This topic describes how to manage Object Storage Service (OSS) permissions of a RAM user by using RAM. In the RAM console, you can create custom policies and attach them to a RAM user.
Prerequisites
- An Alibaba Cloud account is created. If not, create one before proceeding. To create an Alibaba Cloud account, go to the account registration page.
- You have a basic understanding of the following common system policies:
  - AliyunOSSFullAccess: grants a RAM user the permissions to manage OSS buckets.
  - AliyunOSSReadOnlyAccess: grants a RAM user the read-only permission on OSS buckets.
- You have a basic understanding of OSS permissions. For more information, see Overview.
Attach a custom policy to a RAM user
OSS authorization examples
- Example 1: Authorize a RAM user to manage a bucket named myphotos.
  {
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "oss:*",
        "Resource": [
          "acs:oss:*:*:myphotos",
          "acs:oss:*:*:myphotos/*"
        ]
      }
    ]
  }
- Example 2: Authorize a RAM user to list and read resources in a bucket.
  - To authorize a RAM user to list and read resources in a bucket named myphotos by using the OSS SDK or OSS CLI, use the following sample script:
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "oss:ListObjects",
          "Resource": "acs:oss:*:*:myphotos"
        },
        {
          "Effect": "Allow",
          "Action": "oss:GetObject",
          "Resource": "acs:oss:*:*:myphotos/*"
        }
      ]
    }
  - To authorize a RAM user to use the OSS console to list and read resources in a bucket named myphotos, use the following sample script:
    Note When a RAM user logs on to the OSS console, the ListBuckets, GetBucketAcl, and GetObjectAcl API operations are called to check whether the bucket is public.
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:ListBuckets",
            "oss:GetBucketStat",
            "oss:GetBucketInfo",
            "oss:GetBucketTagging",
            "oss:GetBucketAcl"
          ],
          "Resource": "acs:oss:*:*:*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "oss:ListObjects",
            "oss:GetBucketAcl"
          ],
          "Resource": "acs:oss:*:*:myphotos"
        },
        {
          "Effect": "Allow",
          "Action": [
            "oss:GetObject",
            "oss:GetObjectAcl"
          ],
          "Resource": "acs:oss:*:*:myphotos/*"
        }
      ]
    }
- Example 3: Authorize a RAM user to use a specified IP address to access an OSS bucket.
  - Add an IP address condition to the Allow element. This allows a RAM user to read data from the myphotos bucket only from an IP address in the 192.168.0.0/16 or 172.12.0.0/16 CIDR block.
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:ListBuckets",
            "oss:GetBucketStat",
            "oss:GetBucketInfo",
            "oss:GetBucketTagging",
            "oss:GetBucketAcl"
          ],
          "Resource": [
            "acs:oss:*:*:*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "oss:ListObjects",
            "oss:GetObject"
          ],
          "Resource": [
            "acs:oss:*:*:myphotos",
            "acs:oss:*:*:myphotos/*"
          ],
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": ["192.168.0.0/16", "172.12.0.0/16"]
            }
          }
        }
      ]
    }
  - Add an IP address condition to the Deny element. If the IP address of a RAM user is not in the 192.168.0.0/16 CIDR block, the RAM user cannot access or manage the myphotos bucket.
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:ListBuckets",
            "oss:GetBucketStat",
            "oss:GetBucketInfo",
            "oss:GetBucketTagging",
            "oss:GetBucketAcl"
          ],
          "Resource": [
            "acs:oss:*:*:*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "oss:ListObjects",
            "oss:GetObject"
          ],
          "Resource": [
            "acs:oss:*:*:myphotos",
            "acs:oss:*:*:myphotos/*"
          ]
        },
        {
          "Effect": "Deny",
          "Action": "oss:*",
          "Resource": [
            "acs:oss:*:*:*"
          ],
          "Condition": {
            "NotIpAddress": {
              "acs:SourceIp": ["192.168.0.0/16"]
            }
          }
        }
      ]
    }
    Note A Deny statement takes precedence over an Allow statement. When a RAM user attempts to read data from the myphotos bucket from an IP address that is not in the 192.168.0.0/16 CIDR block, OSS responds that the RAM user does not have the required permissions.
- Example 4: Authorize a RAM user to read data from an OSS directory.
  In this example, the bucket that stores photos is named myphotos. The bucket contains directories that indicate the location where the photos were captured. Each directory contains subdirectories that indicate the years when the photos were captured.
    myphotos[Bucket]
    ├── beijing
    │   ├── 2014
    │   └── 2015
    ├── hangzhou
    │   ├── 2013
    │   ├── 2014
    │   └── 2015    // Grant read-only permissions on this directory to a RAM user.
    └── qingdao
        ├── 2014
        └── 2015
  You can use different policies to grant read-only permissions on the myphotos/hangzhou/2015/ directory to a RAM user based on specific scenarios. The following examples describe three typical scenarios:
  - Scenario 1: Authorize a RAM user to read data from objects in the directory, but do not authorize the RAM user to list objects.
    In this scenario, the RAM user can use the full path to read object data. We recommend that you attach this policy to your applications.
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:GetObject"
          ],
          "Resource": [
            "acs:oss:*:*:myphotos/hangzhou/2015/*"
          ]
        }
      ]
    }
  - Scenario 2: Authorize a RAM user to use the OSS CLI to access the myphotos/hangzhou/2015/ directory and list objects in the directory.
    In this scenario, the RAM user can use the OSS CLI or call API operations to read data from the directory. We recommend that you use this policy to grant the relevant permissions to your software developers.
    In this scenario, the ListObjects permission is required.
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:GetObject"
          ],
          "Resource": [
            "acs:oss:*:*:myphotos/hangzhou/2015/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "oss:ListObjects"
          ],
          "Resource": [
            "acs:oss:*:*:myphotos"
          ],
          "Condition": {
            "StringLike": {
              "oss:Prefix": "hangzhou/2015/*"
            }
          }
        }
      ]
    }
  - Scenario 3: Authorize a RAM user to use the OSS console to access the directory.
    In this scenario, the RAM user can use a visual OSS client (for example, Windows File Explorer) to access the myphotos/hangzhou/2015/ directory. The following permissions are required:
    - Permission to list all buckets
    - Permission to list directories under myphotos
    - Permission to list directories under myphotos/hangzhou
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:ListBuckets",
            "oss:GetBucketStat",
            "oss:GetBucketInfo",
            "oss:GetBucketTagging",
            "oss:GetBucketAcl"
          ],
          "Resource": [
            "acs:oss:*:*:*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "oss:GetObject",
            "oss:GetObjectAcl"
          ],
          "Resource": [
            "acs:oss:*:*:myphotos/hangzhou/2015/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "oss:ListObjects"
          ],
          "Resource": [
            "acs:oss:*:*:myphotos"
          ],
          "Condition": {
            "StringLike": {
              "oss:Delimiter": "/",
              "oss:Prefix": [
                "",
                "hangzhou/",
                "hangzhou/2015/*"
              ]
            }
          }
        }
      ]
    }
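The following script is an added example, not part of this page or of Alibaba Cloud's own evaluation engine: a small policy evaluator that applies the rules the page relies on (a statement applies only when its Action, Resource and Condition all match; an applicable Deny wins over any Allow; nothing applicable means no permission) to two of the policy documents above, the Deny variant from Example 3 and the console policy from Scenario 3 of Example 4. The region and account ID in the request resources, the source IP addresses, and the rule that a missing context key never satisfies a condition are constructed assumptions of this example.

```python
"""Toy evaluator for the RAM policy documents on this page (constructed for
illustration, not Alibaba Cloud's engine). Supported condition operators:
IpAddress, NotIpAddress, StringLike, StringEquals."""
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _like(pattern, value):
    # RAM '*' matches any run of characters, including '/' and ':', which is
    # also how fnmatch treats it. The policies here use no '[' classes.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # assumption of this toy: missing key never satisfies a condition
            wanted = _as_list(wanted)
            if operator == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in wanted)
            elif operator == "NotIpAddress":
                ok = not any(ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in wanted)
            elif operator == "StringLike":
                ok = any(_like(p, actual) for p in wanted)
            elif operator == "StringEquals":
                ok = actual in wanted
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against one policy document."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_like(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_like(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an applicable Deny beats every Allow, whatever the order
        allowed = True
    return "Allow" if allowed else "Deny"


# Example 3, Deny variant, copied from the page.
IP_DENY_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketInfo",
                    "oss:GetBucketTagging", "oss:GetBucketAcl"],
         "Resource": ["acs:oss:*:*:*"]},
        {"Effect": "Allow", "Action": ["oss:ListObjects", "oss:GetObject"],
         "Resource": ["acs:oss:*:*:myphotos", "acs:oss:*:*:myphotos/*"]},
        {"Effect": "Deny", "Action": "oss:*", "Resource": ["acs:oss:*:*:*"],
         "Condition": {"NotIpAddress": {"acs:SourceIp": ["192.168.0.0/16"]}}},
    ],
}

# Example 4, Scenario 3 (console access to myphotos/hangzhou/2015/), copied from the page.
CONSOLE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketInfo",
                    "oss:GetBucketTagging", "oss:GetBucketAcl"],
         "Resource": ["acs:oss:*:*:*"]},
        {"Effect": "Allow", "Action": ["oss:GetObject", "oss:GetObjectAcl"],
         "Resource": ["acs:oss:*:*:myphotos/hangzhou/2015/*"]},
        {"Effect": "Allow", "Action": ["oss:ListObjects"],
         "Resource": ["acs:oss:*:*:myphotos"],
         "Condition": {"StringLike": {"oss:Delimiter": "/",
                                      "oss:Prefix": ["", "hangzhou/", "hangzhou/2015/*"]}}},
    ],
}

# Constructed request resources; region and account ID are placeholders.
BUCKET = "acs:oss:cn-hangzhou:123456789012:myphotos"
OBJ = BUCKET + "/hangzhou/2015/a.jpg"

if __name__ == "__main__":
    print(evaluate(IP_DENY_POLICY, "oss:GetObject", OBJ, {"acs:SourceIp": "192.168.1.5"}))  # Allow
    print(evaluate(IP_DENY_POLICY, "oss:GetObject", OBJ, {"acs:SourceIp": "10.0.0.1"}))  # Deny
    print(evaluate(CONSOLE_POLICY, "oss:ListObjects", BUCKET,
                   {"oss:Delimiter": "/", "oss:Prefix": "hangzhou/"}))  # Allow
    print(evaluate(CONSOLE_POLICY, "oss:ListObjects", BUCKET,
                   {"oss:Delimiter": "/", "oss:Prefix": "beijing/"}))  # Deny
```

Two points the evaluator makes visible: in the Example 3 policy a request from outside 192.168.0.0/16 is denied even though an Allow statement matches it, because the Deny statement also matches and takes precedence; and in the Scenario 3 policy a listing request is allowed only for the exact prefixes the console needs (the bucket root, hangzhou/, and anything under hangzhou/2015/), so listing beijing/ or listing without a delimiter gets no permission.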