
Object Storage Service: Manage object ACLs (PHP SDK V2)

Last Updated: Aug 05, 2025

This topic describes how to use PHP SDK V2 to set and query the access control lists (ACLs) of objects.

Usage notes

  • The sample code in this topic uses the public endpoint of the China (Hangzhou) region (cn-hangzhou). If you access OSS from other Alibaba Cloud products in the same region, use an internal endpoint. For more information about the mappings between OSS-supported regions and endpoints, see Regions and endpoints.

  • To set the ACL of an object, you must have the oss:PutObjectAcl permission. To query the ACL of an object, you must have the oss:GetObjectAcl permission. For more information, see Attach a custom policy to a RAM user.

Types of ACLs

The access control list (ACL) of an object can be one of the following four types:

| ACL | Description | Access permission value |
| --- | --- | --- |
| Inherit from bucket | Files inherit access permissions from the bucket. | oss.ObjectACLDefault |
| Private | Only the object owner and authorized users have read and write permissions on the object. Other users cannot access the object. | oss.ObjectACLPrivate |
| Public-read | Only the object owner and authorized users have read and write permissions on the object. Other users have only read permissions on the object. Exercise caution when you grant this permission. | ObjectACLPublicRead |
| Public-read-write | All users have read and write permissions on the object. Exercise caution when you grant this permission. | oss.ObjectACLPublicReadWrite |

The ACL of an object takes precedence over the ACL of the bucket in which the object is stored. For example, if the ACL of a bucket is private but the ACL of an object in the bucket is public-read-write, all users have read and write permissions on the object. If no ACL is configured for an object, the object inherits the ACL of the bucket.

Sample code

1. Set the ACL of an object

<?php

require_once __DIR__ . '/../vendor/autoload.php';

use AlibabaCloud\Oss\V2 as Oss;

$optsdesc = [
    "region" => ['help' => 'The region in which the bucket is located.', 'required' => True],
    "endpoint" => ['help' => 'The domain names that other services can use to access OSS.', 'required' => False],
    "bucket" => ['help' => 'The name of the bucket', 'required' => True],
    "key" => ['help' => 'The name of the object', 'required' => True],
];

// Create an array of long options, such as --region:, for getopt to parse.
$longopts = array_map(function ($key) {
    return "$key:";
}, array_keys($optsdesc));

// Parse the command line arguments.
$options = getopt("", $longopts);

// Check whether required parameters are missing.
foreach ($optsdesc as $key => $value) {
    if ($value['required'] === True && empty($options[$key])) {
        // If a required parameter is missing, print the help information and exit.
        $help = $value['help'];
        echo "Error: the following arguments are required: --$key, $help\n";
        exit(1);
    }
}

// Extract the parameter values.
$region = $options["region"];
$bucket = $options["bucket"];
$key = $options["key"];

// Load credentials (AccessKey ID and AccessKey secret) from environment variables.
$credentialsProvider = new Oss\Credentials\EnvironmentVariableCredentialsProvider();

// Load the default configurations and set the credential provider and region.
$cfg = Oss\Config::loadDefault();
$cfg->setCredentialsProvider($credentialsProvider);
$cfg->setRegion($region);

// If an endpoint is specified, set the custom endpoint.
if (isset($options["endpoint"])) {
    $cfg->setEndpoint($options["endpoint"]);
}

// Initialize the OSS client.
$client = new Oss\Client($cfg);

// Create a PutObjectAclRequest object, and set the bucket name, object key, and ACL type.
$request = new Oss\Models\PutObjectAclRequest($bucket, $key, Oss\Models\ObjectACLType::PUBLIC_READ);

// Send the request to set the ACL of the object to public-read.
$result = $client->putObjectAcl($request);

// Print the status code and request ID in the response.
// echo is used instead of printf because the values are data, not a format string.
echo 'status code:' . $result->statusCode . PHP_EOL .
    'request id:' . $result->requestId . PHP_EOL;

2. Query the ACL of an object

<?php

// Import the autoloader file to load dependency libraries.
require_once __DIR__ . '/../vendor/autoload.php';

use AlibabaCloud\Oss\V2 as Oss;

// Define the descriptions for command line parameters.
$optsdesc = [
    "region" => ['help' => 'The region in which the bucket is located', 'required' => True], // The region is a required parameter. It specifies the region where the bucket is located.
    "endpoint" => ['help' => 'The domain names that other services can use to access OSS', 'required' => False], // The endpoint is an optional parameter. It specifies the domain name that other services can use to access OSS.
    "bucket" => ['help' => 'The name of the bucket', 'required' => True], // The bucket name is a required parameter.
    "key" => ['help' => 'The name of the object', 'required' => True], // The object name is a required parameter.
];

// Generate a list of long options to parse command line arguments.
$longopts = \array_map(function ($key) {
    return "$key:"; // Add a colon (:) after each parameter to indicate that a value is required.
}, array_keys($optsdesc));

// Parse the command line arguments.
$options = getopt("", $longopts); 

// Check whether required parameters are missing.
foreach ($optsdesc as $key => $value) {
    if ($value['required'] === True && empty($options[$key])) {
        $help = $value['help'];
        echo "Error: the following arguments are required: --$key, $help\n"; // Prompt the user that a required parameter is missing.
        exit(1); 
    }
}

// Obtain the values of the command line parameters.
$region = $options["region"]; // The region where the bucket is located.
$bucket = $options["bucket"]; // The name of the bucket.
$key = $options["key"]; // The name of the object.

// Load credentials, including the AccessKey ID and AccessKey secret, from environment variables.
$credentialsProvider = new Oss\Credentials\EnvironmentVariableCredentialsProvider();

// Use the default configurations of the SDK.
$cfg = Oss\Config::loadDefault();

// Set the credential provider.
$cfg->setCredentialsProvider($credentialsProvider);

// Set the region.
$cfg->setRegion($region);

// If an endpoint is provided, set the endpoint.
if (isset($options["endpoint"])) {
    $cfg->setEndpoint($options["endpoint"]);
}

// Create an OSS client instance.
$client = new Oss\Client($cfg);

// Create a request object to query the ACL of the object.
$request = new Oss\Models\GetObjectAclRequest(bucket: $bucket, key: $key);

// Call the getObjectAcl method to query the ACL of the object.
$result = $client->getObjectAcl($request);

// Print the result.
// echo is used instead of printf because the values are data, not a format string.
echo 'status code:' . $result->statusCode . PHP_EOL . // The HTTP response status code.
    'request id:' . $result->requestId . PHP_EOL . // The unique ID of the request.
    'acl:' . $result->accessControlList->grant . PHP_EOL; // The ACL of the object.
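
Because an object ACL takes precedence over the bucket ACL, a private bucket can still contain publicly readable or writable objects. The following added example (not part of the original OSS documentation or SDK samples) combines the two calls above into an audit: it reads object keys from standard input, reports every object whose grant is public-read or public-read-write, and resets it to private when the `--fix` flag is given. Assumptions: `--fix` and the tab-separated output format are specific to this example, `Oss\Models\ObjectACLType::PRIVATE` is assumed to exist alongside the `PUBLIC_READ` constant used above, and the grant is assumed to be returned as the strings `public-read` and `public-read-write`.

```php
<?php
// Added example: audit object ACLs for public grants (not from the OSS documentation).
// Usage: php audit_acl.php --region cn-hangzhou --bucket <bucket> [--fix] < keys.txt
require_once __DIR__ . '/../vendor/autoload.php';
use AlibabaCloud\Oss\V2 as Oss;

// --fix is a flag defined by this example; without it the script only reports.
$options = getopt("", ["region:", "bucket:", "endpoint:", "fix"]);
if (empty($options["region"]) || empty($options["bucket"])) {
    fwrite(STDERR, "Error: --region and --bucket are required\n");
    exit(2);
}

$cfg = Oss\Config::loadDefault();
$cfg->setCredentialsProvider(new Oss\Credentials\EnvironmentVariableCredentialsProvider());
$cfg->setRegion($options["region"]);
if (isset($options["endpoint"])) {
    $cfg->setEndpoint($options["endpoint"]);
}
$client = new Oss\Client($cfg);

// Grants that expose an object even when the bucket itself is private (assumed wire values).
$publicGrants = ['public-read', 'public-read-write'];
$bucket = $options["bucket"];
$fix = isset($options["fix"]); // getopt sets a value-less flag to false, so isset() is true
$findings = 0;

// Object keys are read from standard input, one per line.
while (($line = fgets(STDIN)) !== false) {
    $key = rtrim($line, "\r\n");
    if ($key === '') {
        continue;
    }
    try {
        $acl = $client->getObjectAcl(new Oss\Models\GetObjectAclRequest(bucket: $bucket, key: $key));
        $grant = (string) ($acl->accessControlList?->grant ?? '');
        if (!in_array($grant, $publicGrants, true)) {
            continue; // private or inherited from the bucket
        }
        $findings++;
        echo "PUBLIC\t$grant\t$key\n";
        if ($fix) {
            $client->putObjectAcl(new Oss\Models\PutObjectAclRequest($bucket, $key, Oss\Models\ObjectACLType::PRIVATE));
            echo "FIXED\tprivate\t$key\n";
        }
    } catch (\Throwable $e) {
        fwrite(STDERR, "ERROR\t$key\t" . $e->getMessage() . "\n"); // e.g. missing key or denied permission
    }
}
exit($findings > 0 && !$fix ? 1 : 0); // non-zero when public objects remain
```

Report-only mode needs only the oss:GetObjectAcl permission; `--fix` also needs oss:PutObjectAcl. An object left on the inherited ACL is not flagged, so check the bucket ACL separately.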

References

  • For the complete sample code to set the ACL of an object, see the GitHub example.

  • For more information about the API operation to set the ACL of an object, see PutObjectACL.

  • For the complete sample code to query the ACL of an object, see the GitHub example.

  • For more information about the API operation to query the ACL of an object, see GetObjectACL.