This topic uses two example policies to demonstrate how to authorize a RAM user to list and read resources in a bucket.

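  • The following policy allows the authorized RAM user to list and read resources in the myphotos bucket by using Object Storage Service (OSS) SDKs or the OSS CLI. The oss:ListObjects action is granted on the bucket itself (myphotos), and the oss:GetObject action is granted on the objects in the bucket (myphotos/*).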
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "oss:ListObjects",
                "Resource": "acs:oss:*:*:myphotos"
            },
            {
                "Effect": "Allow",
                "Action": "oss:GetObject",
                "Resource": "acs:oss:*:*:myphotos/*"
            }
        ]
    }
  • The following policy allows the authorized RAM user to list and read resources in the myphotos bucket by using the OSS console.
    Note: When you log on to the OSS console, the ListBuckets, GetBucketAcl, and GetObjectAcl API operations are automatically called to determine whether the bucket is public or private.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListBuckets",
                    "oss:GetBucketStat",
                    "oss:GetBucketInfo",
                    "oss:GetBucketTagging",
                    "oss:GetBucketAcl"
                ],
                "Resource": "acs:oss:*:*:*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListObjects",
                    "oss:GetBucketAcl"
                ],
                "Resource": "acs:oss:*:*:myphotos"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:GetObject",
                    "oss:GetObjectAcl"
                ],
                "Resource": "acs:oss:*:*:myphotos/*"
            }
        ]
    }
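To check what the first policy (SDK and CLI access) actually grants, the following added example, which is not part of the original documentation or of any Alibaba Cloud tool, evaluates sample requests against it. It assumes a simplified evaluation model (explicit Deny wins, then Allow, otherwise implicit deny; only `*` is a wildcard; no Condition support), and the region, account ID, and object names are constructed placeholders.

```python
import json
import re

# First policy on this page (SDK / CLI access), embedded as JSON text.
SDK_POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": "oss:ListObjects", "Resource": "acs:oss:*:*:myphotos"},
  {"Effect": "Allow", "Action": "oss:GetObject", "Resource": "acs:oss:*:*:myphotos/*"}
]}
""")
# Constructed ARN prefix: the region and account ID are placeholders.
ARN = "acs:oss:cn-hangzhou:1234567890:"


def _as_list(value):
    # "Action" and "Resource" may be one string or a list of strings.
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, value):
    # Assumption: "*" is the only wildcard and matches any run of characters.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, resource):
    """Simplified model: explicit Deny wins, then Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(_matches(a, action) for a in _as_list(stmt["Action"]))
               and any(_matches(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed


if __name__ == "__main__":
    # Constructed sample requests against the policy above.
    for action, name in [("oss:ListObjects", "myphotos"),
                         ("oss:GetObject", "myphotos/holiday/cat.jpg"),
                         ("oss:PutObject", "myphotos/holiday/cat.jpg"),
                         ("oss:GetObject", "otherbucket/a.txt"),
                         ("oss:GetObject", "myphotos-backup/a.txt")]:
        verdict = "ALLOW" if is_allowed(SDK_POLICY, action, ARN + name) else "DENY"
        print(f"{verdict:5} {action:16} {ARN}{name}")
```

The last request is denied because the object resource ends in `myphotos/*`: the slash before the wildcard keeps the grant inside the myphotos bucket, whereas a resource written as `myphotos*` would also match a bucket such as the constructed `myphotos-backup`.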