This topic uses an example RAM policy to show how to grant read access to objects under a specified path in OSS.

In this example, the bucket that stores photos is named myphotos. The bucket contains directories that indicate the places where the photos were taken. Each directory contains subdirectories that indicate the years when the photos were taken.

myphotos[Bucket]
  ├── beijing
  │   ├── 2014
  │   └── 2015
  ├── hangzhou
  │   ├── 2013
  │   ├── 2014
  │   └── 2015
  └── qingdao
      ├── 2014
      └── 2015

The following policy indicates that the authorized RAM user can read data from the myphotos/hangzhou/2015/ directory, but cannot list objects.

Note: This policy assumes that the RAM user already knows the path of the object that it reads, because the user cannot list objects to discover paths. We recommend that you attach this policy to your applications.
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "oss:GetObject"
            ],
            "Resource": [
                "acs:oss:*:*:myphotos/hangzhou/2015/*"
            ]
        }
    ]
}
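
The following added example (not part of the original topic and not Alibaba Cloud code) checks the scope of the policy above with a simplified evaluator: explicit Deny wins, then Allow, otherwise the request is implicitly denied. The function names, the region, and the account ID are assumptions made for illustration, and Condition blocks are not modelled.

```python
import json
import re

# The policy from this page, embedded verbatim.
POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["oss:GetObject"],
     "Resource": ["acs:oss:*:*:myphotos/hangzhou/2015/*"]}
  ]
}
""")

# Constructed region and account ID, used only to build sample resource names.
ARN_PREFIX = "acs:oss:oss-cn-hangzhou:1234567890123456:"


def _matches(pattern, value):
    """Wildcard match: '*' is any run of characters, '?' is one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified model: explicit Deny wins, then Allow, else implicit deny.
    Condition blocks and other attached policies are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(_matches(a, action) for a in _as_list(stmt["Action"]))
               and any(_matches(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed


if __name__ == "__main__":
    for action, path in [
        ("oss:GetObject", "myphotos/hangzhou/2015/a.jpg"),   # in scope
        ("oss:GetObject", "myphotos/hangzhou/2014/a.jpg"),   # wrong year
        ("oss:PutObject", "myphotos/hangzhou/2015/a.jpg"),   # write not granted
        ("oss:ListObjects", "myphotos"),                     # listing not granted
    ]:
        print(action, path, is_allowed(POLICY, action, ARN_PREFIX + path))
```

Running the same checks against a policy before you attach it is a quick way to confirm that it grants no more than the intended path and action.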