How to integrate RAM for file sharing

Last Updated: Dec 26, 2017


This document instructs you on integrating the RAM service to share files and folders in user buckets. Other users have read-only permission, while the bucket owner can edit the objects.

  1. Process: Activate RAM -> Create a read-only authorization policy -> Create sub-accounts -> Grant permissions to the sub-accounts -> Verify FTP logon

Retrieve account ID

Retrieve your account ID, as shown in the following figure:

retrieve account ID

Activate RAM

Resource Access Management (RAM) is an Alibaba Cloud service designed for controlling resource access. By creating a policy, you can create a shared read account. Users can use this account to log on to the FTP tool and read your files.

Create an authorization policy

After activating RAM, go to the RAM console and click “Policies” on the left side. Follow the steps shown in the following diagram to create a new authorization policy:
new policy

Enter the authorization policy as follows:
new policy

Specify policy name and remarks (fields 1 and 2) as needed. “Policy content” in field 3 determines the policy.

  1. {
  2. "Version": "1",
  3. "Statement": [
  4. {
  5. "Action": [
  6. "oss:GetObject",
  7. "oss:HeadObject"
  8. ],
  9. "Resource": [
  10. "acs:oss:*:****************:test-hz-john-001/*"
  11. ],
  12. "Effect": "Allow"
  13. },
  14. {
  15. "Action": [
  16. "oss:ListObjects",
  17. "oss:GetBucketAcl",
  18. "oss:GetBucketLocation"
  19. ],
  20. "Resource": [
  21. "acs:oss:*:****************:test-hz-john-001"
  22. ],
  23. "Effect": "Allow"
  24. },
  25. {
  26. "Action": [
  27. "oss:ListBuckets"
  28. ],
  29. "Resource": [
  30. "acs:oss:*:****************:*"
  31. ],
  32. "Effect": "Allow"
  33. }
  34. ]
  35. }

In the preceding example, replace **************** with your own account ID and replace test-hz-john-001 with your bucket name. Then, copy all the content and paste it in “Policy content”. Finally, click “New Authorization Policy”.

Create an account

The preceding authorization policy produces a read-only policy. Then, we create an account and grant this policy to the account. Follow these steps to create an account:
new user

Remember to record the new account’s access_key.

Authorize the account

After that, we grant the new policy to the account.

Log on with the sub-account

Use the sub-account’s access_key and the bucket in the authorization policy to log on. Now, you can download files and folders, but upload operations fail.

Thank you! We've received your feedback.