This topic describes how to manage the ACL of an object.

The following table describes the permissions included in the Access Control List (ACL) for an object.

| ACL | Description | Value |
| --- | --- | --- |
| Inherited from the bucket | The ACL of an object is the same as that of the bucket to which the object belongs. | default |
| Private | Only the bucket owner and authorized users have the read and write permissions on the object. | private |
| Public read | Only the bucket owner and authorized users have the read and write permissions on the object. Other users have only read permissions on the object. Exercise caution when you grant this permission. | public-read |
| Public read/write | All users have read and write permissions on the object. Exercise caution when you grant this permission. | public-read-write |

The ACL of an object takes precedence over the ACL of its bucket. For example, if the ACL of a bucket is private while the ACL of an object in it is public read/write, all users can read and write that object. If no ACL is configured for an object, its ACL is the same as that of its bucket by default.

Configure the ACL for an object

You can run the following code to configure an ACL for an object:

const OSS = require('ali-oss');

const store = new OSS({
  // Security risks may arise if you use the AccessKey pair of an Alibaba Cloud account to log on to OSS, because the account has permissions on all API operations. We recommend that you log on to the OSS console as a RAM user to call API operations or perform routine operations and maintenance. To create a RAM user, log on to https://ram.console.aliyun.com.
  accessKeyId: '<your access key>',
  accessKeySecret: '<your access secret>',
  bucket: '<your bucket name>',
  // The region in which the bucket is located.
  region: 'oss-cn-hangzhou'
});

// await is only valid inside an async function in a CommonJS module.
async function putObjectAcl() {
  // Set the ACL of the specified object to public read.
  await store.putACL('<object name>', 'public-read');
}

putObjectAcl();

Obtain the ACL of an object

You can run the following code to obtain the ACL for an object:

const OSS = require('ali-oss');

const store = new OSS({
  // Security risks may arise if you use the AccessKey pair of an Alibaba Cloud account to log on to OSS, because the account has permissions on all API operations. We recommend that you log on to the OSS console as a RAM user to call API operations or perform routine operations and maintenance. To create a RAM user, log on to https://ram.console.aliyun.com.
  accessKeyId: '<your access key>',
  accessKeySecret: '<your access secret>',
  bucket: '<your bucket name>',
  // The region in which the bucket is located.
  region: 'oss-cn-hangzhou'
});

// await is only valid inside an async function in a CommonJS module.
async function getObjectAcl() {
  // Obtain the ACL of the specified object.
  const result = await store.getACL('<object name>');
  console.log(result.acl);
}

getObjectAcl();
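
The following added example (not part of the original documentation or the SDK) applies the precedence rule described above to find objects whose effective ACL is more permissive than that of their bucket. The function names, the sample object names, and the stub client are assumptions made for illustration; the stub stands in for a client that provides getBucketACL() and getACL() so that the example runs offline.

```javascript
// Added example: names below (ACL_RANK, effectiveAcl, findWidened,
// auditObjectAcls, SAMPLE_ACLS, stubStore) are illustrative, not SDK APIs.
const ACL_RANK = { private: 0, 'public-read': 1, 'public-read-write': 2 };

// 'default' means the object inherits the bucket ACL; any other value
// set on the object takes precedence over the bucket ACL.
function effectiveAcl(bucketAcl, objectAcl) {
  return objectAcl === 'default' ? bucketAcl : objectAcl;
}

// Return the objects whose effective ACL is more permissive than the bucket's.
function findWidened(bucketAcl, objectAcls) {
  return Object.entries(objectAcls)
    .map(([name, objectAcl]) => ({ name, objectAcl, effective: effectiveAcl(bucketAcl, objectAcl) }))
    .filter((row) => ACL_RANK[row.effective] > ACL_RANK[bucketAcl]);
}

// Collect ACLs through a client exposing getBucketACL() and getACL(),
// as the ali-oss client does, then apply the check.
async function auditObjectAcls(store, bucketName, objectNames) {
  const { acl: bucketAcl } = await store.getBucketACL(bucketName);
  const objectAcls = {};
  for (const name of objectNames) {
    objectAcls[name] = (await store.getACL(name)).acl;
  }
  return findWidened(bucketAcl, objectAcls);
}

// Constructed sample data and a stub client so the example runs offline.
const SAMPLE_ACLS = {
  'reports/q1.pdf': 'default',
  'static/logo.png': 'public-read',
  'uploads/inbox.bin': 'public-read-write',
  'keys/backup.tar': 'private',
};
const stubStore = {
  getBucketACL: async () => ({ acl: 'private' }),
  getACL: async (name) => ({ acl: SAMPLE_ACLS[name] }),
};

auditObjectAcls(stubStore, 'example-bucket', Object.keys(SAMPLE_ACLS))
  .then((rows) => console.table(rows));
```

To run the check against a real bucket, pass the store client created in the preceding code in place of stubStore.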