Object Storage Service:Tutorial: Use bucket policies to restrict access to OSS over the Internet

Last Updated: Mar 13, 2024

Bucket policies are resource-based authorization policies attached to Object Storage Service (OSS) buckets. You can use a bucket policy to deny specific RAM users access to OSS resources when their requests arrive over the Internet instead of through a VPC.

Scenarios

Enterprise A creates a bucket named examplebucket in the China (Hangzhou) region. A large amount of internal data is stored in the examplefolder directory of examplebucket. Enterprise A wants specific partners, who access the bucket by using RAM users, to be unable to reach resources in the examplefolder directory over the Internet.

To meet this requirement, you can configure a bucket policy by writing the policy in the syntax editor.

Procedure

  1. Log on to the OSS console.

  2. In the left-side navigation pane, click Buckets. On the Buckets page, click examplebucket.

  3. In the left-side navigation tree, choose Permission Control > Bucket Policy.

  4. On the page that appears, click the Add by Syntax tab and then click Edit.

  5. In the code editor, enter the following policy:

    In the following policy, 137918634953xxxx is the UID of the Alibaba Cloud account that owns examplebucket, and the IDs in the Principal element are the UIDs of the RAM users to restrict. The first statement denies the listed object operations on objects under examplefolder/, and the second denies listing the bucket with the examplefolder/ prefix. Both statements apply only when acs:SourceVpc does not match vpc-*, that is, when the request does not arrive through a VPC. Because an explicit Deny overrides any Allow, the policy only removes access: for the same RAM users to reach examplefolder/ from a VPC, they still need permissions granted by a RAM policy or by an Allow statement in the bucket policy.

    {
        "Version": "1",
        "Statement": [{
            "Effect": "Deny",
            "Action": [
                "oss:RestoreObject",
                "oss:ListObjects",
                "oss:AbortMultipartUpload",
                "oss:PutObjectAcl",
                "oss:GetObjectAcl",
                "oss:ListParts",
                "oss:DeleteObject",
                "oss:PutObject",
                "oss:GetObject",
                "oss:GetVodPlaylist",
                "oss:PostVodPlaylist",
                "oss:PublishRtmpStream",
                "oss:ListObjectVersions",
                "oss:GetObjectVersion",
                "oss:GetObjectVersionAcl",
                "oss:RestoreObjectVersion"
            ],
            "Principal": [
                "26642223584287xxxx",
                "27658173539067xxxx",
                "24430533117653xxxx"
            ],
            "Resource": [
                "acs:oss:*:137918634953xxxx:examplebucket/examplefolder/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "acs:SourceVpc": [
                        "vpc-*"
                    ]
                }
            }
        }, {
            "Effect": "Deny",
            "Action": [
                "oss:ListObjects",
                "oss:GetObject"
            ],
            "Principal": [
                "26642223584287xxxx",
                "27658173539067xxxx",
                "24430533117653xxxx"
            ],
            "Resource": [
                "acs:oss:*:137918634953xxxx:examplebucket"
            ],
            "Condition": {
                "StringLike": {
                    "oss:Prefix": [
                        "examplefolder/*"
                    ]
                },
                "StringNotLike": {
                    "acs:SourceVpc": [
                        "vpc-*"
                    ]
                }
            }
        }]
    }
  6. Click Save. In the message that appears, click OK.
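The procedure above applies the policy through the console. The following Python script is an added example, not Alibaba Cloud code, that checks the same policy offline against a few constructed requests so you can see which ones the two Deny statements catch before you save it. It models only the subset of the bucket-policy language the tutorial uses (Effect Deny, exact Principal match, wildcard Resource match, StringLike and StringNotLike on acs:SourceVpc and oss:Prefix) and assumes, as the tutorial does, that a request arriving over the Internet carries no acs:SourceVpc value and therefore satisfies StringNotLike vpc-*. The region cn-hangzhou, the VPC ID vpc-bp1exampleid, the object keys and the unlisted UID 20000000000000xxxx are constructed.

```python
"""Offline check of the tutorial's bucket policy against constructed requests.

Added example, not Alibaba Cloud code; it is not a substitute for OSS's own
policy evaluation, only a way to reason about the two Deny statements.
"""
import fnmatch

# Identifiers taken from the tutorial.
OWNER = "137918634953xxxx"
PARTNERS = ["26642223584287xxxx", "27658173539067xxxx", "24430533117653xxxx"]
OBJECT_ACTIONS = [
    "oss:RestoreObject", "oss:ListObjects", "oss:AbortMultipartUpload",
    "oss:PutObjectAcl", "oss:GetObjectAcl", "oss:ListParts", "oss:DeleteObject",
    "oss:PutObject", "oss:GetObject", "oss:GetVodPlaylist", "oss:PostVodPlaylist",
    "oss:PublishRtmpStream", "oss:ListObjectVersions", "oss:GetObjectVersion",
    "oss:GetObjectVersionAcl", "oss:RestoreObjectVersion",
]
NOT_FROM_VPC = {"StringNotLike": {"acs:SourceVpc": ["vpc-*"]}}

# The tutorial's two Deny statements as a Python dict.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Deny", "Action": OBJECT_ACTIONS, "Principal": PARTNERS,
         "Resource": [f"acs:oss:*:{OWNER}:examplebucket/examplefolder/*"],
         "Condition": NOT_FROM_VPC},
        {"Effect": "Deny", "Action": ["oss:ListObjects", "oss:GetObject"],
         "Principal": PARTNERS,
         "Resource": [f"acs:oss:*:{OWNER}:examplebucket"],
         "Condition": {"StringLike": {"oss:Prefix": ["examplefolder/*"]}, **NOT_FROM_VPC}},
    ],
}


def _match_any(value, patterns):
    # '*' in a policy pattern matches any run of characters, '/' included.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """True when every (operator, key) pair in Condition is satisfied by the request."""
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            value = context.get(key)
            if operator == "StringLike":
                # A key absent from the request cannot match a positive pattern.
                if value is None or not _match_any(value, patterns):
                    return False
            elif operator == "StringNotLike":
                # Assumption (the one the tutorial relies on): an Internet request
                # carries no acs:SourceVpc, so StringNotLike vpc-* is satisfied.
                if value is not None and _match_any(value, patterns):
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def is_denied(policy, principal, action, resource, context=None):
    """True if some Deny statement matches the request. Allows are not modelled."""
    context = context or {}
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny" or principal not in statement["Principal"]:
            continue
        if action not in statement["Action"] or not _match_any(resource, statement["Resource"]):
            continue
        if _condition_holds(statement.get("Condition", {}), context):
            return True
    return False


# Constructed sample requests: (label, principal, action, resource, request context).
INTERNAL = f"acs:oss:cn-hangzhou:{OWNER}:examplebucket/examplefolder/q1-report.csv"
PUBLIC = f"acs:oss:cn-hangzhou:{OWNER}:examplebucket/public/readme.txt"
BUCKET = f"acs:oss:cn-hangzhou:{OWNER}:examplebucket"
SAMPLE_REQUESTS = [
    ("partner GET internal object over Internet", PARTNERS[0], "oss:GetObject", INTERNAL, {}),
    ("partner GET internal object from VPC", PARTNERS[0], "oss:GetObject", INTERNAL,
     {"acs:SourceVpc": "vpc-bp1exampleid"}),
    ("partner GET public object over Internet", PARTNERS[0], "oss:GetObject", PUBLIC, {}),
    ("partner LIST with examplefolder/ prefix over Internet", PARTNERS[1],
     "oss:ListObjects", BUCKET, {"oss:Prefix": "examplefolder/"}),
    ("partner LIST whole bucket over Internet", PARTNERS[1], "oss:ListObjects", BUCKET, {}),
    ("unlisted RAM user GET internal object over Internet", "20000000000000xxxx",
     "oss:GetObject", INTERNAL, {}),
]


def evaluate_samples(policy=POLICY):
    """Map each sample label to whether the policy denies that request."""
    return {label: is_denied(policy, p, a, r, c) for label, p, a, r, c in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, denied in evaluate_samples().items():
        print(f"{'DENY' if denied else 'pass'}  {label}")
```

Run it with python3 to print one line per sample request. Two things the output makes visible: the partner's request from a VPC is not denied by this policy, but it is not allowed by it either, so the partner still needs an Allow from a RAM policy or another bucket-policy statement; and a bucket-wide listing with no prefix is not matched by the second statement's oss:Prefix condition, so check against your own bucket whether key names under examplefolder/ can still appear in such a listing. To apply the policy outside the console, pass the same JSON document to the PutBucketPolicy operation through an OSS SDK or ossutil.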

References

  • Data needs to be shared across multiple departments or projects. You may want users from other departments to download the data that is shared by your department. However, you may not want the users to write data or delete the shared data. In this case, you can implement data sharing across multiple departments based on bucket policies. For more information, see Tutorial: Share data across departments based on bucket policies.

  • You can grant different permissions, such as read-only permissions and read and write permissions, to anonymous users or RAM users in the same Alibaba Cloud account and across multiple Alibaba Cloud accounts to access or manage bucket resources. For more information, see Examples.