Questions
- View OSS permission definitions
- Assign the OSS read-only permission to a RAM user
- Assign the full OSS management permission to a RAM user
- Authorize a RAM user to list and read resources in a bucket
- Apply IP address-specific access control in OSS
- Authorization by OSS directory
- Authorize a RAM user complete management of a bucket
- RAM user authorized to manage a bucket notified of having no operation permissions when logging on to the OSS console
View OSS permission definitions
See Access control in the OSS product document.
Assign the OSS read-only permission to a RAM user
Create a RAM user in the RAM console and add the system authorization policy AliyunOSSReadOnlyAccess to the user. For more information about how to add an authorization policy, see Authorization.
Assign the full OSS management permission to a RAM user
Add the system authorization policy AliyunOSSFullAccess to the RAM user in the RAM console.
Authorize a RAM user to list and read resources in a bucket
If you need to authorize a RAM user (such as an application that represents you) to list and read the resources in a bucket using the OSS SDK or OSS CMD, you must create an authorization policy.Resource in, then you need to create a custom Authorization Policy to complete.
Assume that your bucket is named “myphotos”. Create the authorization policy as follows:
{
"Version": "1",
"Statement ":[
{
"Effect": "Allow",
"Action": "oss:ListObjects",
"Resource": "acs:oss:*:*:myphotos"
},
{
"Effect": "Allow",
"Action": "oss:GetObject",
"Resource": "acs:oss:*:*:myphotos/*"
}
]
}{
"Version": "1",
"Statement ":[
{
"Effect": "Allow",
"Action": "oss:ListBuckets",
"Resource": "acs:oss:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"oss:ListObjects",
"oss:GetBucketAcl"
],
"Resource": "acs:oss:*:*:myphotos"
},
{
"Effect": "Allow",
"Action": [
"oss:GetObject",
"oss:GetObjectAcl"
],
"Resource": "acs:oss:*:*:myphotos/*"
}
]
}Apply IP address-specific access control in OSS
Example 1: Apply IP address-specific access control using the Allow command
The IP address segments 42.120.88.0/24 and 42.120.66.0/24 are allowed to read the information in the myphotos directory.
{
"Version": "1",
"Statement ":[
{
"Sid": "To allow listing all buckets",
"Effect": "Allow",
"Action": [
"oss:ListBuckets"
],
"Resource": [
"acs:oss:*:*:*"
]
},
{
"Sid": "To allow only the users in the specified IP address segment to obtain the information in the myphotos directory",
"Effect": "Allow",
"Action": [
"oss:ListObjects",
"oss:GetObject"
],
"Resource": [
"acs:oss:*:*:myphotos",
"acs:oss:*:*:myphotos/*"
],
"Condition ":{
"IpAddress": {
"acs:SourceIp": "42.120.88.0/24", "42.120.66.0/24"
}
}
}
]
}Example 2: Apply IP address-specific access control using the Deny command
If the IP address of a user is not within the 42.120.88.0/24 segment, the user cannot perform any OSS operations. Create an authorization policy as follows:
{
"Version": "1",
"Statement ":[
{
"Sid": "To allow listing all buckets",
"Effect": "Allow",
"Action": [
"oss:ListBuckets"
],
"Resource": [
"acs:oss:*:*:*"
]
},
{
"Sid": "To allow obtaining the information in the myphotos directory",
"Effect": "Allow",
"Action": [
"oss:ListObjects",
"oss:GetObject"
],
"Resource": [
"acs:oss:*:*:myphotos",
"acs:oss:*:*:myphotos/*"
]
},
{
"Sid": "To disallow IP addresses not in the 42.120.88.0/24 segment to access OSS",
"Effect": "Deny",
"Action": "oss:*",
"Resource": [
"acs:oss:*:*:*"
],
"Condition ":{
"NotIpAddress": {
"acs:SourceIp": ["42.120.88.0/24"]
}
}
}
]
}NOTE: A policy with the Deny command has a higher priority than the policy with the Allow command. (If the accessing operation of a user meets any policy with the Deny command, the user is disallowed to access the content.) Therefore, when a user whose IP address is not in the 42.120.88.0/24 segment attempts to access the information in the “myphotos” directory, the OSS service notifies the user of having no operation permissions.
Authorization by OSS directory
Authorization by directory is an advanced authorization function.Background
Assume that you have a photo bucket named “myphotos”. The bucket contains directories that indicate the places where the photos were taken. Each directory contains subdirectories that indicate the years when the photos were taken.
The directory tree is as follows:
myphotos[Bucket]
├── beijing
│ ├── 2014
│ └── 2015
├── hangzhou
│ ├── 2013
│ ├── 2014
│ └── 2015 //The read-only permission on this directory must be assigned.
└── qingdao
├── 2014
└── 2015Assume that you need to assign the read-only permission on the myphotos/hangzhou/2015/ directory to a RAM user. The required authorization policy depends on the application scenario. The following describes the authorization policies for three scenarios by policy complexity, from simplest to more complex.
In this scenario, the RAM user knows the complete paths of all files and can directly read the files using the complete paths. A software system requires such permission assignment, because the file paths in the software system comply with a certain rule (for example, files are named after employee IDs) or the file paths have persisted in the database of the software system.
{
"Version": "1",
"Statement ":[
{
"Effect": "Allow",
"Action": [
"oss:GetObject"
],
"Resource": [
"acs:oss:*:*:myphotos/hangzhou/2015/*"
]
}
]
}myphotos/hangzhou/2015/ directory, but does not know what files are available in the directory. Therefore, the files must be listed.
Generally, software developers require such permission assignment. The developers do not know what files are available in a directory and use the OSS CMD or API to directly obtain the directory information.
In this scenario, the ListObjects permission that is not required in scenario 1 must be added. Because only the files in the myphotos/hangzhou/2015/ directory are to be listed, the oss:Prefix condition must be added to the ListObjects permission.
{
"Version": "1",
"Statement ":[
{
"Effect": "Allow",
"Action": [
"oss:GetObject"
],
"Resource": [
"acs:oss:*:*:myphotos/hangzhou/2015/*"
]
},
{
"Effect": "Allow",
"Action": [
"oss:ListObjects"
],
"Resource": [
"acs:oss:*:*:myphotos"
],
"Condition":{
"StringLike":{
"oss:Prefix":"hangzhou/2015/"
}
}
}
]
}myphotos/hangzhou/2015/ directory.
This is the most easy-to-use scenario. When the RAM user uses the visual OSS client to access the myphotos/hangzhou/2015/ directory, like Windows File Explorer, the visual OSS client allows the RAM user to access the target directory from the root directory through levels of sub-directories.
- Permission to list all buckets
- Permission to list the subdirectories of the “myphotos” directory (In this example, the subdirectories include beijing, hangzhou, and qingdao.)
- Permission to list the subdirectories under “myphotos/hangzhou” (The subdirectories include 2013, 2014, and 2015.)
{
"Version": "1",
"Statement ":[
{
"Effect": "Allow",
"Action": [
"oss:ListBuckets",
"oss:GetBucketAcl"
],
"Resource": [
"acs:oss:*:*:*"
]
},
{
"Effect": "Allow",
"Action": [
"oss:GetObject",
"oss:GetObjectAcl"
],
"Resource": [
"acs:oss:*:*:myphotos/hangzhou/2015/*"
]
},
{
"Effect": "Allow",
"Action": [
"oss:ListObjects"
],
"Resource": [
"acs:oss:*:*:myphotos"
],
"Condition": {
"StringLike": {
"oss:Delimiter": "/",
"oss:Prefix": [
"",
"hangzhou/",
"hangzhou/2015/*"
]
}
}
}
]
}Authorize a RAM user complete management of a bucket
You need to create an authorization policy first. Assume that your bucket is named “myphotos”. Create the authorization policy as follows:
{
"Version": "1",
"Statement ":[
{
"Effect": "Allow",
"Action": "oss:*",
"Resource": [
"acs:oss:*:*:myphotos",
"acs:oss:*:*:myphotos/*"
]
}
]
}Then, add the authorization policy for this user.
RAM user authorized to manage a bucket notified of having no operation permissions when logging on to the OSS console
{
"Version": "1",
"Statement ":[
{
"Effect": "Allow",
"Action": [
"oss:ListObjects"
],
"Resource": "acs:oss:*:*:myphotos"
},
{
"Effect": "Allow",
"Action": [
"oss:GetObject"
],
"Resource": "acs:oss:*:*:myphotos/*"
}
]
}However, the RAM user was notified of having no operation permissions when logging on to the OSS console.
The reason is that when the RAM user logs on to the OSS console, the OSS console makes the RAM user access the OSS service as authorized. For a better user interaction experience, the OSS console also calls the ListBuckets, GetBucketAcl, and GetObjectAcl operations. (GetBucketAcl specifies whether a bucket is private or public. GetObjectAcl specifies an object is private or public.)
Therefore, to enable the RAM user to manage a bucket on the OSS console, you need to create the authorization policy as follows:
{
"Version": "1",
"Statement ":[
{
"Effect": "Allow",
"Action": "oss:ListBuckets",
"Resource": "acs:oss:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"oss:ListObjects",
"oss:GetBucketAcl"
],
"Resource": "acs:oss:*:*:myphotos"
},
{
"Effect": "Allow",
"Action": [
"oss:GetObject",
"oss:GetObjectAcl"
],
"Resource": "acs:oss:*:*:myphotos/*"
}
]
}