This topic describes how to manage OSS permissions of RAM users by creating policies in RAM.
Common policies
The following table lists some common policies that can be created in RAM to manage OSS permissions.
| Policy | Description |
|---|---|
| AliyunOSSFullAccess | Grants a RAM user full management permissions for OSS instances. |
| AliyunOSSReadOnlyAccess | Grants a RAM user read-only permission for OSS instances. |
Note For more information about OSS permissions, see Overview.
Attach custom policies to RAM users
- Create custom policies according to the subsequent OSS authorization examples.
For more information, see Create a custom policy.
- Locate the target policy and click the policy name.
- On the References tab, click Grant Permission.
- In the Principal field, enter the ID or name of the target RAM user.
- Click OK.
Note You can also attach policies to a RAM user or a RAM user group as needed. For more information, see Grant permission to a RAM userand Grant permission to a RAM user group.
OSS authorization examples
- Example 1: As a RAM administrator, authorize a user to fully manage an OSS bucket.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "oss:*", "Resource": [ "acs:oss:*:*:myphotos", "acs:oss:*:*:myphotos/*" ] } ] } - Example 2: As a RAM administrator, authorize a user to list and read resources in
an OSS bucket.
- Authorize a RAM to list and read resources in an OSS bucket by using the OSS CLI or
by using OSS SDKs. The name of the OSS bucket is
myphotos.{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "oss:ListObjects", "Resource": "acs:oss:*:*:myphotos" }, { "Effect": "Allow", "Action": "oss:GetObject", "Resource": "acs:oss:*:*:myphotos/*" } ] } - Authorize a RAM user to operate on resources in the OSS console.
Note When a RAM user logs on to the OSS console, the console calls the
ListBuckets,GetBucketAcl, andGetObjectAclactions to check whether the bucket is public.{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketInfo", "oss:GetBucketAcl" ], "Resource": "acs:oss:*:*:*" }, { "Effect": "Allow", "Action": [ "oss:ListObjects", "oss:GetBucketAcl" ], "Resource": "acs:oss:*:*:myphotos" }, { "Effect": "Allow", "Action": [ "oss:GetObject", "oss:GetObjectAcl" ], "Resource": "acs:oss:*:*:myphotos/*" } ] }
- Authorize a RAM to list and read resources in an OSS bucket by using the OSS CLI or
by using OSS SDKs. The name of the OSS bucket is
- Example 3: As a RAM administrator, authorize a RAM user to access OSS instances by
using a specified IP address.
- Add the following condition in the
Allowelement. This allows the IP address segments192.168.0.0/16and172.12.0.0/16to read data inmyphotos.{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketInfo", "oss:GetBucketAcl" ], "Resource": [ "acs:oss:*:*:*" ] }, { "Effect": "Allow", "Action": [ "oss:ListObjects", "oss:GetObject" ], "Resource": [ "acs:oss:*:*:myphotos", "acs:oss:*:*:myphotos/*" ], "Condition":{ "IpAddress": { "acs:SourceIp": ["192.168.0.0/16", "172.12.0.0/16"] } } } ] } - Add the following condition in the
Denyelement. If the IP address of a RAM user is not within the192.168.0.0/16segment, the user cannot perform any operations on OSS instances.{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketInfo", "oss:GetBucketAcl" ], "Resource": [ "acs:oss:*:*:*" ] }, { "Effect": "Allow", "Action": [ "oss:ListObjects", "oss:GetObject" ], "Resource": [ "acs:oss:*:*:myphotos", "acs:oss:*:*:myphotos/*" ] }, { "Effect": "Deny", "Action": "oss:*", "Resource": [ "acs:oss:*:*:*" ], "Condition":{ "NotIpAddress": { "acs:SourceIp": ["192.168.0.0/16"] } } } ] }Note A policy with the Deny command has a higher priority than the policy with the Allow command. Therefore, when a RAM user whose IP address is not within the192.168.0.0/16segment attempts to access data inmyphotos, OSS notifies the user of having no permissions.
- Add the following condition in the
- Example 4: Authorize a RAM user by OSS directory.
You have a photo bucket named myphotos. The bucket contains directories that indicate the places where the photos were taken. Each directory contains sub-directories that indicate the years when the photos were taken.
myphotos[Bucket] ├── beijing │ ├── 2014 │ └── 2015 ├── hangzhou │ ├── 2013 │ ├── 2014 │ └── 2015 //Grant read-only permission on this directory to users. └── qingdao ├── 2014 └── 2015You can grant read-only permission on themyphotos/hangzhou/2015/directory to a RAM user according to application scenarios and policy complexity. The following are examples of the application scenarios:- Scenario 1: Authorize a RAM user to read files in the directory without them having
to list the files.
In this scenario, the RAM user knows the complete paths of all files and can directly read the files by using the complete paths. Generally, a software system requires permission assignment for this.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:GetObject" ], "Resource": [ "acs:oss:*:*:myphotos/hangzhou/2015/*" ] } ] } - Scenario 2: Authorize a RAM user to access the
myphotos/hangzhou/2015/directory and list files in the directory by using the OSS CLI.Generally, software developers require such permission assignment. The developers do not know what files are available in a directory and can use the OSS CLI or API to directly obtain the directory information.
In this scenario, theListObjectspermission is required.{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:GetObject" ], "Resource": [ "acs:oss:*:*:myphotos/hangzhou/2015/*" ] }, { "Effect": "Allow", "Action": [ "oss:ListObjects" ], "Resource": [ "acs:oss:*:*:myphotos" ], "Condition":{ "StringLike":{ "oss:Prefix":"hangzhou/2015/*" } } } ] } - Scenario 3: Authorize a RAM user to access the
myphotos/hangzhou/2015/directory by using the OSS console.In this scenario, the RAM user uses a visual OSS client, such as Windows File Explorer, to access the
myphotos/hangzhou/2015/directory from the root directory through levels of sub-directories.The following permissions are required:- Permission to list all buckets
- Permission to list directories under
myphotos - Permission to list directories under
myphotos/hangzhou
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketInfo", "oss:GetBucketAcl" ], "Resource": [ "acs:oss:*:*:*" ] }, { "Effect": "Allow", "Action": [ "oss:GetObject", "oss:GetObjectAcl" ], "Resource": [ "acs:oss:*:*:myphotos/hangzhou/2015/*" ] }, { "Effect": "Allow", "Action": [ "oss:ListObjects" ], "Resource": [ "acs:oss:*:*:myphotos" ], "Condition": { "StringLike": { "oss:Delimiter": "/", "oss:Prefix": [ "", "hangzhou/", "hangzhou/2015/*" ] } } } ] }
- Scenario 1: Authorize a RAM user to read files in the directory without them having
to list the files.