The ACL for an OSS resource is private by default. To allow another user to access your OSS resources, you can grant permissions for the user to access your bucket by adding a bucket policy.

For example: Company A wants its partner, company B, to access its OSS resources, but company A does not want to create a RAM user under its Alibaba Cloud account for this requirement. In this case, company A can grant permissions for company B to access the bucket of company A by adding a bucket policy. After being authorized, company B can access an OSS resource owned by company A by adding the path of the resource in the OSS console.

Add a bucket policy for the RAM user of company B

  • Follow these steps by using the Alibaba Cloud account of company B:
    1. Log on to the RAM console and create a RAM user. For more information, see Create a RAM user.
    2. In the RAM console, click Users.
    3. Click the created RAM user and record its UID.
  • Follow these steps using the Alibaba Cloud account of company A:
    1. Log on to the OSS console.
    2. In the left-side bucket list, click the name of the bucket that you want company B to access.
    3. Click Files > Authorize > Authorize.
    4. In the Authorize dialog box, enter the policy information. Select Other Account for Accounts, and enter the UID of the RAM user created by company B. For more information about other parameters, see Use bucket policies to authorize other users to access OSS resources.
    5. Click OK.

Log on to OSS with the RAM user of company B and add the resource path

After a bucket policy is added, you must log on to the OSS console with the RAM user of company B and add the access path of the OSS resource of company A. To add the access path, follow these steps:
  1. Log on to the Alibaba Cloud console with the RAM user of company B through the RAM user logon link.
  2. Open the OSS console.
  3. In the left-side menu, click "+" on the right of My OSS Paths. In the displayed Add Authorized OSS Path dialog box, add the following information:
    • Region: Select the region of the bucket that company A allows company B to access.
    • OSS path: Add the resource path that company A allows company B to access. The format of an OSS path is as follows: bucket/object-prefix. For example, if company A allows company B to access only the abc folder in the aliyun bucket, the OSS path is aliyun/abc.

You can also create an AccessKey for the RAM user, and use ossutil or ossbrowser with the AccessKey to access the authorized bucket.
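The grant described in the steps above, written as bucket policy JSON and checked for over-broad access. This is an added example, not code from the original page: the UIDs are constructed placeholders, the helper names `build_policy` and `audit` are hypothetical, and it assumes a read-only grant whose fields (Principal, Action, Resource, Condition) mirror what the Authorize dialog box collects.

```python
import json

OWNER_UID = "1000000000000001"    # company A account UID (constructed placeholder)
GRANTEE_UID = "2000000000000002"  # company B RAM user UID (constructed placeholder)

def build_policy(oss_path, grantee_uid, owner_uid):
    """Read-only bucket policy for an OSS path written as bucket/object-prefix."""
    bucket, _, prefix = oss_path.strip("/").partition("/")
    if not bucket or not prefix:
        raise ValueError("expected bucket/object-prefix, got %r" % oss_path)
    if not (grantee_uid.isdigit() and owner_uid.isdigit()):
        raise ValueError("UIDs must be numeric")
    arn = "acs:oss:*:%s:%s" % (owner_uid, bucket)
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": ["oss:GetObject"],      # read under prefix
         "Principal": [grantee_uid], "Resource": ["%s/%s/*" % (arn, prefix)]},
        {"Effect": "Allow", "Action": ["oss:ListObjects"],    # list only the prefix
         "Principal": [grantee_uid], "Resource": [arn],
         "Condition": {"StringLike": {"oss:Prefix": ["%s/*" % prefix]}}},
    ]}

def audit(policy):
    """Findings for Allow statements broader than a single-prefix, single-user grant."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        if "*" in st.get("Principal", []):
            findings.append("statement %d: Principal '*' allows any user" % i)
        if any(a in ("*", "oss:*") for a in actions):
            findings.append("statement %d: wildcard action" % i)
        for res in st.get("Resource", []):
            name = res.split(":", 4)[-1]          # bucket or bucket/key pattern
            if name.split("/", 1)[1:] == ["*"]:
                findings.append("statement %d: resource covers whole bucket" % i)
        conds = st.get("Condition", {})
        if "oss:ListObjects" in actions and not any(
                "oss:Prefix" in keys for keys in conds.values()):
            findings.append("statement %d: ListObjects without oss:Prefix" % i)
    return findings

if __name__ == "__main__":
    policy = build_policy("aliyun/abc", GRANTEE_UID, OWNER_UID)
    print(json.dumps(policy, indent=2))
    print(audit(policy) or "no findings")
```

Running `audit` over the policy currently attached to a bucket shows whether a partner grant has drifted from the single folder and single UID that were intended.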

References

You can also grant permissions for other users to access your OSS resources by using the following methods: