You can set ACLs for buckets and objects to control access to your resources.

For more information about ACLs, see Overview.

Bucket ACLs

You can set one of the following three ACLs for a bucket:

  • Public Read/Write: All users, including anonymous users, can read and write objects in the bucket.
  • Public Read: Only the bucket owner can perform write operations on objects in the bucket. Other users, including anonymous users, can perform only read operations on objects in the bucket.
  • Private: Only the owner or authorized users of this bucket can read and write objects in the bucket. Other users, including anonymous users, cannot access the objects in the bucket without authorization.

By default, the ACL of a bucket is set to private when the bucket is created. After you create a bucket, you can use putBucketACL to set an ACL for the bucket, or use getBucketACL to query the ACL of the bucket.

const OSS = require('ali-oss');

const client = new OSS({
  region: '<Your region>',
  accessKeyId: '<Your AccessKeyId>',
  accessKeySecret: '<Your AccessKeySecret>',
  bucket: '<Your bucket name>'
});

async function bucketACL () {
  try {
    // Query the current ACL of the bucket.
    let result = await client.getBucketACL('bucket-name');
    console.log(result);
    // Set the bucket ACL. Replace 'acl' with the ACL to apply,
    // for example 'private', 'public-read' or 'public-read-write'.
    result = await client.putBucketACL('bucket-name', 'acl');
    console.log(result);
  } catch (e) {
    console.log(e);
  }
}

bucketACL();

Object ACLs

You can set one of the following four ACLs for an object:

  • Default: The object inherits the ACL of the bucket, that is, the ACL of the object is the same as that of the bucket where the object is stored.
  • Public Read/Write: All users, including anonymous users, can read and write the object.
  • Public Read: Only the object owner can perform write operations on the object. Other users, including anonymous users, can perform only read operations on the object.
  • Private: Only the owner or authorized users of this object can read and write the object. Other users, including anonymous users, cannot access the object without authorization.

By default, when an object is uploaded, its ACL is the same as that of the bucket where the object is stored. After you upload an object, you can use putACL to set an ACL for the object.

const OSS = require('ali-oss');

const client = new OSS({
  region: '<Your region>',
  accessKeyId: '<Your AccessKeyId>',
  accessKeySecret: '<Your AccessKeySecret>',
  bucket: '<Your bucket name>'
});

async function objectACL () {
  try {
    // Query the ACL of the object before any object ACL has been set.
    let result = await client.getACL('my-object');
    console.log(result.acl); // default
    // Set the object ACL, then query it again to confirm the change.
    await client.putACL('my-object', 'public-read');
    result = await client.getACL('my-object');
    console.log(result.acl); // public-read
  } catch (e) {
    console.log(e);
  }
}

objectACL();

Notice
  • If you do not set an ACL for an object when you upload the object, the ACL of the object is the same as that of the bucket where the object is stored.
  • If the ACL of an object is not Default, the object ACL takes precedence over the bucket ACL when you access the object.
  • If the ACL of an object is Public Read or Public Read/Write, you can access the object by entering the object URL in a browser. Example: http://bucket-name.oss-cn-hangzhou.aliyuncs.com/object.jpg.
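
The precedence rules in the notice above mean a private bucket can still hold anonymously reachable objects. The following added example (not part of the original documentation or the SDK) resolves each object's effective ACL and reports the public ones; `makeStubClient` and its data are constructed stand-ins that mimic only the `acl` field returned by the `getBucketACL` and `getACL` calls shown on this page.

```javascript
// ACL values that grant access to anonymous users.
const PUBLIC = new Map([
  ['public-read', 'anonymous read'],
  ['public-read-write', 'anonymous read/write'],
]);

// An object ACL of 'default' inherits the bucket ACL; any other value overrides it.
function effectiveAcl(bucketAcl, objectAcl) {
  return objectAcl === 'default' ? bucketAcl : objectAcl;
}

// Returns one finding per object whose effective ACL allows anonymous access.
// `client` needs getBucketACL(name) and getACL(objectName), each resolving to { acl }.
async function auditObjects(client, bucketName, objectNames) {
  const { acl: bucketAcl } = await client.getBucketACL(bucketName);
  const findings = [];
  for (const name of objectNames) {
    const { acl: objectAcl } = await client.getACL(name);
    const acl = effectiveAcl(bucketAcl, objectAcl);
    if (PUBLIC.has(acl)) {
      findings.push({
        name,
        acl,
        exposure: PUBLIC.get(acl),
        inherited: objectAcl === 'default', // true: fix the bucket ACL, not the object
      });
    }
  }
  return findings;
}

// Constructed stub so the example runs offline (hypothetical helper, not an SDK API).
function makeStubClient(bucketAcl, objectAcls) {
  return {
    getBucketACL: async () => ({ acl: bucketAcl }),
    getACL: async (name) => ({ acl: objectAcls[name] }),
  };
}

// Constructed sample data: a private bucket with two objects that override it.
const sampleObjects = {
  'report.pdf': 'default',
  'logo.png': 'public-read',
  'upload/tmp.bin': 'public-read-write',
};
const stub = makeStubClient('private', sampleObjects);

auditObjects(stub, 'bucket-name', Object.keys(sampleObjects))
  .then((findings) => console.log(findings));
```

The `inherited` flag separates exposure caused by the bucket ACL from exposure caused by an explicit object ACL, which determines where the correction has to be applied.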