleteAccessPointPolicyForObjectProcess | Deletes the access policy of an Object FC access point. |
| | oss:WriteGetObjectResponse | Customizes the returned data and response headers. |
| | oss:CreateBucketDataRedundancyTransition | Creates a storage redundancy transition task. |
| | oss:GetBucketDataRedundancyTransition | Gets a storage redundancy transition task. |
| | oss:DeleteBucketDataRedundancyTransition | Deletes a storage redundancy transition task. |
| | oss:ListBucketDataRedundancyTransition | Lists all storage redundancy transition tasks under a bucket. |
| | oss:PutBucketPublicAccessBlock | Enables Block Public Access for a bucket. |
| | oss:GetBucketPublicAccessBlock | Gets the Block Public Access configuration of a bucket. |
| | oss:DeleteBucketPublicAccessBlock | Deletes the Block Public Access configuration of a bucket. |
| | oss:PutAccessPointPublicAccessBlock | Enables Block Public Access for an access point. |
| | oss:GetAccessPointPublicAccessBlock | Gets the Block Public Access configuration of an access point. |
| | oss:DeleteAccessPointPublicAccessBlock | Deletes the Block Public Access configuration of an access point. |
| | oss:GetBucketPolicyStatus | Checks whether the current bucket policy allows public access. |
| PutBucketOverwriteConfig | oss:PutBucketOverwriteConfig | Sets the prevent-overwrite configuration for a bucket. |
| GetBucketOverwriteConfig | oss:GetBucketOverwriteConfig | Gets the prevent-overwrite configuration of a bucket. |
| DeleteBucketOverwriteConfig | oss:DeleteBucketOverwriteConfig | Deletes the prevent-overwrite configuration of a bucket. |
Object-level

| API | Action | Description |
|---|---|---|
| | oss:PutObject | Uploads an object. |
| | oss:PutObjectTagging | Specifies the tags of an object using x-oss-tagging when uploading the object. |
| | kms:GenerateDataKey, kms:Decrypt | Specifies that the metadata of an object contains X-Oss-Server-Side-Encryption: KMS when uploading the object. |
| | oss:PutObject | Uploads an object to a specified bucket using an HTML form. |
| | oss:PutObject | Uploads an object using an append upload. |
| | oss:PutObjectTagging | Specifies the tags of an object using x-oss-tagging when uploading the object using an append upload. |
| | oss:PutObject | Initializes a multipart upload task. |
| | oss:PutObjectTagging | Specifies the tags of an object using x-oss-tagging when initializing a multipart upload task. |
| | kms:GenerateDataKey, kms:Decrypt | Specifies that the metadata of an object contains X-Oss-Server-Side-Encryption: KMS when initializing a multipart upload task. |
| | oss:PutObject | Uploads data in parts based on the specified object name and uploadId. |
| | oss:PutObject | After all data parts are uploaded, call this API to complete the multipart upload of the entire object. |
| | oss:PutObjectTagging | After all data parts are uploaded, call this API to complete the multipart upload of the entire object and specify the object tags. |
| | oss:AbortMultipartUpload | Cancels a multipart upload event and deletes the corresponding part data. |
| | oss:PutObject | Creates a symbolic link for a target object in OSS. |
| | oss:PutObjectTagging | Creates a symbolic link with specified object tags for a target object in OSS. |
| | oss:GetObject | Gets an object. |
| | kms:Decrypt | Downloads an object encrypted with a specified KMS key. |
| | oss:GetObjectVersion | Downloads a specified version of an object. |
| | oss:GetObject | Gets the metadata of an object. |
| | oss:GetObject | Gets the metadata of an object, including its ETag, Size, and LastModified information. |
| | oss:GetObject | Executes an SQL statement on a target file and returns the result. |
| | oss:GetObject | Gets the symbolic link of a target file. |
| | oss:DeleteObject | Deletes an object. |
| | oss:DeleteObjectVersion | Deletes a specified version of an object. |
| | oss:DeleteObject | Deletes multiple objects from the same bucket. |
| | oss:GetObject, oss:PutObject | Copies an object between buckets in the same region. The buckets can be the same or different. |
| | oss:GetObjectVersion | Copies a specified version of an object between buckets in the same region. The buckets can be the same or different. |
| | oss:GetObjectTagging, oss:PutObjectTagging | Copies an object with specified tags between buckets in the same region. The buckets can be the same or different. |
| | kms:GenerateDataKey, kms:Decrypt | Specifies that the metadata of the destination object contains X-Oss-Server-Side-Encryption: KMS when copying an object. |
| | oss:GetObjectVersionTagging | Copies a specified version of an object with specified tags between buckets in the same region. The buckets can be the same or different. |
| | oss:GetObject, oss:PutObject | Calls the UploadPartCopy API by adding the x-oss-copy-source request header to an UploadPart request. This copies data from an existing object to upload a part. |
| | oss:GetObjectVersion | Calls the UploadPartCopy API by adding the x-oss-copy-source request header to an UploadPart request. This copies data from a specified version of an existing object to upload a part. |
| | oss:ListParts | Lists all successfully uploaded parts that belong to a specified Upload ID. |
| | oss:PutObjectAcl | Modifies the ACL of an object in a bucket. |
| | oss:PutObjectVersionAcl | Modifies the ACL of a specified version of an object in a bucket. |
| | oss:GetObjectAcl | Gets the ACL of an object in a bucket. |
| | oss:GetObjectVersionAcl | Gets the ACL of a specified version of an object in a bucket. |
| | oss:RestoreObject | Restores an object of the Archive Storage, Cold Archive, or Deep Cold Archive storage class. |
| | oss:RestoreObjectVersion | Restores a specified version of an object of the Archive Storage, Cold Archive, or Deep Cold Archive storage class. |
| | oss:PutObjectTagging | Sets or updates the tags of an object. |
| | oss:PutObjectVersionTagging | Sets or updates the tags of a specified version of an object. |
| | oss:GetObjectTagging | Gets the tags of an object. |
| | oss:GetObjectVersionTagging | Gets the tags of a specified version of an object. |
| | oss:DeleteObjectTagging | Deletes the tags of a specified object. |
| | oss:DeleteObjectVersionTagging | Deletes the tags of a specified version of an object. |
| | oss:PutLiveChannel | Creates a LiveChannel. You must call this API before you upload audio and video data using RTMP. |
| | oss:ListLiveChannel | Lists specified LiveChannels. |
| | oss:DeleteLiveChannel | Deletes a specified LiveChannel. |
| | oss:PutLiveChannelStatus | Switches a LiveChannel between the enabled and disabled states. |
| | oss:GetLiveChannel | Gets the configuration information of a specified LiveChannel. |
| | oss:GetLiveChannelStat | Gets the stream ingest status of a specified LiveChannel. |
| | oss:GetLiveChannelHistory | Gets the stream ingest records of a specified LiveChannel. |
| | oss:PostVodPlaylist | Generates a video-on-demand playlist for a specified LiveChannel. |
| | oss:GetVodPlaylist | Views the playlist generated from stream ingest to a specified LiveChannel within a specified time range. |
| None | oss:PublishRtmpStream | Pushes audio and video data streams to RTMP. |
| None | oss:ProcessImm | The permission to use IMM for data processing through OSS. |
| | oss:GetObject | The permission to use IMM for data processing through a POST request. |
| | oss:PutObject | The permission to use IMM for Saveas data processing. |
| | oss:PostProcessTask | Saves the processed image to a specified bucket. |
| | imm:CreateOfficeConversionTask | The permission to use IMM for document conversion or snapshots. |
| | imm:GenerateWebofficeToken | Used to obtain Weboffice credentials. |
| | imm:RefreshWebofficeToken | Used to refresh Weboffice credentials. |
| None | oss:ReplicateGet | The read permission involved in the replication process. It allows OSS to read data and metadata from the source and destination buckets, including objects, parts, and multipart uploads. |
| None | oss:ReplicatePut | The write permission involved in the replication process. It allows OSS to perform replication-related write operations on the destination bucket, including writing objects, multipart uploads, parts, and symbolic links, and modifying metadata. |
| None | oss:ReplicateDelete | The delete permission involved in the replication process. It allows OSS to perform replication-related delete operations on the destination bucket, including DeleteObject, AbortMultipartUpload, and DeleteMarker. Important: Grant this action to the RAM role only when the data replication method is set to Sync Create/Delete/Update. |
Resource pool QoS

| API | Action | Description |
|---|---|---|
| | oss:PutBucketQoSInfo | Sets throttling for a bucket in a resource pool. |
| | oss:GetBucketQoSInfo | Gets the throttling configuration of a bucket in a resource pool. |
| | oss:DeleteBucketQoSInfo | Deletes the throttling configuration of a specified bucket in a resource pool. |
| | oss:PutBucketRequesterQoSInfo | Sets bucket-level throttling for a requester. |
| | oss:GetBucketRequesterQoSInfo | Gets the bucket-level throttling configuration for a specified requester. |
| | oss:ListBucketRequesterQoSInfo | Gets the bucket-level throttling configurations for all requesters. |
| | oss:DeleteBucketRequesterQoSInfo | Deletes the throttling configuration of a requester for a bucket. |
| | oss:ListResourcePools | Gets information about all resource pools under the current account. |
| | oss:GetResourcePoolInfo | Gets the throttling configuration of a specified resource pool. |
| | oss:ListResourcePoolBuckets | Gets a list of buckets contained in a specified resource pool. |
| | oss:PutResourcePoolRequesterQoSInfo | Configures throttling for a requester of a resource pool. |
| | oss:GetResourcePoolRequesterQoSInfo | Gets the throttling configuration of a specified requester in a resource pool. |
| | oss:ListResourcePoolRequesterQoSInfos | Gets the throttling configurations of all requesters in a resource pool. |
| | oss:DeleteResourcePoolRequesterQoSInfo | Deletes the throttling configuration of a specified requester in a resource pool. |
Vector buckets

| API | Action | Description |
|---|---|---|
| | oss:PutVectorBucket | Creates a vector bucket. |
| | oss:GetVectorBucket | Gets the details of a vector bucket. |
| | oss:ListVectorBuckets | Lists all vector buckets owned by the requester. |
| | oss:DeleteVectorBucket | Deletes a vector bucket. |
| | oss:PutBucketLogging | Enables the log storage feature for a vector bucket. |
| | oss:PutObject | Sets the destination bucket for logs when you enable log storage for the source vector bucket. |
| | oss:GetBucketLogging | Views the log storage configuration of a vector bucket. |
| | oss:DeleteBucketLogging | Disables the log storage feature for a vector bucket. |
| | oss:PutBucketPolicy | Sets the authorization policy for a specified vector bucket. |
| | oss:GetBucketPolicy | Gets the authorization policy of a specified vector bucket. |
| | oss:DeleteBucketPolicy | Deletes the authorization policy of a specified vector bucket. |
| | oss:PutVectorIndex | Creates a vector index. |
| | oss:GetVectorIndex | Gets the details of a vector index. |
| | oss:ListVectorIndexes | Lists all vector indexes in a vector bucket. |
| | oss:DeleteVectorIndex | Deletes a vector index. |
| | oss:PutVectors | Writes vector data. |
| | oss:GetVectors | Gets specified vector data. |
| | oss:ListVectors | Lists all vector data in a vector index. |
| | oss:QueryVectors | Performs a vector similarity search. |
| | oss:DeleteVectors | Deletes specified vector data from a vector index. |
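As an added example (not part of the OSS documentation and not Alibaba Cloud code), the following Python script audits a RAM policy document against the action classification above. It flags wildcard action and resource grants, Allow statements that grant actions which change access control (ACLs, bucket policies, Block Public Access, WORM retention, bucket deletion), noting whether a Condition narrows them, and the common mismatch of granting an object-level action such as oss:GetObject on a resource that names no object path, or a bucket-level action such as oss:ListObjects on a resource that names only objects. The action sets are a representative subset of the tables above, the audited policy is constructed, and the resource format acs:oss:{region}:{owner}:{bucket}[/{object}] is assumed here rather than taken from this page.

```python
import re

# Added example, not Alibaba Cloud code: audit a RAM policy document against the OSS
# action classification. Action sets are a representative subset of the tables;
# the resource format acs:oss:{region}:{owner}:{bucket}[/{object}] is assumed here.

SERVICE_LEVEL = {"oss:ListBuckets", "oss:PutPublicAccessBlock", "oss:GetPublicAccessBlock",
                 "oss:DeletePublicAccessBlock"}
BUCKET_LEVEL = {"oss:PutBucket", "oss:DeleteBucket", "oss:ListObjects", "oss:ListMultipartUploads",
                "oss:PutBucketAcl", "oss:GetBucketAcl", "oss:PutBucketPolicy", "oss:GetBucketPolicy",
                "oss:DeleteBucketPolicy", "oss:PutBucketLogging", "oss:AbortBucketWorm",
                "oss:PutBucketPublicAccessBlock", "oss:DeleteBucketPublicAccessBlock"}
OBJECT_LEVEL = {"oss:GetObject", "oss:PutObject", "oss:DeleteObject", "oss:PutObjectAcl",
                "oss:GetObjectAcl", "oss:AbortMultipartUpload", "oss:ListParts",
                "oss:PutObjectTagging", "oss:RestoreObject"}
ALL_ACTIONS = SERVICE_LEVEL | BUCKET_LEVEL | OBJECT_LEVEL
# Actions that widen who can reach data or remove a guardrail (ACLs, bucket policies,
# Block Public Access, WORM retention, bucket deletion).
SENSITIVE = {"oss:PutBucketAcl", "oss:PutObjectAcl", "oss:PutBucketPolicy", "oss:DeleteBucketPolicy",
             "oss:DeleteBucket", "oss:AbortBucketWorm", "oss:DeletePublicAccessBlock",
             "oss:DeleteBucketPublicAccessBlock"}

RESOURCE_RE = re.compile(r"^acs:oss:[^:]*:[^:]*:([^/]*)(/.*)?$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def wildcard_match(pattern, value):
    """RAM-style matching: '*' is the only wildcard and spans any characters, '/' included."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def resource_level(resource):
    """Classify a Resource entry as 'bucket', 'object', 'any' (reaches both) or 'unknown'."""
    if resource == "*":
        return "any"
    m = RESOURCE_RE.match(resource)
    if m is None:
        return "unknown"
    bucket, obj = m.groups()
    if obj is not None:
        return "object"
    return "any" if "*" in bucket else "bucket"  # a '*' in the bucket segment spans '/' too


def audit(policy):
    """Return (statement index, finding code, detail) tuples for the Allow statements."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement can only narrow access
        patterns = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        levels = {resource_level(r) for r in resources}
        granted = {a for a in ALL_ACTIONS if any(wildcard_match(p, a) for p in patterns)}
        if any(p in ("*", "oss:*") for p in patterns):
            findings.append((i, "WILDCARD_ACTION", "grants every OSS action"))
        if any(r == "*" or r.endswith(":*") for r in resources):
            findings.append((i, "WILDCARD_RESOURCE", "applies to every bucket and object"))
        suffix = "" if stmt.get("Condition") else ", no Condition"
        for action in sorted(granted & SENSITIVE):
            findings.append((i, "SENSITIVE_ACTION", f"{action} changes access control{suffix}"))
        for action in sorted(granted - SERVICE_LEVEL):
            needed = "object" if action in OBJECT_LEVEL else "bucket"
            if needed not in levels and "any" not in levels:
                findings.append((i, "LEVEL_MISMATCH",
                                 f"{action} is {needed}-level but no Resource names a {needed}"))
    return findings


# Constructed policy for the audit (not a policy from the documentation).
EXAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {   # object-level GetObject with only a bucket resource: the grant does not reach objects
            "Effect": "Allow", "Action": ["oss:GetObject", "oss:ListObjects"],
            "Resource": "acs:oss:*:*:example-bucket"},
        {   # every action on every resource
            "Effect": "Allow", "Action": "oss:*", "Resource": "*"},
        {   # sensitive but scoped to one bucket and gated on MFA: still reported
            "Effect": "Allow", "Action": "oss:PutBucketAcl",
            "Resource": "acs:oss:*:*:example-bucket",
            "Condition": {"Bool": {"acs:MFAPresent": "true"}}},
        {   # Deny statements are skipped by the audit
            "Effect": "Deny", "Action": "oss:DeleteBucket", "Resource": "*"},
    ],
}
```

Running audit(EXAMPLE_POLICY) reports a LEVEL_MISMATCH for oss:GetObject in statement 0, WILDCARD_ACTION, WILDCARD_RESOURCE and one unconditioned SENSITIVE_ACTION per sensitive action in statement 1, and a conditioned SENSITIVE_ACTION for statement 2; the Deny statement produces nothing.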
OSS Resource specification
In OSS, a Resource specifies one or more resources and supports the asterisk (*) wildcard character. A single RAM policy can contain multiple resources.
Buckets

| Classification | Format | Example |
|---|---|---|
| Bucket-level | | |
| Object-level | | |
| Resource pool-level | | |

Vector buckets

| Resource level | Format | Example |
|---|---|---|
| All vector resources | | |
| Vector bucket | | |
| Vector index | | |
| Vector data | | |
The region field currently supports only the asterisk (*) wildcard character.
OSS Condition specification
An OSS Condition specifies the conditions that must be met for an authorization to take effect. It consists of a condition operator type, a condition key, and a condition value.
The condition operator types and condition keys for an OSS Condition are as follows:
Condition operator types

| Condition operator type | Supported operators |
|---|---|
| String | StringEquals, StringNotEquals, StringEqualsIgnoreCase, StringNotEqualsIgnoreCase, StringLike, StringNotLike |
| Numeric | NumericEquals, NumericNotEquals, NumericLessThan, NumericLessThanEquals, NumericGreaterThan, NumericGreaterThanEquals |
| Date and time | DateEquals, DateNotEquals, DateLessThan, DateLessThanEquals, DateGreaterThan, DateGreaterThanEquals |
| Boolean | Bool |
| IP address | IpAddress, NotIpAddress, IpAddressIncludeBorder |
Condition keys

| Condition key | Description |
|---|---|
| acs:SourceIp | Specifies an IP CIDR block. The asterisk (*) wildcard character is supported. |
| acs:SourceVpc | Specifies a VPC. You can set this to a specific VPC ID or to vpc-*. Important: When you use acs:SourceVpc to restrict access based on the source VPC, make sure that the region of the selected VPC is one in which OSS gateway endpoints are supported. Otherwise, the authentication request cannot be associated with the corresponding VPC and authentication fails. For the regions in which OSS gateway endpoints are supported, see Regions that support OSS gateway endpoints. |
| acs:UserAgent | Specifies the HTTP User-Agent header. Type: string. |
| acs:CurrentTime | The time at which the request arrives at the OSS server. Format: ISO 8601. |
| acs:SecureTransport | The protocol type of the request. Valid values: true (allows only HTTPS requests) and false (allows only HTTP requests). If acs:SecureTransport is not set, both HTTP and HTTPS requests are allowed. |
| oss:x-oss-acl | Restricts the bucket ACL type. Valid values: private, public-read, and public-read-write (allows public read and write access). For more information, see Bucket ACL. |
| oss:x-oss-object-acl | Restricts the object ACL type. Valid values: private (the object is private), public-read, public-read-write (all users have read and write permissions), and default (inherits the bucket ACL). For more information, see Object ACL. |
| oss:Prefix | Used in a ListObjects request to list objects with a specified prefix. |
| oss:Delimiter | The character used to group object names in a ListObjects request. |
| acs:AccessId | The AccessId included in the request. |
| oss:BucketTag | Bucket tag. A single bucket tag can be used as a condition. To specify multiple bucket tags, add the oss:BucketTag/ prefix to each tag to form multiple conditions. |
| acs:MFAPresent | Specifies whether multi-factor authentication (MFA) is enabled. Valid values: true (MFA is enabled) and false (MFA is not enabled). |
| oss:ExistingObjectTag | The existing tags of the requested object. A single object tag can be used as a condition. To specify multiple object tags, add the oss:ExistingObjectTag/ prefix to each tag. This applies mainly to APIs that read objects, such as GetObject and HeadObject, and to object tagging APIs, such as PutObjectTagging and GetObjectTagging. |
| oss:RequestObjectTag | The object tags included in the request. A single object tag can be used as a condition. To specify multiple object tags, add the oss:RequestObjectTag/ prefix to each tag. This applies mainly to APIs that write objects, such as PutObject and PostObject, and to object tagging APIs, such as PutObjectTagging and GetObjectTagging. |
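As an added example (not code from the OSS documentation or from Alibaba Cloud), the following Python module ties the Version/Statement/Effect/Action/Resource/Condition structure described at the start of this topic to the condition operators and keys above. It evaluates constructed requests against a two-statement policy: an Allow for reads, writes and listing under one prefix of one bucket, conditioned on acs:SourceIp and acs:SecureTransport, and an explicit Deny for any upload whose oss:x-oss-object-acl is public, which wins over the Allow. It goes slightly beyond the page by implementing a generic subset of each operator family (String, Numeric, Date, Bool, IP address). The policy, CIDR block, request contexts and object keys are constructed; the resource format acs:oss:{region}:{owner}:{bucket}[/{object}] is assumed here; and a condition key absent from the request is treated as not satisfied, which is a simplification of the real evaluation rules.

```python
import ipaddress
import re
from datetime import datetime

# Added example, not Alibaba Cloud code: a simplified evaluator for the Effect/Action/
# Resource/Condition model of a RAM policy. Policy, CIDR block and requests are
# constructed; the resource format acs:oss:{region}:{owner}:{bucket}[/{object}] is assumed.

POLICY = {
    "Version": "1",
    "Statement": [
        {   # read, write and list under one prefix, only over HTTPS and from one CIDR block
            "Effect": "Allow",
            "Action": ["oss:GetObject", "oss:PutObject", "oss:ListObjects"],
            "Resource": ["acs:oss:*:*:example-bucket", "acs:oss:*:*:example-bucket/reports/*"],
            "Condition": {"IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]},
                          "Bool": {"acs:SecureTransport": "true"}},
        },
        {   # explicit Deny: no upload may set a public object ACL, whatever else allows it
            "Effect": "Deny",
            "Action": "oss:PutObject",
            "Resource": "acs:oss:*:*:example-bucket/*",
            "Condition": {"StringEquals": {"oss:x-oss-object-acl": ["public-read", "public-read-write"]}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def wildcard_match(pattern, value):
    """'*' is the only wildcard and spans any characters, '/' included."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def _ip_in(value, ranges):
    return any(ipaddress.ip_address(value) in ipaddress.ip_network(r, strict=False) for r in ranges)


def _dt(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))  # ISO 8601, as acs:CurrentTime uses


# One implementation per operator family from the table above (a subset of each family).
OPERATORS = {
    "StringEquals": lambda v, vals: v in vals,
    "StringNotEquals": lambda v, vals: v not in vals,
    "StringLike": lambda v, vals: any(wildcard_match(p, v) for p in vals),
    "NumericLessThan": lambda v, vals: any(float(v) < float(x) for x in vals),
    "DateLessThan": lambda v, vals: any(_dt(v) < _dt(x) for x in vals),
    "Bool": lambda v, vals: str(v).lower() in [str(x).lower() for x in vals],
    "IpAddress": _ip_in,
    "NotIpAddress": lambda v, vals: not _ip_in(v, vals),
}


def statement_matches(stmt, request):
    """True when the action, one resource and every condition key of the statement match."""
    if not any(wildcard_match(p, request["action"]) for p in _as_list(stmt["Action"])):
        return False
    if not any(wildcard_match(p, request["resource"]) for p in _as_list(stmt["Resource"])):
        return False
    context = request["context"]
    for operator, keys in stmt.get("Condition", {}).items():
        for key, wanted in keys.items():
            # Simplification: a key absent from the request never satisfies the condition.
            if key not in context or not OPERATORS[operator](context[key], _as_list(wanted)):
                return False
    return True


def evaluate(policy, request):
    """An explicit Deny beats any Allow; no matching statement is an implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if statement_matches(stmt, request):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def make_request(action, resource, source_ip="203.0.113.7", https=True, extra=None):
    """Build a constructed request with the condition-key context OSS would see."""
    context = {"acs:SourceIp": source_ip, "acs:SecureTransport": "true" if https else "false"}
    context.update(extra or {})
    return {"action": action, "resource": resource, "context": context}


BUCKET = "acs:oss:*:*:example-bucket"
OBJ = BUCKET + "/reports/q1.csv"


def demo():
    """Decisions for constructed requests, keyed by a short label."""
    return {
        "get_https": evaluate(POLICY, make_request("oss:GetObject", OBJ)),
        "get_http": evaluate(POLICY, make_request("oss:GetObject", OBJ, https=False)),
        "get_other_ip": evaluate(POLICY, make_request("oss:GetObject", OBJ, source_ip="198.51.100.5")),
        "get_outside_prefix": evaluate(POLICY, make_request("oss:GetObject", BUCKET + "/logs/a.txt")),
        "list_bucket": evaluate(POLICY, make_request("oss:ListObjects", BUCKET)),
        "put_private": evaluate(POLICY, make_request("oss:PutObject", OBJ, extra={"oss:x-oss-object-acl": "private"})),
        "put_public": evaluate(POLICY, make_request("oss:PutObject", OBJ, extra={"oss:x-oss-object-acl": "public-read"})),
        "delete": evaluate(POLICY, make_request("oss:DeleteObject", OBJ)),
    }
```

Two points the decisions make visible: the Allow statement needs both the bucket resource (for oss:ListObjects) and the object path resource (for oss:GetObject and oss:PutObject), because a pattern that ends at the bucket name does not match object paths; and the Deny statement is reached only when the request carries oss:x-oss-object-acl with a public value, so an upload with a private ACL (or none) still falls through to the Allow.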