Bucket policies are resource-based authorization policies. Bucket owners can use bucket policies to authorize other users to access the specified resource in Object Storage Service (OSS). This topic describes how to run the bucket-policy command to add, modify, query, or delete bucket policy configurations for a bucket.

Add or modify bucket policies

Before you add or modify bucket policies for a bucket, you must create a JSON file on your local device, and configure bucket policies in the JSON file. You can configure multiple bucket policies in a single JSON file. However, the total size of the bucket policies cannot exceed 16 KB.

When you add or modify bucket policies, ossutil reads the bucket policies from the JSON file and applies them to the specified bucket. A put replaces the entire existing policy: every statement that is not in the JSON file is removed, so the file must contain all statements you want to keep, not only the new ones.

  • Command syntax
    ./ossutil64 bucket-policy --method put oss://bucketname local_json_file

    The following table describes the parameters that you can configure when you run this command to add or modify bucket policies.

    Parameter Description
    bucketname The name of the bucket for which you want to add or modify bucket policies.
    local_json_file The name of the local JSON file in which you configure bucket policies.
  • Examples
    1. Create a file named local_json_file on your local device and write different bucket policies based on different scenarios.

      The following examples show how to configure common bucket policies:

      • Allow anonymous requests from the specified IP address (10.10.10.10) to access all resources in a bucket named examplebucket. This is an Allow statement: it grants access from that address but does not by itself block requests from other addresses or from authenticated users who hold RAM permissions on the bucket.
        {
            "Statement": [
                {
                    "Action": [
                        "oss:GetObject",
                        "oss:GetObjectAcl",
                        "oss:ListObjects",
                        "oss:RestoreObject",
                        "oss:GetVodPlaylist",
                        "oss:ListObjectVersions",
                        "oss:GetObjectVersion",
                        "oss:GetObjectVersionAcl",
                        "oss:RestoreObjectVersion"
                    ],
                    "Condition": {
                        "IpAddress": {
                            "acs:SourceIp": [
                                "10.10.10.10"
                            ]
                        }
                    },
                    "Effect": "Allow",
                    "Principal": [
                        "*"
                    ],
                    "Resource": [
                        "acs:oss:*:1746495857602745:examplebucket/*"
                    ]
                },
                {
                    "Action": [
                        "oss:ListObjects",
                        "oss:GetObject"
                    ],
                    "Condition": {
                        "StringLike": {
                            "oss:Prefix": [
                                "*"
                            ]
                        },
                        "IpAddress": {
                            "acs:SourceIp": [
                                "10.10.10.10"
                            ]
                        }
                    },
                    "Effect": "Allow",
                    "Principal": [
                        "*"
                    ],
                    "Resource": [
                        "acs:oss:*:1746495857602745:examplebucket"
                    ]
                }
            ],
            "Version": "1"
        }
      • Grant the specified Resource Access Management (RAM) user read-only permissions on the hangzhou/2020 and hangzhou/2015 directories in a bucket named examplebucket.
        {
            "Statement": [
                {
                    "Action": [
                        "oss:GetObject",
                        "oss:GetObjectAcl",
                        "oss:ListObjects",
                        "oss:RestoreObject",
                        "oss:GetVodPlaylist",
                        "oss:ListObjectVersions",
                        "oss:GetObjectVersion",
                        "oss:GetObjectVersionAcl",
                        "oss:RestoreObjectVersion"
                    ],
                    "Effect": "Allow",
                    "Principal": [
                        "202147604049359142"
                    ],
                    "Resource": [
                        "acs:oss:*:174649585760****:examplebucket/hangzhou/2020/*",
                        "acs:oss:*:174649585760****:examplebucket/hangzhou/2015/*"
                    ]
                },
                {
                    "Action": [
                        "oss:ListObjects",
                        "oss:GetObject"
                    ],
                    "Condition": {
                        "StringLike": {
                            "oss:Prefix": [
                                "hangzhou/2020/*",
                                "hangzhou/2015/*"
                            ]
                        }
                    },
                    "Effect": "Allow",
                    "Principal": [
                        "202147604049359142"
                    ],
                    "Resource": [
                        "acs:oss:*:174649585760****:examplebucket"
                    ]
                }
            ],
            "Version": "1"
        }
      • Deny all requests, including anonymous ones, to all the objects in the hangzhou/2021/ directory of a bucket named examplebucket. Principal "*" matches every requester, so this Deny also applies to authenticated users.
        {
            "Statement": [
                {
                    "Action": [
                        "oss:RestoreObject",
                        "oss:ListObjects",
                        "oss:AbortMultipartUpload",
                        "oss:PutObjectAcl",
                        "oss:GetObjectAcl",
                        "oss:ListParts",
                        "oss:DeleteObject",
                        "oss:PutObject",
                        "oss:GetObject",
                        "oss:GetVodPlaylist",
                        "oss:PostVodPlaylist",
                        "oss:PublishRtmpStream",
                        "oss:ListObjectVersions",
                        "oss:GetObjectVersion",
                        "oss:GetObjectVersionAcl",
                        "oss:RestoreObjectVersion"
                    ],
                    "Effect": "Deny",
                    "Principal": [
                        "*"
                    ],
                    "Resource": [
                        "acs:oss:*:174649585760****:examplebucket/hangzhou/2021/*"
                    ]
                },
                {
                    "Action": [
                        "oss:ListObjects",
                        "oss:GetObject"
                    ],
                    "Condition": {
                        "StringLike": {
                            "oss:Prefix": [
                                "hangzhou/2021/*"
                            ]
                        }
                    },
                    "Effect": "Deny",
                    "Principal": [
                        "*"
                    ],
                    "Resource": [
                        "acs:oss:*:174649585760****:examplebucket"
                    ]
                }
            ],
            "Version": "1"
        }
    2. Add a bucket policy to examplebucket.
      ./ossutil64 bucket-policy --method put oss://examplebucket local_json_file

      If a similar output is displayed, the bucket policy is added to examplebucket:

      1.125101(s) elapsed

Query bucket policies

  • Command syntax
    ./ossutil64 bucket-policy --method get oss://bucketname local_json_file
    Parameter Description
    bucketname The name of the bucket whose policies you want to query.
    local_json_file The local JSON file that is used to store the obtained bucket policies. If this parameter is not specified, obtained bucket policies are displayed without being stored in the JSON file.
  • Examples

    You can run the following commands to query the bucket policies configured for a bucket named examplebucket:

    ./ossutil64 bucket-policy --method get oss://examplebucket

    If a similar output is displayed, the bucket policies of examplebucket are obtained. Because local_json_file is not specified in this command, the policies are displayed in the terminal rather than written to a file:

    0.212407(s) elapsed
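Because a put replaces the whole policy and ossutil does not validate the file beyond what OSS rejects, it is worth checking the JSON before it is applied. The following script is an added example, not part of ossutil or the OSS documentation: it lints a policy file against the constraints stated above (one JSON document, at most 16 KB, Version "1", required fields, resources that name the target bucket) and flags Allow statements for Principal "*" that carry no Condition. It also compares the policy currently on the bucket (the text that `--method get` writes to local_json_file) with the file about to be put and lists the statements the put would silently drop. The sample policies, bucket name, masked UID and IP address are constructed placeholders.

```python
"""Lint an OSS bucket-policy JSON file before `ossutil64 bucket-policy --method put`.

Added example, not ossutil's own code. The checks follow the constraints the
documentation states; the sample policies below are constructed for the example.
"""
import json

MAX_POLICY_BYTES = 16 * 1024  # size limit stated in the documentation


def parse_resource(arn):
    """Split 'acs:oss:<region>:<uid>:<bucket>[/<key-pattern>]' into (bucket, key_pattern).

    Returns None for anything that is not an OSS resource ARN.
    """
    parts = arn.split(":", 4)
    if len(parts) != 5 or parts[0] != "acs" or parts[1] != "oss":
        return None
    bucket, _, key = parts[4].partition("/")
    return bucket, key  # key == "" for a bucket-level resource


def lint_policy(text, bucket):
    """Return a list of findings for the policy text; an empty list means nothing to flag."""
    findings = []
    if len(text.encode("utf-8")) > MAX_POLICY_BYTES:
        findings.append("policy exceeds 16 KB and will be rejected")
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return findings + [f"invalid JSON: {exc}"]
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["Statement must be a non-empty list"]
    for i, st in enumerate(statements):
        tag = f"statement {i}"
        for field in ("Effect", "Action", "Principal", "Resource"):
            if field not in st:
                findings.append(f"{tag}: missing {field}")
        if st.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{tag}: Effect must be Allow or Deny")
        # An Allow for every principal with no Condition is a public grant.
        if st.get("Effect") == "Allow" and "*" in st.get("Principal", []) and "Condition" not in st:
            findings.append(f"{tag}: Allow for Principal * without a Condition makes the resource public")
        for arn in st.get("Resource", []):
            parsed = parse_resource(arn)
            if parsed is None:
                findings.append(f"{tag}: malformed Resource {arn}")
            elif parsed[0] != bucket:
                findings.append(f"{tag}: Resource {arn} names bucket {parsed[0]}, not {bucket}")
    return findings


def canonical(statement):
    """Stable serialization so statements can be compared regardless of key order."""
    return json.dumps(statement, sort_keys=True, separators=(",", ":"))


def statements_dropped_by_put(current_text, new_text):
    """Statements present on the bucket now but absent from the file about to be put.

    put replaces the whole policy, so every statement returned here would be removed.
    """
    current = {canonical(s) for s in json.loads(current_text).get("Statement", [])}
    new = {canonical(s) for s in json.loads(new_text).get("Statement", [])}
    return [json.loads(s) for s in sorted(current - new)]


# Constructed sample: what `--method get` would return for the bucket today,
# modeled on the IP-restricted and Deny examples in this topic (UID masked).
CURRENT_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Principal": ["*"],
         "Action": ["oss:GetObject", "oss:ListObjects"],
         "Condition": {"IpAddress": {"acs:SourceIp": ["10.10.10.10"]}},
         "Resource": ["acs:oss:*:174649585760****:examplebucket/*"]},
        {"Effect": "Deny", "Principal": ["*"],
         "Action": ["oss:GetObject"],
         "Resource": ["acs:oss:*:174649585760****:examplebucket/hangzhou/2021/*"]},
    ],
})

# Constructed sample: a replacement file with three problems. The Deny is gone,
# the Allow lost its Condition, and one Resource names a different bucket.
NEW_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Principal": ["*"],
         "Action": ["oss:GetObject", "oss:ListObjects"],
         "Resource": ["acs:oss:*:174649585760****:examplebucket/*",
                      "acs:oss:*:174649585760****:otherbucket/*"]},
    ],
})

if __name__ == "__main__":
    for finding in lint_policy(NEW_POLICY, "examplebucket"):
        print("lint:", finding)
    for st in statements_dropped_by_put(CURRENT_POLICY, NEW_POLICY):
        print("put would drop:", canonical(st))
```

In practice, run `./ossutil64 bucket-policy --method get oss://examplebucket current.json` first, pass the contents of current.json and the new file to `statements_dropped_by_put`, and only run the put when the dropped list contains nothing you still need and `lint_policy` returns no findings.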

Delete bucket policies

If you no longer need to use bucket policies to authorize other users to access your OSS resources, delete the configured bucket policies.

  • Command syntax
    ./ossutil64 bucket-policy --method delete oss://bucketname
  • Examples

    You can run the following command to delete all bucket policies configured for a bucket named examplebucket:

    ./ossutil64 bucket-policy --method delete oss://examplebucket
    If a similar output is displayed, all bucket policies configured for examplebucket are deleted:
    0.530750(s) elapsed

Common options

When you use ossutil to manage buckets that are located in different regions, you can add the -e option to use the endpoint of the region in which the specified bucket is located. When you use ossutil to manage buckets that are owned by multiple Alibaba Cloud accounts, you can add the -i option to commands to use the AccessKey ID of the specified Alibaba Cloud account and add the -k option to use the AccessKey secret of the specified Alibaba Cloud account.

For example, you can run the following command to configure a bucket policy for a bucket named examplebucket, which is located in the China (Hangzhou) region and is owned by another Alibaba Cloud account:
./ossutil64 bucket-policy --method put oss://examplebucket local_json_file -e oss-cn-hangzhou.aliyuncs.com -i LTAI4Fw2NbDUCV8zYUzA****  -k 67DLVBkH7EamOjy2W5RVAHUY9H****

For more information about other common options that you can use for the bucket-policy command, see Common options.