Introduction

This document describes how to use the RAM service to share files and folders in your buckets. Other users get read-only permission, while the bucket owner can still edit the objects.

Process: Activate RAM -> Create a read-only authorization policy -> Create sub-accounts -> Grant permissions to the sub-accounts -> Verify FTP logon

Retrieve account ID

Retrieve your account ID, as shown in the following figure:

Activate RAM

Resource Access Management (RAM) is an Alibaba Cloud service designed for controlling resource access. By creating a policy, you can set up a shared read-only account. Users can use this account to log on to the FTP tool and read your files.

Create an authorization policy

After activating RAM, go to the RAM console and click Policies on the left side. Follow the steps shown in the following diagram to create a new authorization policy:

Enter the authorization policy as follows:

Specify policy name and remarks (fields 1 and 2) as needed. Policy Content in field 3 determines the policy.

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetObject",
        "oss:HeadObject"
      ],
      "Resource": [
        "acs:oss:*:****************:test-hz-john-001/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "oss:ListObjects",
        "oss:GetBucketAcl",
        "oss:GetBucketLocation"
      ],
      "Resource": [
        "acs:oss:*:****************:test-hz-john-001"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "oss:ListBuckets"
      ],
      "Resource": [
        "acs:oss:*:****************:*"
      ],
      "Effect": "Allow"
    }
  ]
}

In the preceding example, replace **************** with your own account ID and replace test-hz-john-001 with your bucket name. Then, copy all the content and paste it into the Policy Content field. Finally, click New Authorization Policy.
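Before pasting the edited policy, it is worth checking that it still grants only read actions and that every resource points at your account and bucket. The following check is an added example, not part of the original documentation. The function names and the 16-digit account ID are made up for illustration, and the allow-list contains exactly the six actions used in the policy above.

```python
import json

# Actions the policy on this page grants; anything else counts as a finding.
READ_ONLY_ACTIONS = {
    "oss:GetObject", "oss:HeadObject", "oss:ListObjects",
    "oss:GetBucketAcl", "oss:GetBucketLocation", "oss:ListBuckets",
}

def as_list(value):
    """Policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def lint_policy(policy_text, account_id, bucket):
    """Return findings for an edited policy; an empty list means read-only and scoped."""
    findings = []
    for n, stmt in enumerate(json.loads(policy_text).get("Statement", []), 1):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        for action in actions:
            if action not in READ_ONLY_ACTIONS:
                findings.append(f"statement {n}: action {action} is not read-only")
        # ListBuckets is account-wide, so only that statement may use resource "*".
        allowed = {bucket, bucket + "/*"}
        if actions == ["oss:ListBuckets"]:
            allowed = {"*"}
        for resource in as_list(stmt.get("Resource", [])):
            parts = resource.split(":", 4)  # acs:oss:<region>:<account>:<relative id>
            if len(parts) != 5 or parts[:2] != ["acs", "oss"]:
                findings.append(f"statement {n}: malformed resource {resource}")
            elif parts[3] != account_id:
                findings.append(f"statement {n}: account segment is {parts[3]}")
            elif parts[4] not in allowed:
                findings.append(f"statement {n}: resource {parts[4]} is out of scope")
    return findings

# Constructed sample: the page's policy with a made-up 16-digit account ID.
ACCOUNT, BUCKET = "1234567890123456", "test-hz-john-001"
GOOD = json.dumps({"Version": "1", "Statement": [
    {"Action": ["oss:GetObject", "oss:HeadObject"],
     "Resource": [f"acs:oss:*:{ACCOUNT}:{BUCKET}/*"], "Effect": "Allow"},
    {"Action": ["oss:ListObjects", "oss:GetBucketAcl", "oss:GetBucketLocation"],
     "Resource": [f"acs:oss:*:{ACCOUNT}:{BUCKET}"], "Effect": "Allow"},
    {"Action": ["oss:ListBuckets"],
     "Resource": [f"acs:oss:*:{ACCOUNT}:*"], "Effect": "Allow"}]})

if __name__ == "__main__":
    print(lint_policy(GOOD, ACCOUNT, BUCKET) or "policy is read-only and scoped")
```

A policy that still contains the **************** placeholder is reported with one finding per statement, because the account segment does not match.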

Create an account

The preceding authorization policy grants read-only access. Next, create an account and grant this policy to it. Follow these steps to create an account:

Note
Remember to record the new account’s access_key.

Authorize the account

After that, we grant the new policy to the account.

Log on with the sub-account

Use the sub-account’s access_key and the bucket in the authorization policy to log on. Now, you can download files and folders, but upload operations fail.