Resource Access Management (RAM) policies are authorization policies configured based on users. You can configure RAM policies to manage the permissions of your users on your resources stored in Object Storage Service (OSS).

Background information

  • Syntax and structure of RAM policies

    A RAM policy contains a version number and a statement. Each statement contains the following elements: Effect (the permission effect), Action, Resource, and Condition. The Condition element is optional. For more information about the syntax and structure of RAM policies, see Policy structure and syntax.

    The usage of version numbers, statements, and the statement effect in RAM policies for OSS is the same as that in policies for RAM. For more information about the usage of Actions, Resources, and Conditions in RAM policies for OSS, see the following sections:

  • Common RAM policies for OSS
    • AliyunOSSFullAccess: grants a RAM user permissions to manage OSS resources.
    • AliyunOSSReadOnlyAccess: grants a RAM user the read-only permission on OSS resources.
  • Access control methods supported by OSS

    For more information about access control methods supported by OSS, see Overview.

The Action field in RAM policies for OSS

RAM policies for OSS support service-related actions, bucket-related actions, and object-related actions. For more information about actions that are implemented by calling API operations, see List of operations by function.

  • Service-related actions

    Service-related actions correspond to the GetService (ListBuckets) operation, which is called to list all buckets owned by the user.

    API                       Action
    GetService (ListBuckets)  oss:ListBuckets
  • Bucket-related actions

    Bucket-related actions are performed on buckets. The following table describes the correspondence between the bucket-related actions and the API operations.

    API                                     Action
    PutBucket                               oss:PutBucket
    GetBucket (ListObjects)                 oss:ListObjects
    GetBucketVersions (ListObjectVersions)  oss:ListObjectVersions
    PutBucketVersioning                     oss:PutBucketVersioning
    GetBucketVersioning                     oss:GetBucketVersioning
    PutBucketAcl                            oss:PutBucketAcl
    GetBucketAcl                            oss:GetBucketAcl
    DeleteBucket                            oss:DeleteBucket
    GetBucketLocation                       oss:GetBucketLocation
    GetBucketInfo                           oss:GetBucketInfo
    GetBucketLogging                        oss:GetBucketLogging
    PutBucketLogging                        oss:PutBucketLogging
    DeleteBucketLogging                     oss:DeleteBucketLogging
    GetBucketWebsite                        oss:GetBucketWebsite
    PutBucketWebsite                        oss:PutBucketWebsite
    DeleteBucketWebsite                     oss:DeleteBucketWebsite
    GetBucketReferer                        oss:GetBucketReferer
    PutBucketReferer                        oss:PutBucketReferer
    GetBucketLifecycle                      oss:GetBucketLifecycle
    PutBucketLifecycle                      oss:PutBucketLifecycle
    DeleteBucketLifecycle                   oss:DeleteBucketLifecycle
    ListMultipartUploads                    oss:ListMultipartUploads
    PutBucketCors                           oss:PutBucketCors
    GetBucketCors                           oss:GetBucketCors
    DeleteBucketCors                        oss:DeleteBucketCors
    PutBucketPolicy                         oss:PutBucketPolicy
    GetBucketPolicy                         oss:GetBucketPolicy
    DeleteBucketPolicy                      oss:DeleteBucketPolicy
    PutBucketTags                           oss:PutBucketTagging
    GetBucketTags                           oss:GetBucketTagging
    DeleteBucketTags                        oss:DeleteBucketTagging
    PutBucketEncryption                     oss:PutBucketEncryption
    GetBucketEncryption                     oss:GetBucketEncryption
    DeleteBucketEncryption                  oss:DeleteBucketEncryption
    PutBucketRequestPayment                 oss:PutBucketRequestPayment
    GetBucketRequestPayment                 oss:GetBucketRequestPayment
    PutBucketReplication                    oss:PutBucketReplication
    GetBucketReplication                    oss:GetBucketReplication
    DeleteBucketReplication                 oss:DeleteBucketReplication
    GetBucketReplicationLocation            oss:GetBucketReplicationLocation
    GetBucketReplicationProgress            oss:GetBucketReplicationProgress
    PutBucketInventory                      oss:PutBucketInventory
    GetBucketInventory                      oss:GetBucketInventory
    ListBucketInventory                     oss:GetBucketInventory
    DeleteBucketInventory                   oss:DeleteBucketInventory
  • Object-related actions

    Object-related actions are performed on objects. The following table describes the correspondence between the object-related actions and the API operations.

    API                                                             Action
    PutObject, PostObject, InitiateMultipartUpload,                 oss:PutObject
    UploadPart, CompleteMultipartUpload, AppendObject,
    PutSymlink
    GetObject, HeadObject, GetObjectMeta, SelectObject,             oss:GetObject
    GetSymlink
    DeleteObject, DeleteMultipleObjects                             oss:DeleteObject
    CopyObject, UploadPartCopy                                      oss:GetObject, oss:PutObject
    ListParts                                                       oss:ListParts
    GetObjectAcl                                                    oss:GetObjectAcl
    PutObjectAcl                                                    oss:PutObjectAcl
    RestoreObject                                                   oss:RestoreObject
    PutObjectTagging                                                oss:PutObjectTagging
    GetObjectTagging                                                oss:GetObjectTagging
    DeleteObjectTagging                                             oss:DeleteObjectTagging
    GetObject (with versionId specified in the request)             oss:GetObjectVersion
    PutObjectACL (with versionId specified in the request)          oss:PutObjectVersionAcl
    GetObjectAcl (with versionId specified in the request)          oss:GetObjectVersionAcl
    RestoreObject (with versionId specified in the request)         oss:RestoreObjectVersion
    DeleteObject (with versionId specified in the request)          oss:DeleteObjectVersion
    PutObjectTagging (with versionId specified in the request)      oss:PutObjectVersionTagging
    GetObjectTagging (with versionId specified in the request)      oss:GetObjectVersionTagging
    DeleteObjectTagging (with versionId specified in the request)   oss:DeleteObjectVersionTagging
    PutLiveChannel                                                  oss:PutLiveChannel
    ListLiveChannel                                                 oss:ListLiveChannel
    DeleteLiveChannel                                               oss:DeleteLiveChannel
    PutLiveChannelStatus                                            oss:PutLiveChannelStatus
    GetLiveChannelInfo                                              oss:GetLiveChannel
    GetLiveChannelStat                                              oss:GetLiveChannelStat
    GetLiveChannelHistory                                           oss:GetLiveChannelHistory
    PostVodPlaylist                                                 oss:PostVodPlaylist
    GetVodPlaylist                                                  oss:GetVodPlaylist
    ProcessImm                                                      oss:ProcessImm
    ImgSaveAs                                                       oss:PostProcessTask
    AbortMultipartUpload                                            oss:AbortMultipartUpload

The Resource field in RAM policies for OSS

In RAM policies for OSS, the Resource field indicates a specific resource or specific resources. This field supports asterisks (*) as wildcards. A RAM policy can contain multiple Resource fields.

The Resource field is specified in the following format: acs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name}.

When you specify the Resource field in a RAM policy for a bucket, you do not need to add a forward slash (/) or {object_name} after {bucket_name}. In this case, you can specify the Resource field in the following format: acs:oss:{region}:{bucket_owner}:{bucket_name}. The region field can be set only to an asterisk (*) as a wildcard.

The Condition field in RAM policies for OSS

In RAM policies for OSS, the Condition field specifies the conditions under which a statement takes effect. The following table describes the condition keys supported by OSS.

Condition               Description
acs:SourceIp            The CIDR block from which the request is sent. Asterisks (*) are supported as
                        wildcards.
acs:UserAgent           The User-Agent header in the HTTP request. Type: string.
acs:CurrentTime         The time when the request arrives at the OSS server. Standard: ISO 8601.
acs:SecureTransport     The protocol of the request. If the protocol of the request is HTTP, set the
                        value to HTTP. If the protocol of the request is HTTPS, set the value to HTTPS.
oss:Prefix              The prefix that is contained in the objects listed by calling the ListObjects
                        operation.
oss:Delimiter           The character that is used to group the names of objects listed by calling the
                        ListObjects operation.
acs:AccessId            The AccessKey ID included in the request.
oss:BucketTag           The tag of a bucket. A single bucket tag can be used as a condition. To
                        configure multiple bucket tags as multiple conditions, you must add
                        oss:BucketTag/ before each bucket tag.
acs:MFAPresent          Indicates whether multi-factor authentication (MFA) is enabled. Default value:
                        false. Valid values: true (MFA is enabled) and false (MFA is disabled).
oss:ExistingObjectTag   Indicates that the requested object has tags. A single object tag can be used
                        as a condition. To configure multiple object tags as multiple conditions, you
                        must add oss:ExistingObjectTag/ before each object tag. This condition applies
                        to operations called to read objects, such as GetObject and HeadObject, and
                        operations related to object tags, such as PutObjectTagging and
                        GetObjectTagging.
oss:RequestObjectTag    The object tags included in the request. A single object tag can be used as a
                        condition. To configure multiple object tags as multiple conditions, you must
                        add oss:RequestObjectTag/ before each object tag. This condition applies to
                        operations called to write objects, such as PutObject and PostObject, and
                        operations related to object tags, such as PutObjectTagging and
                        GetObjectTagging.
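The Action, Resource and Condition sections above describe the three fields one at a time. The following Python script is added here as an illustration of how they combine when a single request is evaluated; it is not code from the OSS documentation or from Alibaba Cloud. It builds a least-privilege policy in RAM JSON syntax from actions in the tables above, matches the request action and resource against the statement patterns (with * as the wildcard the Resource section describes), checks conditions on acs:SourceIp, acs:MFAPresent and oss:Prefix, and flags Allow statements whose Resource covers every bucket in the account. The operator names StringEquals, StringLike, IpAddress and Bool are standard RAM policy syntax; the precedence rule used (a matching Deny wins, otherwise at least one Allow must match) is an assumption of this model, and the bucket name examplebucket, the CIDR block 203.0.113.0/24 and the request contexts are constructed.

```python
# Added example, not part of the OSS documentation: a small model of how the
# Action, Resource and Condition fields of an OSS RAM policy combine when a
# request is evaluated. The precedence rule (a matching Deny wins, otherwise a
# matching Allow is required) is an assumption of this model; the policy,
# bucket name, addresses and requests are constructed for the example.
from fnmatch import fnmatchcase
import ipaddress

# Constructed policy for the constructed bucket "examplebucket": list and read
# objects under reports/ only from one CIDR block and only with MFA; deny every
# delete action on the bucket and its objects regardless of conditions.
POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["oss:ListObjects", "oss:GetBucketInfo"],
            "Resource": ["acs:oss:*:*:examplebucket"],
            "Condition": {"StringEquals": {"oss:Prefix": ["reports/"]}},
        },
        {
            "Effect": "Allow",
            "Action": ["oss:GetObject", "oss:GetObjectVersion"],
            "Resource": ["acs:oss:*:*:examplebucket/reports/*"],
            "Condition": {
                "IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]},
                "Bool": {"acs:MFAPresent": ["true"]},
            },
        },
        {
            "Effect": "Deny",
            "Action": ["oss:Delete*"],
            "Resource": ["acs:oss:*:*:examplebucket", "acs:oss:*:*:examplebucket/*"],
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def matches_any(value, patterns):
    """Action and Resource patterns: '*' matches any run of characters."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def condition_holds(condition, ctx):
    """Every operator/key pair must hold; a key absent from the request
    context never satisfies a condition."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            if key not in ctx:
                return False
            actual = str(ctx[key])
            expected = [str(e) for e in _as_list(expected)]
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringLike":
                ok = matches_any(actual, expected)
            elif operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                ok = any(ip in ipaddress.ip_network(c, strict=False) for c in expected)
            elif operator == "Bool":
                ok = actual.lower() in [e.lower() for e in expected]
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, ctx=None):
    """Return 'Allow' or 'Deny' for one request. Default is Deny; a statement
    counts only if its Action, Resource and Condition all match."""
    ctx = ctx or {}
    allowed = False
    for statement in policy["Statement"]:
        if not matches_any(action, statement["Action"]):
            continue
        if not matches_any(resource, statement["Resource"]):
            continue
        if not condition_holds(statement.get("Condition", {}), ctx):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def overly_broad_allows(policy):
    """Review aid: Allow statements whose Resource names every bucket in the
    account (acs:oss:*:*:* or acs:oss:*:*:*/*), returned as (index, resource)."""
    return [
        (i, res)
        for i, st in enumerate(policy["Statement"])
        if st["Effect"] == "Allow"
        for res in _as_list(st["Resource"])
        if res.split(":")[-1] in ("*", "*/*")
    ]


if __name__ == "__main__":
    obj = "acs:oss:*:*:examplebucket/reports/q1.csv"
    ctx = {"acs:SourceIp": "203.0.113.7", "acs:MFAPresent": "true"}
    print(evaluate(POLICY, "oss:GetObject", obj, ctx))      # Allow
    print(evaluate(POLICY, "oss:DeleteObject", obj, ctx))   # Deny: explicit Deny wins
    print(overly_broad_allows(POLICY))                       # []
```

Two points the model makes visible: a request that lacks a condition key (for example no acs:MFAPresent, matching the documented default of false) fails the condition and so falls back to the default Deny, and the explicit Deny on oss:Delete* holds even for a caller who satisfies every Allow condition. Run overly_broad_allows over a policy before attaching it to a RAM user to catch a Resource of acs:oss:*:*:* that grants far more than the bucket the author had in mind.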

Examples

You can use RAM policies to grant permissions to users in different scenarios. For more information, see Common examples of RAM policies.