
Object Storage Service:Tutorial: Authorize a RAM user in another Alibaba Cloud account by adding a bucket policy

Last Updated: Mar 08, 2024

By default, access to Object Storage Service (OSS) resources is restricted to the owner. To allow your partners to access your OSS resources, you can grant them the permissions to access your bucket by adding a bucket policy.

Background information

For example, Company A wants to authorize Company B to access the OSS resources of Company A, but does not want to hand Company B the credentials of a RAM user in Company A's account. In this case, Company A can add a bucket policy that grants access to a RAM user that belongs to Company B's own Alibaba Cloud account. After the bucket policy is added, the RAM user of Company B can access the bucket of Company A by adding the path of the bucket as a favorite path in the OSS console.

Add a bucket policy

Company A can perform the following steps to authorize Company B to access the bucket by adding a bucket policy:

  1. Obtain the UID of the RAM user of the Alibaba Cloud account of Company B.

    1. Log on to the RAM console.

    2. In the left-side navigation pane, choose Identities > Users.

    3. On the Users page, click Create User.

    4. On the Create User page, configure the Logon Name and Display Name parameters in the User Account Information section, select Console Access for Access Mode, keep the default settings for other parameters, and then click OK.

    5. On the Users page, click the username of the RAM user to view and record the UID of the RAM user in the Basic Information section.

  2. Grant the RAM user of the Alibaba Cloud account of Company B the permissions to access the bucket of Company A.

    1. Log on to the OSS console.

    2. In the left-side navigation pane, click Buckets. On the Buckets page, find and click the desired bucket.

    3. In the left-side navigation pane, choose Permission Control > Bucket Policy.

    4. On the Add in GUI tab of the Bucket Policy page, click Authorize.

    5. In the Authorize panel, configure the parameters. Set Authorized User to Other Accounts, and enter the UID of the RAM user of Company B. For more information about how to configure other parameters, see Configure bucket policies to authorize other users to access OSS resources.

    6. Click OK.
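The Authorize panel in the step above generates a bucket policy document behind the scenes. The following Python is an added example (not from this page or from Alibaba Cloud's own documentation): it builds the least-privilege policy for this scenario, read-only access to one directory for a single RAM user UID, and flags common over-grants before the policy is applied. It assumes the OSS bucket policy layout (Version "1", statements with Effect/Action/Principal/Resource, acs:oss resource names); the UIDs, bucket and directory names are constructed placeholders.

```python
import json
import re

# Constructed placeholder IDs; replace with the values recorded in the RAM and OSS consoles.
BUCKET_OWNER_UID = "<Company A account ID>"
RAM_USER_UID = "<UID of Company B RAM user>"
BUCKET = "examplebucket"
PREFIX = "examplefolder/"


def build_read_only_policy(owner_uid, ram_user_uid, bucket, prefix):
    """OSS-format policy giving one foreign RAM user read-only access to one directory."""
    bucket_arn = f"acs:oss:*:{owner_uid}:{bucket}"
    return {
        "Version": "1",
        "Statement": [
            {  # read objects under the authorized directory only
                "Effect": "Allow",
                "Action": ["oss:GetObject"],
                "Principal": [ram_user_uid],
                "Resource": [f"{bucket_arn}/{prefix}*"],
            },
            {  # list the bucket, restricted to that directory via the oss:Prefix condition
                "Effect": "Allow",
                "Action": ["oss:ListObjects"],
                "Principal": [ram_user_uid],
                "Resource": [bucket_arn],
                "Condition": {"StringLike": {"oss:Prefix": [f"{prefix}*"]}},
            },
        ],
    }


def policy_findings(policy):
    """Return over-grant warnings to review before pasting the policy into the console."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "*" in st.get("Principal", []):
            findings.append(f"statement {i}: Principal '*' allows anonymous access")
        if any(a in ("*", "oss:*") for a in st.get("Action", [])):
            findings.append(f"statement {i}: wildcard Action also grants write/delete")
        for res in st.get("Resource", []):
            # whole-account (':*') or whole-bucket ('bucket/*') grants are wider than a prefix
            if res.endswith(":*") or re.fullmatch(r"acs:oss:\*:[^:]+:[^/]+/\*", res):
                findings.append(f"statement {i}: Resource {res} is wider than one directory")
    return findings


if __name__ == "__main__":
    policy = build_read_only_policy(BUCKET_OWNER_UID, RAM_USER_UID, BUCKET, PREFIX)
    print(json.dumps(policy, indent=2), policy_findings(policy) or "no findings")
```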

Log on to the OSS console as the RAM user of Company B and add the access path

After the bucket policy is added, you must log on to the OSS console as the RAM user of Company B and add the access path of the bucket of Company A. To add the access path, perform the following steps:

  1. Log on to the Alibaba Cloud Management Console as the RAM user of Company B by using the RAM User logon link.

  2. Log on to the OSS console.

  3. In the left-side navigation pane, click the plus sign (+) on the right of Favorite Paths.

  4. In the Add Favorite Paths dialog box, configure the following parameters:

    Adding Method: Select Add from other authorized buckets to add a bucket that the current Alibaba Cloud account has been authorized to access.

    Region: Select the region of the bucket of Company A from the drop-down list.

    File Path: Specify the path of the objects in the bucket of Company A that you are authorized to access. For example, if you are authorized to access only objects or subdirectories in the examplefolder directory of a bucket named examplebucket that belongs to Company A, enter oss://examplebucket/examplefolder/.

    Pay-by-requester: If pay-by-requester is enabled for the bucket that you are authorized to access and you are not the owner of the bucket, select I understand and agree. Otherwise, the AccessDenied error is returned when you access the resources specified by File Path. If you select Pay-by-requester, you are charged for the traffic and requests that are generated when you access those resources. For more information, see Enable pay-by-requester.

  5. Click OK.

You can also obtain an AccessKey pair for the RAM user and use it to log on to ossutil or ossbrowser to access the authorized bucket.