Set access permissions

Last Updated: Jun 27, 2017

OSS lets you set access permissions separately for buckets and for objects, so that you can control external access to your resources. A bucket supports three types of access permission:

| Type | Description |
| --- | --- |
| public-read-write | Anonymous users are allowed to create/retrieve/delete objects in the bucket. |
| public-read | Anonymous users are allowed to retrieve objects in the bucket. |
| private | Anonymous users are not allowed to access objects in the bucket. Signature is required for all accesses. |

When a bucket is created, the private permission applies by default. Use putBucketACL to set bucket permissions and use getBucketACL to get the bucket permission.

    var co = require('co');
    var OSS = require('ali-oss');

    var client = new OSS({
      region: '<Your region>',
      accessKeyId: '<Your AccessKeyId>',
      accessKeySecret: '<Your AccessKeySecret>',
      bucket: '<Your bucket name>'
    });

    co(function* () {
      // Read the current bucket ACL.
      var result = yield client.getBucketACL('bucket-name');
      console.log(result);

      // Set the bucket ACL; replace 'acl' with public-read-write, public-read or private.
      result = yield client.putBucketACL('bucket-name', 'region', 'acl');
      console.log(result);
    }).catch(function (err) {
      console.log(err);
    });

An object supports four types of access permission:

| Type | Description |
| --- | --- |
| default | The object inherits the access permissions of the bucket it belongs to, that is, the access permission of the object is the same as that of the bucket where the object is stored. |
| public-read-write | Anonymous users are allowed to read/write the object. |
| public-read | Anonymous users are allowed to read the object. |
| private | Anonymous users are not allowed to access objects in the bucket. Signature is required for all accesses. |

When an object is created, the default permission applies by default. You can use putACL to set the object permissions.

    var co = require('co');
    var OSS = require('ali-oss');

    var client = new OSS({
      region: '<Your region>',
      accessKeyId: '<Your AccessKeyId>',
      accessKeySecret: '<Your AccessKeySecret>',
      bucket: '<Your bucket name>'
    });

    co(function* () {
      // A newly created object reports the default ACL (inherits the bucket ACL).
      var result = yield client.getACL('my-object');
      console.log(result.acl); // default

      // Set an explicit object ACL, then read it back.
      yield client.putACL('my-object', 'public-read');
      result = yield client.getACL('my-object');
      console.log(result.acl); // public-read
    }).catch(function (err) {
      console.log(err);
    });

Note:

  • If an object is configured with an ACL policy (not default), the object ACL takes priority during permission authentication when the object is accessed. The bucket ACL will be ignored.
  • If anonymous access is allowed (public-read or public-read-write is configured for the object), you can directly access the object using a browser. For example: http://bucket-name.oss-cn-hangzhou.aliyuncs.com/object.jpg.
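
The precedence rule in the note above can be checked mechanically when reviewing a bucket for unintended public exposure. The following is an added example, not code from the OSS SDK or from the original page: `effectiveAcl`, `auditAcls` and the sample inventory are hypothetical names and constructed data, and the ACL strings are assumed to have been collected beforehand with getBucketACL and getACL.

```javascript
'use strict';

// ACL values from the tables on this page.
const BUCKET_ACLS = ['public-read-write', 'public-read', 'private'];
const OBJECT_ACLS = ['default', ...BUCKET_ACLS];

// Resolve the ACL that applies to one object: a non-default object ACL takes
// priority and the bucket ACL is ignored; 'default' inherits the bucket ACL.
function effectiveAcl(bucketAcl, objectAcl) {
  if (!BUCKET_ACLS.includes(bucketAcl)) {
    throw new Error('unknown bucket ACL: ' + bucketAcl);
  }
  if (!OBJECT_ACLS.includes(objectAcl)) {
    throw new Error('unknown object ACL: ' + objectAcl);
  }
  return objectAcl === 'default' ? bucketAcl : objectAcl;
}

// Hypothetical helper: list every object that anonymous users can reach.
// objectAcls maps object name -> ACL string (the result.acl value of getACL).
function auditAcls(bucketAcl, objectAcls) {
  const findings = [];
  for (const [name, objectAcl] of Object.entries(objectAcls)) {
    const acl = effectiveAcl(bucketAcl, objectAcl);
    if (acl === 'private') continue;
    findings.push({
      object: name,
      effectiveAcl: acl,
      anonymousWrite: acl === 'public-read-write',
      // 'object' means the exposure survives setting the bucket to private.
      source: objectAcl === 'default' ? 'bucket' : 'object',
    });
  }
  return findings;
}

// Constructed sample inventory (not real data).
const sampleObjects = {
  'reports/q1.pdf': 'default',
  'img/logo.png': 'public-read',
  'uploads/inbox.bin': 'public-read-write',
  'keys/backup.tar': 'private',
};

console.log(auditAcls('private', sampleObjects));
console.log(auditAcls('public-read', sampleObjects));
```

Findings with `source: 'object'` have to be fixed with putACL on the object itself, because changing the bucket ACL does not affect them.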

For more information about ACL, refer to Access Control.
