Resource Access Management (RAM) is the access control service provided by Alibaba Cloud. You configure RAM policies according to the responsibilities of each user, whether that user is an employee, a system, or an application, to control which resources the user can access. For example, you can create a RAM policy that grants a user read-only permissions on a bucket.

Notice
  • Operations related to RAM policy are complex. We recommend that you configure Bucket policy to control access by using the graphical interface of the console.
  • If you use RAM policies, we recommend that you use RAM Policy Editor to generate required RAM policies. For more information, see RAM Policy Editor.

Policy examples

  • Policy to grant full permissions

    A policy that grants full permissions allows applications to perform all operations on OSS.

    Warning For security reasons, we recommend that you do not use a policy that grants full permissions for mobile apps.
    {
      "Statement": [
        {
          "Action": [
            "oss:*"
          ],
          "Effect": "Allow",
          "Resource": ["acs:oss:*:*:*"]
        }
      ],
      "Version": "1"
    }
    Operations on OSS | Result
    List all created buckets | Successful
    Upload an object whose name does not contain a prefix. Example: test.txt | Successful
    Download an object whose name does not contain a prefix. Example: test.txt | Successful
    Upload an object whose name contains a specified prefix. Example: user1/test.txt | Successful
    Download an object whose name contains a specified prefix. Example: user1/test.txt | Successful
    List objects whose names do not contain prefixes. Example: test.txt | Successful
    List objects whose names contain a specified prefix. Example: user1/test.txt | Successful
  • Read-only policy for all objects

    This policy is used to list and download all objects in a bucket such as app-base-oss.

    {
      "Statement": [
        {
          "Action": [
            "oss:GetObject",
            "oss:ListObjects"
          ],
          "Effect": "Allow",
          "Resource": ["acs:oss:*:*:app-base-oss/*", "acs:oss:*:*:app-base-oss"]
        }
      ],
      "Version": "1"
    }
    Operations on OSS | Result
    List all created buckets | Failed
    Upload an object whose name does not contain a prefix. Example: test.txt | Failed
    Download an object whose name does not contain a prefix. Example: test.txt | Successful
    Upload an object whose name contains a specified prefix. Example: user1/test.txt | Failed
    Download an object whose name contains a specified prefix. Example: user1/test.txt | Successful
    List objects whose names do not contain prefixes. Example: test.txt | Successful
    List objects whose names contain a specified prefix. Example: user1/test.txt | Successful
  • Read-only policy for objects whose names contain a specified prefix

    This policy is used to list and download objects whose names contain the user1/ prefix from a bucket such as app-base-oss. You can use this policy to configure object prefixes for different applications. This method allows access to the resources in a bucket to be isolated.

    {
      "Statement": [
        {
          "Action": [
            "oss:GetObject",
            "oss:ListObjects"
          ],
          "Effect": "Allow",
          "Resource": ["acs:oss:*:*:app-base-oss/user1/*", "acs:oss:*:*:app-base-oss"]
        }
      ],
      "Version": "1"
    }
    Operations on OSS | Result
    List all created buckets | Failed
    Upload an object whose name does not contain a prefix. Example: test.txt | Failed
    Download an object whose name does not contain a prefix. Example: test.txt | Failed
    Upload an object whose name contains a specified prefix. Example: user1/test.txt | Failed
    Download an object whose name contains a specified prefix. Example: user1/test.txt | Successful
    List objects whose names do not contain prefixes. Example: test.txt | Successful
    List objects whose names contain a specified prefix. Example: user1/test.txt | Successful
  • Write-only policy for all objects

    This policy is used to upload objects to a bucket such as app-base-oss.

    {
      "Statement": [
        {
          "Action": [
            "oss:PutObject"
          ],
          "Effect": "Allow",
          "Resource": ["acs:oss:*:*:app-base-oss/*", "acs:oss:*:*:app-base-oss"]
        }
      ],
      "Version": "1"
    }
    Operations on OSS | Result
    List all created buckets | Failed
    Upload an object whose name does not contain a prefix. Example: test.txt | Successful
    Download an object whose name does not contain a prefix. Example: test.txt | Failed
    Upload an object whose name contains a specified prefix. Example: user1/test.txt | Successful
    Download an object whose name contains a specified prefix. Example: user1/test.txt | Successful
    List objects whose names do not contain prefixes. Example: test.txt | Successful
    List objects whose names contain a specified prefix. Example: user1/test.txt | Successful
  • Write-only policy for objects whose names contain a specified prefix

    This policy is used to upload objects whose names contain the user1/ prefix to a bucket such as app-base-oss. Objects whose names carry any other prefix cannot be uploaded. You can use this policy to configure object prefixes for different applications. This method allows access to the resources in a bucket to be isolated.

    {
      "Statement": [
        {
          "Action": [
            "oss:PutObject"
          ],
          "Effect": "Allow",
          "Resource": ["acs:oss:*:*:app-base-oss/user1/*", "acs:oss:*:*:app-base-oss"]
        }
      ],
      "Version": "1"
    }
    Operations on OSS | Result
    List all created buckets | Failed
    Upload an object whose name does not contain a prefix. Example: test.txt | Failed
    Download an object whose name does not contain a prefix. Example: test.txt | Failed
    Upload an object whose name contains a specified prefix. Example: user1/test.txt | Successful
    Download an object whose name contains a specified prefix. Example: user1/test.txt | Failed
    List objects whose names do not contain prefixes. Example: test.txt | Failed
    List objects whose names contain a specified prefix. Example: user1/test.txt | Failed
  • Read/write policy for all objects

    This policy is used to list, download, upload, and delete objects for a bucket such as app-base-oss.

    {
      "Statement": [
        {
          "Action": [
            "oss:GetObject",
            "oss:PutObject",
            "oss:DeleteObject",
            "oss:ListParts",
            "oss:AbortMultipartUpload",
            "oss:ListObjects"
          ],
          "Effect": "Allow",
          "Resource": ["acs:oss:*:*:app-base-oss/*", "acs:oss:*:*:app-base-oss"]
        }
      ],
      "Version": "1"
    }
    Operations on OSS | Result
    List all created buckets | Failed
    Upload an object whose name does not contain a prefix. Example: test.txt | Successful
    Download an object whose name does not contain a prefix. Example: test.txt | Successful
    Upload an object whose name contains a specified prefix. Example: user1/test.txt | Successful
    Download an object whose name contains a specified prefix. Example: user1/test.txt | Successful
    List objects whose names do not contain prefixes. Example: test.txt | Successful
    List objects whose names contain a specified prefix. Example: user1/test.txt | Successful
  • Read/write policy for objects whose names contain a specified prefix

    This policy is used to list, download, upload, and delete objects whose names contain the user1/ prefix in a bucket such as app-base-oss. You can use this policy to configure object prefixes for different applications. This method allows access to the resources in a bucket to be isolated.

    {
      "Statement": [
        {
          "Action": [
            "oss:GetObject",
            "oss:PutObject",
            "oss:DeleteObject",
            "oss:ListParts",
            "oss:AbortMultipartUpload",
            "oss:ListObjects"
          ],
          "Effect": "Allow",
          "Resource": ["acs:oss:*:*:app-base-oss/user1/*", "acs:oss:*:*:app-base-oss"]
        }
      ],
      "Version": "1"
    }
    Operations on OSS | Result
    List all created buckets | Failed
    Upload an object whose name does not contain a prefix. Example: test.txt | Failed
    Download an object whose name does not contain a prefix. Example: test.txt | Failed
    Upload an object whose name contains a specified prefix. Example: user1/test.txt | Successful
    Download an object whose name contains a specified prefix. Example: user1/test.txt | Successful
    List objects whose names do not contain prefixes. Example: test.txt | Successful
    List objects whose names contain a specified prefix. Example: user1/test.txt | Successful

Complex policy examples

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:GetBucketAcl",
                "oss:ListObjects"
            ],
            "Resource": [
                "acs:oss:*:1775305056529849:mybucket"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "acs:UserAgent": "java-sdk",
                    "oss:Prefix": "foo"
                },
                "IpAddress": {
                    "acs:SourceIp": "192.168.0.1"
                }
            }
        },
        {
            "Action": [
                "oss:PutObject",
                "oss:GetObject",
                "oss:DeleteObject"
            ],
            "Resource": [
                "acs:oss:*:1775305056529849:mybucket/file*"
            ],
            "Effect": "Allow",
            "Condition": {
                "IpAddress": {
                    "acs:SourceIp": "192.168.0.1"
                }
            }
        }
    ]
}

The preceding example is a complex authorization policy that you can use to grant permissions to other users through RAM or STS. The policy contains a Statement element, and each Statement specifies Action, Resource, Effect, and Condition.

In this policy, the authorized users may perform the GetBucketAcl, GetBucket, PutObject, GetObject, and DeleteObject operations on mybucket and mybucket/file*. The Condition requires the user agent to be java-sdk and the source IP address to be 192.168.0.1; only requests that satisfy these conditions can access the specified resources. The oss:Prefix condition applies only to the GetBucket (ListObjects) operation. For more information about Prefix, see GetBucket (ListObjects).

Version

Version defines the version of the policy. In the preceding example, Version is set to 1.

Statement

One policy can contain multiple Statements. Each Statement describes Action, Effect, Resource, and Condition. The system checks every request against all Statements. A matching Statement can have an Effect of Allow or Deny, and a matching Statement whose Effect is Deny takes precedence. A request is authorized only when at least one Statement matches it and every matching Statement has an Effect of Allow. If any matching Statement has an Effect of Deny, or if no Statement matches the request, the request is denied.

Action

Action supports the following categories of operations:

  • Service operations: includes the GetService operation, which is used to list all buckets owned by the user.
  • Bucket operations: corresponds to actions such as oss:PutBucketAcl and oss:GetBucketLocation on buckets. The names of operations correspond to those of the actions.
  • Object operations: corresponds to actions such as oss:GetObject, oss:PutObject, oss:DeleteObject, and oss:AbortMultipartUpload on objects.

You can select one or more of the actions to perform operations on specified objects. Note that all actions must be prefixed with oss:, as shown in the preceding example. Action can specify multiple actions. The following table describes the mapping relationship between actions and API operations.

  • Service
    API operation | Action
    GetService (ListBuckets) | oss:ListBuckets
  • Bucket
    API operation | Action
    PutBucket | oss:PutBucket
    GetBucket (ListObjects) | oss:ListObjects
    PutBucketAcl | oss:PutBucketAcl
    DeleteBucket | oss:DeleteBucket
    GetBucketLocation | oss:GetBucketLocation
    GetBucketAcl | oss:GetBucketAcl
    GetBucketLogging | oss:GetBucketLogging
    PutBucketLogging | oss:PutBucketLogging
    DeleteBucketLogging | oss:DeleteBucketLogging
    GetBucketWebsite | oss:GetBucketWebsite
    PutBucketWebsite | oss:PutBucketWebsite
    DeleteBucketWebsite | oss:DeleteBucketWebsite
    GetBucketReferer | oss:GetBucketReferer
    PutBucketReferer | oss:PutBucketReferer
    GetBucketLifecycle | oss:GetBucketLifecycle
    PutBucketLifecycle | oss:PutBucketLifecycle
    DeleteBucketLifecycle | oss:DeleteBucketLifecycle
    ListMultipartUploads | oss:ListMultipartUploads
    PutBucketCors | oss:PutBucketCors
    GetBucketCors | oss:GetBucketCors
    DeleteBucketCors | oss:DeleteBucketCors
    PutBucketReplication | oss:PutBucketReplication
    GetBucketReplication | oss:GetBucketReplication
    DeleteBucketReplication | oss:DeleteBucketReplication
    GetBucketReplicationLocation | oss:GetBucketReplicationLocation
    GetBucketReplicationProgress | oss:GetBucketReplicationProgress
  • Object
    API operation | Action
    GetObject | oss:GetObject
    HeadObject | oss:GetObject
    PutObject | oss:PutObject
    PostObject | oss:PutObject
    InitiateMultipartUpload | oss:PutObject
    UploadPart | oss:PutObject
    CompleteMultipart | oss:PutObject
    DeleteObject | oss:DeleteObject
    DeleteMultipleObjects | oss:DeleteObject
    AbortMultipartUpload | oss:AbortMultipartUpload
    ListParts | oss:ListParts
    CopyObject | oss:GetObject, oss:PutObject
    UploadPartCopy | oss:GetObject, oss:PutObject
    AppendObject | oss:PutObject
    GetObjectAcl | oss:GetObjectAcl
    PutObjectAcl | oss:PutObjectAcl
    RestoreObject | oss:RestoreObject

Resource

Resource specifies the OSS resources that users can access. Asterisk (*) wildcards can be used when specifying resources. The format of a resource is acs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name}. For operations on buckets, the forward slash (/) and {object_name} are omitted, for example acs:oss:{region}:{bucket_owner}:{bucket_name}. Resource can list multiple resources. Set the region field to an asterisk (*) rather than a specific region.

Effect

Effect specifies the authorization result of the Statement. Valid values: Allow and Deny. Matched Statements where Effect is set to Deny take precedence.

The following example prevents users from deleting objects in a specified directory while still granting full permissions on all other objects:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:*"
      ],
      "Resource": [
        "acs:oss:*:*:bucketname"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "oss:DeleteObject"
      ],
      "Resource": [
        "acs:oss:*:*:bucketname/index/*"
      ]
    }
  ]
}
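As an added illustration that is not part of the original page and is not Alibaba Cloud's own evaluator, the following Python simulator applies the rules from the Statement, Resource, and Effect sections: implicit deny, asterisk wildcards in Action and Resource, an explicit Deny overriding any Allow, and the StringEquals, StringNotEquals, and IpAddress condition operators used in the complex policy example. The policy, the region cn-hangzhou, the object names, and the evaluate function name are constructed for this example.

```python
import fnmatch
import ipaddress

# Constructed, simplified simulator of the RAM policy semantics this page describes
# (implicit deny, "*" wildcards, Deny overrides Allow, a few Condition operators).
# It is an illustration only, not Alibaba Cloud's actual policy evaluator.

def _match(patterns, value):
    # OSS policies use "*" as the only wildcard; fnmatch lets it span "/" as well.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _conditions_hold(condition, ctx):
    for operator, checks in condition.items():
        for key, want in checks.items():
            have = ctx.get(key)
            if operator == "StringEquals" and have != want:
                return False
            if operator == "StringNotEquals" and have == want:
                return False
            if operator == "IpAddress" and want != "*" and (
                    have is None or ipaddress.ip_address(have) not in ipaddress.ip_network(want)):
                return False
    return True

def evaluate(policy, action, resource, ctx=None):
    """Return "Allow" or "Deny" for one request evaluated against one policy."""
    ctx = ctx or {}
    decision = "Deny"  # no Statement matched yet: implicit deny
    for st in policy["Statement"]:
        if not (_match(st["Action"], action) and _match(st["Resource"], resource)):
            continue
        if not _conditions_hold(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit Deny wins over every matching Allow
        decision = "Allow"
    return decision

# Constructed policy modelled on the page's Effect and SecureTransport examples:
# full access to bucketname, no deletes under index/, nothing over plain HTTP.
POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:*"],
     "Resource": ["acs:oss:*:*:bucketname", "acs:oss:*:*:bucketname/*"]},
    {"Effect": "Deny", "Action": ["oss:DeleteObject"],
     "Resource": ["acs:oss:*:*:bucketname/index/*"]},
    {"Effect": "Deny", "Action": ["oss:*"], "Resource": ["*"],
     "Condition": {"StringNotEquals": {"acs:SecureTransport": "true"}}},
]}
INDEX_PAGE = "acs:oss:cn-hangzhou:1775305056529849:bucketname/index/home.html"  # constructed ARN
LOG_FILE = "acs:oss:cn-hangzhou:1775305056529849:bucketname/logs/app.log"  # constructed ARN
```

Note that the Allow statement lists both the bucket ARN and bucketname/*: a pattern that ends at the bucket name does not match object ARNs, which is why the page's own examples always list both forms.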

Condition

Condition specifies authorization conditions for the policy. The preceding example specifies the acs:UserAgent, acs:SourceIp, and oss:Prefix fields for the system to check the request.

The following table describes the conditions supported by OSS.

Condition | Description | Valid value
acs:SourceIp | Specifies the source IP address or CIDR block. | A regular IP address or CIDR block. If you set this field to an asterisk (*) wildcard, all source addresses are allowed.
acs:UserAgent | Specifies the User-Agent HTTP header. | A value of the String type.
acs:CurrentTime | Specifies the time at which the request must be received to be valid. | A time in ISO 8601 format.
acs:SecureTransport | Specifies whether HTTPS must be used to access the specified resource. | true or false.
oss:Prefix | Specifies the prefix that returned object names must contain when you list objects. | A valid object name prefix.
Note To deny access over HTTP, add the following Statement where Effect is set to Deny. To restrict the denial to specific actions or resources, narrow the Action and Resource fields.
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "oss:*"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "acs:SecureTransport": "true"
                }
            }
        }
    ]
}

Best practices

OSS provides RAM Policy Editor to generate the required RAM policies. For more information, see RAM Policy Editor. You can also use the graphical management tool ossbrowser to grant RAM users permissions on specific buckets or directories with a single click. For more information, see the "Grant permissions with a simple policy" section in Permission management.

For more information about scenario-specific authorization policy configuration examples, see Tutorial: Use RAM Policy to control access to buckets and folders.