How to integrate RAM for file sharing

Last Updated: Oct 31, 2016


Introduction

This document instructs you on integrating the RAM service to share files and folders in user buckets. Other users will have read-only permission, while the bucket owner can edit the objects.

Process: Activate RAM -> Create a read-only authorization policy -> Create sub-accounts -> Grant permissions to the sub-accounts -> Verify FTP logon

Retrieve account ID

Retrieve your account ID, as shown in the image below:

[Image: retrieve account ID]

Activate RAM

Resource Access Management (RAM) is an Alibaba Cloud service designed for controlling resource access. By creating a policy, you can create a shared read account. Users can use this account to log on to the FTP tool and read your files.

Create an authorization policy

After activating RAM, go to the RAM console and click “Policies” on the left side. Follow the steps shown in the diagram below to create a new authorization policy:
[Image: new policy]

Enter the authorization policy as shown below:
[Image: new policy]

Specify policy name and remarks (fields 1 and 2) as needed. “Policy content” in field 3 determines the policy.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:GetObject",
            "oss:HeadObject"
          ],
          "Resource": [
            "acs:oss:*:****************:test-hz-john-001/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "oss:ListObjects",
            "oss:GetBucketAcl",
            "oss:GetBucketLocation"
          ],
          "Resource": [
            "acs:oss:*:****************:test-hz-john-001"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "oss:ListBuckets"
          ],
          "Resource": [
            "acs:oss:*:****************:*"
          ],
          "Effect": "Allow"
        }
      ]
    }

In the example above, replace **************** with your own account ID and replace test-hz-john-001 with your bucket name. Then, copy all the content and paste it in “Policy content”. Finally, click “New Authorization Policy”.
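The following is an added example, not part of the original page or Alibaba Cloud's own tooling: it fills the policy template above from an account ID and bucket name, then audits a policy document so that any action outside the page's read-only set, or any resource wider than the page's, is reported before you paste it into "Policy content". The function names and the account ID `1234567890123456` are assumptions made for illustration.

```python
import json

# Actions from the policy on this page, grouped by the resource form they use.
OBJECT_ACTIONS = ("oss:GetObject", "oss:HeadObject")
BUCKET_ACTIONS = ("oss:ListObjects", "oss:GetBucketAcl", "oss:GetBucketLocation")
ACCOUNT_ACTIONS = ("oss:ListBuckets",)


def _grants(account_id, bucket):
    """(actions, resource) pairs laid out like the page's three statements."""
    prefix = f"acs:oss:*:{account_id}:"
    return [(OBJECT_ACTIONS, f"{prefix}{bucket}/*"),   # objects inside the bucket
            (BUCKET_ACTIONS, f"{prefix}{bucket}"),     # the bucket itself
            (ACCOUNT_ACTIONS, f"{prefix}*")]           # listing buckets in the account


def build_read_only_policy(account_id, bucket):
    """Fill the page's template with a concrete account ID and bucket name."""
    statements = [{"Action": list(a), "Resource": [r], "Effect": "Allow"}
                  for a, r in _grants(account_id, bucket)]
    return {"Version": "1", "Statement": statements}


def audit_policy(policy, account_id, bucket):
    """Return findings for any Allow that is broader than the page's grant."""
    expected = {a: r for actions, r in _grants(account_id, bucket) for a in actions}
    findings = []
    for i, s in enumerate(policy.get("Statement", [])):
        if s.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        actions, resources = s.get("Action", []), s.get("Resource", [])
        # Tolerate a bare string where a list is expected.
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for a in actions:
            if a not in expected:  # write actions and wildcards such as oss:* land here
                findings.append(f"statement {i}: action {a} is not in the read-only set")
            else:
                findings += [f"statement {i}: {a} allowed on {r}, expected {expected[a]}"
                             for r in resources if r != expected[a]]
    return findings


if __name__ == "__main__":
    ACCOUNT_ID = "1234567890123456"  # constructed placeholder, not a real account
    policy = build_read_only_policy(ACCOUNT_ID, "test-hz-john-001")
    print(json.dumps(policy, indent=2))
    policy["Statement"][0]["Action"].append("oss:PutObject")  # simulate an accidental edit
    print(audit_policy(policy, ACCOUNT_ID, "test-hz-john-001"))
```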

Create an account

The authorization policy above grants read-only access. Next, create an account and grant this policy to it. Follow these steps to create an account:
[Image: new user]

Remember to record the new account’s access_key.

Authorize the account

Below, we will grant the new policy to the account.
[Image: authorize]

Log on with the sub-account

Use the sub-account’s access_key and the bucket in the authorization policy to log on. Now, you can download files and folders, but upload operations will fail.
