
Set access permissions

Last Updated: Nov 07, 2017

OSS allows you to set access permissions (ACLs) for buckets and objects, so that you can control external access to your resources. A bucket supports three access permissions:

  • public-read-write: Anonymous users are allowed to create/retrieve/delete objects in the bucket.
  • public-read: Anonymous users are allowed to retrieve objects in the bucket.
  • private: Anonymous users are not allowed to access objects in the bucket. A signature is required for every access.

When a bucket is created, the private permission applies by default. You can use Client.SetBucketACL to set the ACL of the bucket. The preceding three ACLs correspond to the three constants ACLPublicReadWrite, ACLPublicRead, and ACLPrivate of the Go SDK, respectively.

Bucket access permissions

Note: For the example code of bucket ACL configuration, see sample/bucket_acl.go.

    package main

    import (
        "fmt"
        "os"

        "github.com/aliyun/aliyun-oss-go-sdk/oss"
    )

    // handleError prints the error and stops the program.
    func handleError(err error) {
        fmt.Println("Error:", err)
        os.Exit(1)
    }

    func main() {
        client, err := oss.New("Endpoint", "AccessKeyId", "AccessKeySecret")
        if err != nil {
            handleError(err)
        }
        // Set the bucket ACL
        err = client.SetBucketACL("my-bucket", oss.ACLPublicRead)
        if err != nil {
            handleError(err)
        }
        // View the bucket ACL
        aclRes, err := client.GetBucketACL("my-bucket")
        if err != nil {
            handleError(err)
        }
        fmt.Println("Bucket ACL:", aclRes.ACL)
    }

Object access permissions

An object supports four access permissions:

  • default: The object inherits the access permissions of the bucket it belongs to, that is, the access permission of the object is the same as that of the bucket where the object is stored.
  • public-read-write: Anonymous users are allowed to read/write the object.
  • public-read: Anonymous users are allowed to read the object.
  • private: Anonymous users are not allowed to access the object. A signature is required for every access.

When an object is created, the default permission applies by default. You can use Bucket.SetObjectACL to set the object ACL. The preceding four ACLs correspond to the constants ACLDefault, ACLPublicReadWrite, ACLPublicRead, and ACLPrivate of the Go SDK, respectively.

Note: The example code of object ACL configuration can be found in sample/object_acl.go.

    package main

    import (
        "fmt"
        "os"

        "github.com/aliyun/aliyun-oss-go-sdk/oss"
    )

    // handleError prints the error and stops the program.
    func handleError(err error) {
        fmt.Println("Error:", err)
        os.Exit(1)
    }

    func main() {
        client, err := oss.New("Endpoint", "AccessKeyId", "AccessKeySecret")
        if err != nil {
            handleError(err)
        }
        bucket, err := client.Bucket("my-bucket")
        if err != nil {
            handleError(err)
        }
        // Set the object ACL
        err = bucket.SetObjectACL("my-object", oss.ACLPrivate)
        if err != nil {
            handleError(err)
        }
        // View the object ACL
        aclRes, err := bucket.GetObjectACL("my-object")
        if err != nil {
            handleError(err)
        }
        fmt.Println("Object ACL:", aclRes.ACL)
    }

Note:

  • If an object has an ACL other than default, the object ACL takes priority when access to the object is authorized, and the bucket ACL is ignored.

  • When anonymous access is allowed (the ACL is set to public-read or public-read-write), you can directly access the object through a browser, for example, http://bucket-name.oss-cn-hangzhou.aliyuncs.com/object.jpg.
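
Because a non-default object ACL overrides the bucket ACL, checking only the bucket ACL can miss a publicly readable object inside a private bucket. The following is an added example, not part of the SDK or its samples: it applies the precedence rule above to an inventory of ACL strings and reports every object reachable without a signature. The function and type names and the sample inventory are assumptions made for illustration; in practice the ACL values would come from GetBucketACL and GetObjectACL.

```go
package main

import (
	"fmt"
	"sort"
)

// ACL strings as listed on this page.
const (
	Default         = "default"
	PublicReadWrite = "public-read-write"
	PublicRead      = "public-read"
	Private         = "private"
)

// EffectiveACL applies the precedence rule: a non-default object ACL wins,
// otherwise the object inherits the bucket ACL.
func EffectiveACL(bucketACL, objectACL string) string {
	if objectACL == Default {
		return bucketACL
	}
	return objectACL
}

// Finding describes one object that is reachable without a signature.
type Finding struct {
	Object, Effective string
	Overrides         bool // true when the object's own ACL, not the inherited one, grants access
}

// AuditBucket returns the anonymously accessible objects, sorted by key.
// objectACLs maps object key -> object ACL (hypothetical inventory).
func AuditBucket(bucketACL string, objectACLs map[string]string) []Finding {
	var out []Finding
	for key, acl := range objectACLs {
		eff := EffectiveACL(bucketACL, acl)
		if eff == PublicRead || eff == PublicReadWrite {
			out = append(out, Finding{key, eff, acl != Default})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Object < out[j].Object })
	return out
}

func main() {
	// Constructed sample: a private bucket in which one object was made public.
	objs := map[string]string{"a.jpg": Default, "b.pdf": PublicRead, "c.txt": Private}
	for _, f := range AuditBucket(Private, objs) {
		fmt.Printf("%s effective=%s object-level-override=%v\n", f.Object, f.Effective, f.Overrides)
	}
}
```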

For more information about ACL, see Access Control.
