Resource Access Management (RAM) is the resource access control service of Alibaba Cloud. You configure RAM policies based on the responsibilities of each user, and use those policies to control which resources a user, system, or application can access. For example, you can create a RAM policy that grants a user read permissions on a bucket.

Notice
  • Operations related to RAM policies are complex. We recommend that you configure a Bucket policy to control access by using the graphical interface of the console.
  • If you use RAM policies, we recommend that you use RAM Policy Editor to generate required RAM policies. For more information, see RAM Policy Editor.

Policy examples

  • Policy to grant full permissions

    A policy that grants full permissions allows applications to perform all operations on OSS.

    Warning For security reasons, we recommend that you do not use a policy that grants full permissions to mobile apps.
    {
      "Statement": [
        {
          "Action": [
            "oss:*"
          ],
          "Effect": "Allow",
          "Resource": ["acs:oss:*:*:*"]
        }
      ],
      "Version": "1"
    }
    Operation on OSS | Result
    List all created buckets | Successful
    Upload an object whose name does not contain a prefix. Example: test.txt | Successful
    Download an object whose name does not contain a prefix. Example: test.txt | Successful
    Upload an object whose name contains a specified prefix. Example: user1/test.txt | Successful
    Download an object whose name contains a specified prefix. Example: user1/test.txt | Successful
    List objects whose names do not contain prefixes. Example: test.txt | Successful
    List objects whose names contain a specified prefix. Example: user1/test.txt | Successful
  • Read-only policy for all objects

    This policy is used to list and download all objects in a bucket such as app-base-oss.

    {
        "Statement": [
          {
            "Action": [
              "oss:GetObject",
              "oss:ListObjects"
            ],
            "Effect": "Allow",
            "Resource": ["acs:oss:*:*:app-base-oss/*", "acs:oss:*:*:app-base-oss"]
          }
        ],
        "Version": "1"
      }
    Operation on OSS | Result
    List all created buckets | Failed
    Upload an object whose name does not contain a prefix. Example: test.txt | Failed
    Download an object whose name does not contain a prefix. Example: test.txt | Successful
    Upload an object whose name contains a specified prefix. Example: user1/test.txt | Failed
    Download an object whose name contains a specified prefix. Example: user1/test.txt | Successful
    List objects whose names do not contain prefixes. Example: test.txt | Successful
    List objects whose names contain a specified prefix. Example: user1/test.txt | Successful
  • Read-only policy for objects whose names contain a specified prefix

    This policy is used to list and download objects whose names contain the user1/ prefix from a bucket such as app-base-oss. By assigning a different object prefix to each application, you isolate the applications' access to the resources in one bucket.

    {
        "Statement": [
          {
            "Action": [
              "oss:GetObject",
              "oss:ListObjects"
            ],
            "Effect": "Allow",
            "Resource": ["acs:oss:*:*:app-base-oss/user1/*", "acs:oss:*:*:app-base-oss"]
          }
        ],
        "Version": "1"
      }
    Operation on OSS | Result
    List all created buckets | Failed
    Upload an object whose name does not contain a prefix. Example: test.txt | Failed
    Download an object whose name does not contain a prefix. Example: test.txt | Failed
    Upload an object whose name contains a specified prefix. Example: user1/test.txt | Failed
    Download an object whose name contains a specified prefix. Example: user1/test.txt | Successful
    List objects whose names do not contain prefixes. Example: test.txt | Successful
    List objects whose names contain a specified prefix. Example: user1/test.txt | Successful
  • Write-only policy for all objects

    This policy is used to upload objects to a bucket such as app-base-oss.

    {
        "Statement": [
          {
            "Action": [
              "oss:PutObject"
            ],
            "Effect": "Allow",
            "Resource": ["acs:oss:*:*:app-base-oss/*", "acs:oss:*:*:app-base-oss"]
          }
        ],
        "Version": "1"
      }
    Operation on OSS | Result
    List all created buckets | Failed
    Upload an object whose name does not contain a prefix. Example: test.txt | Successful
    Download an object whose name does not contain a prefix. Example: test.txt | Failed
    Upload an object whose name contains a specified prefix. Example: user1/test.txt | Successful
    Download an object whose name contains a specified prefix. Example: user1/test.txt | Successful
    List objects whose names do not contain prefixes. Example: test.txt | Successful
    List objects whose names contain a specified prefix. Example: user1/test.txt | Successful
  • Write-only policy for objects whose names contain a specified prefix

    This policy is used to upload objects whose names contain the user1/ prefix to a bucket such as app-base-oss. Objects whose names contain other prefixes cannot be uploaded. By assigning a different object prefix to each application, you isolate the applications' access to the resources in one bucket.

    {
        "Statement": [
          {
            "Action": [
              "oss:PutObject"
            ],
            "Effect": "Allow",
            "Resource": ["acs:oss:*:*:app-base-oss/user1/*", "acs:oss:*:*:app-base-oss"]
          }
        ],
        "Version": "1"
      }
    Operation on OSS | Result
    List all created buckets | Failed
    Upload an object whose name does not contain a prefix. Example: test.txt | Failed
    Download an object whose name does not contain a prefix. Example: test.txt | Failed
    Upload an object whose name contains a specified prefix. Example: user1/test.txt | Successful
    Download an object whose name contains a specified prefix. Example: user1/test.txt | Failed
    List objects whose names do not contain prefixes. Example: test.txt | Failed
    List objects whose names contain a specified prefix. Example: user1/test.txt | Failed
  • Read/write policy for all objects

    This policy is used to list, download, upload, and delete objects for a bucket such as app-base-oss.

    {
        "Statement": [
          {
            "Action": [
              "oss:GetObject",
              "oss:PutObject",
              "oss:DeleteObject",
              "oss:ListParts",
              "oss:AbortMultipartUpload",
              "oss:ListObjects"
            ],
            "Effect": "Allow",
            "Resource": ["acs:oss:*:*:app-base-oss/*", "acs:oss:*:*:app-base-oss"]
          }
        ],
        "Version": "1"
      }
    Operation on OSS | Result
    List all created buckets | Failed
    Upload an object whose name does not contain a prefix. Example: test.txt | Successful
    Download an object whose name does not contain a prefix. Example: test.txt | Successful
    Upload an object whose name contains a specified prefix. Example: user1/test.txt | Successful
    Download an object whose name contains a specified prefix. Example: user1/test.txt | Successful
    List objects whose names do not contain prefixes. Example: test.txt | Successful
    List objects whose names contain a specified prefix. Example: user1/test.txt | Successful
  • Read/write policy for objects whose names contain a specified prefix

    This policy is used to list, download, upload, and delete objects whose names contain the user1/ prefix in a bucket such as app-base-oss. By assigning a different object prefix to each application, you isolate the applications' access to the resources in one bucket.

    {
        "Statement": [
          {
            "Action": [
              "oss:GetObject",
              "oss:PutObject",
              "oss:DeleteObject",
              "oss:ListParts",
              "oss:AbortMultipartUpload",
              "oss:ListObjects"
            ],
            "Effect": "Allow",
            "Resource": ["acs:oss:*:*:app-base-oss/user1/*", "acs:oss:*:*:app-base-oss"]
          }
        ],
        "Version": "1"
      }
    Operation on OSS | Result
    List all created buckets | Failed
    Upload an object whose name does not contain a prefix. Example: test.txt | Failed
    Download an object whose name does not contain a prefix. Example: test.txt | Failed
    Upload an object whose name contains a specified prefix. Example: user1/test.txt | Successful
    Download an object whose name contains a specified prefix. Example: user1/test.txt | Successful
    List objects whose names do not contain prefixes. Example: test.txt | Successful
    List objects whose names contain a specified prefix. Example: user1/test.txt | Successful
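The prefix-isolation pattern used in the examples above, as an added example that is not part of Alibaba Cloud's documentation or tooling: a small Python script that builds a per-application policy in the same shape as the examples above and lints a policy document for the over-grants the page cautions against (an oss:* action, a Resource that covers every bucket, an unscoped whole-bucket object ARN, and oss:ListObjects granted without the bucket ARN it needs). The function names build_prefix_policy and lint_policy are this example's own; the action sets are copied from the examples above.

```python
import json

# Action sets taken from the policy examples above.
READ_ONLY = ["oss:GetObject", "oss:ListObjects"]
WRITE_ONLY = ["oss:PutObject"]
READ_WRITE = ["oss:GetObject", "oss:PutObject", "oss:DeleteObject",
              "oss:ListParts", "oss:AbortMultipartUpload", "oss:ListObjects"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _split_arn(arn):
    """Split acs:oss:{region}:{owner}:{bucket}/{key} into (bucket, key pattern).

    A bare "*" (or any ARN without five fields) is treated as "every bucket".
    """
    parts = arn.split(":", 4)
    if len(parts) < 5:
        return "*", "*"
    bucket, _, key = parts[4].partition("/")
    return bucket, key


def build_prefix_policy(bucket, prefix, actions):
    """Build one Allow statement for bucket/prefix/* in the shape used on this page.

    The bucket ARN (no object part) is always included: oss:ListObjects is a
    bucket-level operation and is not granted by an object ARN alone.
    """
    prefix = prefix.strip("/")
    object_arn = f"acs:oss:*:*:{bucket}/{prefix}/*" if prefix else f"acs:oss:*:*:{bucket}/*"
    return {
        "Statement": [{
            "Action": list(actions),
            "Effect": "Allow",
            "Resource": [object_arn, f"acs:oss:*:*:{bucket}"],
        }],
        "Version": "1",
    }


def lint_policy(policy):
    """Return least-privilege findings for the Allow statements of a policy document."""
    findings = []
    for n, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = _as_list(st["Action"])
        scopes = [_split_arn(r) for r in _as_list(st["Resource"])]
        if "oss:*" in actions:
            findings.append(f"statement {n}: Action oss:* grants every OSS operation")
        if any(bucket == "*" for bucket, _ in scopes):
            findings.append(f"statement {n}: Resource covers every bucket in the account")
        if any(key == "*" for _, key in scopes):
            findings.append(f"statement {n}: object scope is a whole bucket; consider a prefix")
        if "oss:ListObjects" in actions and not any(key == "" for _, key in scopes):
            findings.append(f"statement {n}: oss:ListObjects needs the bucket ARN as well")
    return findings


if __name__ == "__main__":
    policy = build_prefix_policy("app-base-oss", "user1", READ_ONLY)
    print(json.dumps(policy, indent=2))
    print("findings:", lint_policy(policy) or "none")
    # The full-permissions policy from the first example: two findings.
    full = {"Statement": [{"Action": ["oss:*"], "Effect": "Allow",
                           "Resource": ["acs:oss:*:*:*"]}], "Version": "1"}
    print("findings:", lint_policy(full))
```

Running the linter over the page's own "read-only policy for all objects" reports only the whole-bucket scope; over the prefix-scoped variants it reports nothing, which is the shape you want for a per-application RAM user.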

Complex policy examples

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:GetBucketAcl",
                "oss:ListObjects"
            ],
            "Resource": [
                "acs:oss:*:1775305056529849:mybucket"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "acs:UserAgent": "java-sdk",
                    "oss:Prefix": "foo"
                },
                "IpAddress": {
                    "acs:SourceIp": "192.168.0.1"
                }
            }
        },
        {
            "Action": [
                "oss:PutObject",
                "oss:GetObject",
                "oss:DeleteObject"
            ],
            "Resource": [
                "acs:oss:*:1775305056529849:mybucket/file*"
            ],
            "Effect": "Allow",
            "Condition": {
                "IpAddress": {
                    "acs:SourceIp": "192.168.0.1"
                }
            }
        }
    ]
}

The preceding example describes a complex authorization policy. You can use this policy to grant permissions to other users through RAM or STS. The policy contains Statement elements, each of which specifies Action, Resource, Effect, and Condition.

In this policy, the specified users are authorized to perform the GetBucketAcl and GetBucket operations on mybucket, and the PutObject, GetObject, and DeleteObject operations on mybucket/file*. In Condition, the user agent is set to java-sdk and the source IP address is set to 192.168.0.1. Only requests that meet these conditions can access the specified resources. The oss:Prefix condition applies to the GetBucket (ListObjects) operation. For more information about Prefix, see GetBucket (ListObjects).

Version

Version defines the version of the policy. In the preceding example, Version is set to 1.

Statement

One policy can contain multiple Statements. Each Statement describes an Action, Effect, Resource, and Condition. For each request, the system finds the Statements that match it. Matched Statements can have Effect set to Allow or Deny, and Deny takes precedence: if every matched Statement has Effect set to Allow, the request passes the authorization check; if any matched Statement has Effect set to Deny, or no Statement matches the request at all, the request is denied.

Action

Action supports the following operations:

  • Service operations: correspond to the GetService operation, which is used to list all buckets owned by the user.
  • Bucket operations: correspond to operations such as oss:PutBucketAcl and oss:GetBucketLocation on buckets. The names of operations correspond to those of the actions.
  • Object operations: correspond to operations such as oss:GetObject, oss:PutObject, oss:DeleteObject, and oss:AbortMultipartUpload on objects.

You can select one or more of these actions to perform operations on the specified resources. All actions must be prefixed with oss:, as shown in the preceding example, and Action can list multiple actions. The following table describes the mapping between API operations and actions.

  • Service
    API | Action
    GetService (ListBuckets) | oss:ListBuckets
  • Bucket
    API | Action
    PutBucket | oss:PutBucket
    GetBucket (ListObjects) | oss:ListObjects
    GetBucketVersions (ListObjectVersions) | oss:ListObjectVersions
    PutBucketVersioning | oss:PutBucketVersioning
    GetBucketVersioning | oss:GetBucketVersioning
    PutBucketAcl | oss:PutBucketAcl
    GetBucketAcl | oss:GetBucketAcl
    DeleteBucket | oss:DeleteBucket
    GetBucketLocation | oss:GetBucketLocation
    GetBucketInfo | oss:GetBucketInfo
    GetBucketLogging | oss:GetBucketLogging
    PutBucketLogging | oss:PutBucketLogging
    DeleteBucketLogging | oss:DeleteBucketLogging
    GetBucketWebsite | oss:GetBucketWebsite
    PutBucketWebsite | oss:PutBucketWebsite
    DeleteBucketWebsite | oss:DeleteBucketWebsite
    GetBucketReferer | oss:GetBucketReferer
    PutBucketReferer | oss:PutBucketReferer
    GetBucketLifecycle | oss:GetBucketLifecycle
    PutBucketLifecycle | oss:PutBucketLifecycle
    DeleteBucketLifecycle | oss:DeleteBucketLifecycle
    ListMultipartUploads | oss:ListMultipartUploads
    ListParts | oss:ListParts
    PutBucketCors | oss:PutBucketCors
    GetBucketCors | oss:GetBucketCors
    DeleteBucketCors | oss:DeleteBucketCors
    PutBucketPolicy | oss:PutBucketPolicy
    GetBucketPolicy | oss:GetBucketPolicy
    DeleteBucketPolicy | oss:DeleteBucketPolicy
    PutBucketTags | oss:PutBucketTagging
    GetBucketTags | oss:GetBucketTagging
    DeleteBucketTags | oss:DeleteBucketTagging
    PutBucketEncryption | oss:PutBucketEncryption
    GetBucketEncryption | oss:GetBucketEncryption
    DeleteBucketEncryption | oss:DeleteBucketEncryption
    PutBucketRequestPayment | oss:PutBucketRequestPayment
    GetBucketRequestPayment | oss:GetBucketRequestPayment
    PutBucketReplication | oss:PutBucketReplication
    GetBucketReplication | oss:GetBucketReplication
    DeleteBucketReplication | oss:DeleteBucketReplication
    GetBucketReplicationLocation | oss:GetBucketReplicationLocation
    GetBucketReplicationProgress | oss:GetBucketReplicationProgress
  • Object
    API | Action
    PutObject | oss:PutObject
    PostObject | oss:PutObject
    InitiateMultipartUpload | oss:PutObject
    UploadPart | oss:PutObject
    CompleteMultipartUpload | oss:PutObject
    AppendObject | oss:PutObject
    PutSymlink | oss:PutObject
    GetObject | oss:GetObject
    HeadObject | oss:GetObject
    GetObjectMeta | oss:GetObject
    SelectObject | oss:GetObject
    GetSymlink | oss:GetObject
    DeleteObject | oss:DeleteObject
    DeleteMultipleObjects | oss:DeleteObject
    CopyObject | oss:GetObject, oss:PutObject
    UploadPartCopy | oss:GetObject, oss:PutObject
    GetObjectAcl | oss:GetObjectAcl
    PutObjectAcl | oss:PutObjectAcl
    RestoreObject | oss:RestoreObject
    PutObjectTagging | oss:PutObjectTagging
    GetObjectTagging | oss:GetObjectTagging
    DeleteObjectTagging | oss:DeleteObjectTagging
    GetObject (with versionId specified in the request) | oss:GetObjectVersion
    PutObjectACL (with versionId specified in the request) | oss:PutObjectVersionAcl
    GetObjectAcl (with versionId specified in the request) | oss:GetObjectVersionAcl
    RestoreObject (with versionId specified in the request) | oss:RestoreObjectVersion
    DeleteObject (with versionId specified in the request) | oss:DeleteObjectVersion
    PutObjectTagging (with versionId specified in the request) | oss:PutObjectVersionTagging
    GetObjectTagging (with versionId specified in the request) | oss:GetObjectVersionTagging
    DeleteObjectTagging (with versionId specified in the request) | oss:DeleteObjectVersionTagging
    PutLiveChannel | oss:PutLiveChannel
    ListLiveChannel | oss:ListLiveChannel
    DeleteLiveChannel | oss:DeleteLiveChannel
    PutLiveChannelStatus | oss:PutLiveChannelStatus
    GetLiveChannelInfo | oss:GetLiveChannel
    GetLiveChannelStat | oss:GetLiveChannelStat
    GetLiveChannelHistory | oss:GetLiveChannelHistory
    PostVodPlaylist | oss:PostVodPlaylist
    GetVodPlaylist | oss:GetVodPlaylist
    ImgSaveAs | oss:PostProcessTask
    AbortMultipartUpload | oss:AbortMultipartUpload

Resource

Resource specifies the OSS resources that users can access. Asterisks (*) can be used as wildcards. The format is acs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name}. For operations on buckets, the forward slash (/) and {object_name} are omitted, for example acs:oss:{region}:{bucket_owner}:{bucket_name}. Resource can list multiple resources. Set the region field to an asterisk (*) rather than a specific region.

Effect

Effect specifies the authorization result of the Statement. Valid values: Allow and Deny. Matched Statements where Effect is set to Deny take precedence.

The following code provides an example of how to prevent users from deleting objects in a specified directory while still granting full permissions on the other objects. The Allow statement lists both the bucket ARN and bucketname/*, because the bucket ARN alone does not cover the objects in the bucket:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:*"
      ],
      "Resource": [
        "acs:oss:*:*:bucketname",
        "acs:oss:*:*:bucketname/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "oss:DeleteObject"
      ],
      "Resource": [
        "acs:oss:*:*:bucketname/index/*"
      ]
    }
  ]
}

Condition

Condition specifies the conditions under which the Statement applies. The preceding example specifies the acs:UserAgent, acs:SourceIp, and oss:Prefix fields, which the system checks against each request.

The following table describes the conditions supported by OSS.

Condition | Description | Valid value
acs:SourceIp | The IP address or CIDR block from which the request is sent. | A regular IP address or CIDR block. If you set this field to the wildcard asterisk (*), access from all addresses is allowed.
acs:UserAgent | The User-Agent HTTP header of the request. | A value of the String type.
acs:CurrentTime | The time at which the request is received. | A time in the ISO 8601 format.
acs:SecureTransport | Whether HTTPS is used to access the specified resource. | true or false.
oss:Prefix | The prefix that returned object names must contain when objects are listed. | A valid object name prefix.

Note: To deny access over HTTP, add the following policy, where Effect is set to Deny. To limit the denial to specific actions or resources, narrow the Action and Resource fields.
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "oss:*"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "acs:SecureTransport": [
                        "true"
                    ]
                }
            }
        }
    ]
}
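As an added example that is not part of Alibaba Cloud's documentation or SDKs, the following Python script models the evaluation rules described in the Statement, Resource, Effect, and Condition sections: Action and Resource matching with asterisk wildcards, a matching Deny overriding any Allow, implicit denial when no Statement matches, and the StringEquals, StringNotEquals, and IpAddress condition operators. It evaluates the complex policy from this page and a combined policy made of the no-delete-on-index/ example (with bucketname/* added to the Allow, since the bucket ARN alone does not cover objects) plus the HTTPS-only Deny above. The account ID 123456, the region and the object keys in the sample requests are constructed values, and evaluate() is this example's own name; it is an offline model for reasoning about a policy before it is attached, not a replacement for the service's own authorization.

```python
import ipaddress
import re


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern, value):
    """Match a policy string against a request value; '*' is the only wildcard."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition, request):
    """Every operator/key pair must hold. A key absent from the request never
    satisfies StringEquals or IpAddress, but does satisfy StringNotEquals, so a
    Deny keyed on StringNotEquals still applies when the attribute is missing."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            have = request.get(key)
            wanted = _as_list(wanted)
            if operator == "StringEquals":
                ok = have in wanted
            elif operator == "StringNotEquals":
                ok = have not in wanted
            elif operator == "IpAddress":
                # "*" allows every source; otherwise the address must fall in a listed block
                ok = have is not None and any(
                    w == "*" or ipaddress.ip_address(have) in ipaddress.ip_network(w, strict=False)
                    for w in wanted)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, request):
    """Return "Allow" or "Deny" for a request dict holding "action", "resource"
    and any condition keys (acs:SourceIp, acs:UserAgent, oss:Prefix, ...)."""
    allowed = False
    for st in policy["Statement"]:
        if not any(_wild(a, request["action"]) for a in _as_list(st["Action"])):
            continue
        if not any(_wild(r, request["resource"]) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), request):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # a matching Deny wins over any Allow
        allowed = True
    return "Allow" if allowed else "Deny"  # nothing matched: implicit deny


# The complex policy from this page, copied as-is.
COMPLEX_POLICY = {"Version": "1", "Statement": [
    {"Action": ["oss:GetBucketAcl", "oss:ListObjects"],
     "Resource": ["acs:oss:*:1775305056529849:mybucket"], "Effect": "Allow",
     "Condition": {"StringEquals": {"acs:UserAgent": "java-sdk", "oss:Prefix": "foo"},
                   "IpAddress": {"acs:SourceIp": "192.168.0.1"}}},
    {"Action": ["oss:PutObject", "oss:GetObject", "oss:DeleteObject"],
     "Resource": ["acs:oss:*:1775305056529849:mybucket/file*"], "Effect": "Allow",
     "Condition": {"IpAddress": {"acs:SourceIp": "192.168.0.1"}}}]}

# Full access except deleting under index/, plus the HTTPS-only Deny from the
# Condition section (constructed combination of the two examples on this page).
GUARDED_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:*"],
     "Resource": ["acs:oss:*:*:bucketname", "acs:oss:*:*:bucketname/*"]},
    {"Effect": "Deny", "Action": ["oss:DeleteObject"],
     "Resource": ["acs:oss:*:*:bucketname/index/*"]},
    {"Effect": "Deny", "Action": ["oss:*"], "Resource": ["*"],
     "Condition": {"StringNotEquals": {"acs:SecureTransport": ["true"]}}}]}


if __name__ == "__main__":
    req = {"action": "oss:DeleteObject", "acs:SecureTransport": "true",
           "resource": "acs:oss:cn-hangzhou:123456:bucketname/index/home.html"}
    print(evaluate(GUARDED_POLICY, req))  # Deny: the explicit Deny wins over oss:*
    req["resource"] = "acs:oss:cn-hangzhou:123456:bucketname/logs/a.txt"
    print(evaluate(GUARDED_POLICY, req))  # Allow
```

Two behaviours worth noticing when you run it: a request that omits oss:Prefix or arrives from another address fails the first Statement of the complex policy and is denied because nothing else matches, and a request that does not carry acs:SecureTransport at all is denied by the HTTPS-only Statement, which is the conservative reading of StringNotEquals.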

Best practices

OSS provides RAM Policy Editor to generate required RAM policies. For more information, see RAM Policy Editor. You can also use the graphical management tool ossbrowser to grant RAM users permissions on specific buckets or directories with a single click. For more information, see the "Grant permissions with a simple policy" section in Permission management.

For more information about scenario-specific authorization policy configuration examples, see Tutorial: Use RAM Policy to control access to buckets and folders.