Use RAM to manage OSS permissions

Edit in GitHub

Last Updated: Apr 01, 2020 Edit in GitHub

This topic describes how to manage Object Storage Service (OSS) permissions of a RAM user by using RAM. In the RAM console, you can create custom policies and attach them to a RAM user.

Prerequisites

An Alibaba Cloud account is created. If not, create one before proceeding. To create an Alibaba Cloud account, click account registration page.
You have a basic understanding of the following common system policies:
- AliyunOSSFullAccess: grants a RAM user the permissions to manage OSS buckets.
- AliyunOSSReadOnlyAccess: grants a RAM user the read-only permission on OSS buckets.
You have a basic understanding of OSS permissions. For more information, see Overview.

Attach a custom policy to a RAM user

Create a custom policy based on OSS authorization examples.

For more information, see Create a custom policy.
On the Policies page, click the name of the policy.
On the References tab, click Grant Permission.
In the dialog box that appears, enter the name or ID of the RAM user in the Principal field. Then, select the RAM user from the auto-complete results.
Click OK. Click Finished.

Note For more information, see Grant permissions to a RAM user and Grant permissions to a RAM user group.

OSS authorization examples

Example 1: Authorize a RAM user to manage a bucket named myphotos.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "oss:*",
            "Resource": [
                "acs:oss:*:*:myphotos",
                "acs:oss:*:*:myphotos/*"
            ]
        }
    ]
}

Example 2: Authorize a RAM user to list and read resources in a bucket.

To authorize a RAM user to list and read resources in a bucket named myphotos by using the OSS SDK or OSS CLI, use the following sample script:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "oss:ListObjects",
            "Resource": "acs:oss:*:*:myphotos"
        },
        {
            "Effect": "Allow",
            "Action": "oss:GetObject",
            "Resource": "acs:oss:*:*:myphotos/*"
        }
    ]
}

To authorize a RAM user to use the OSS console to list and read resources in a bucket named myphotos, use the following sample script:

Note When a RAM user logs on to the OSS console, the ListBuckets, GetBucketAcl, and GetObjectAcl API operations are called to check whether the bucket is public.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                      "oss:ListBuckets",
                      "oss:GetBucketStat",
                      "oss:GetBucketInfo",
                      "oss:GetBucketTagging",
                      "oss:GetBucketAcl" 
                      ],    
            "Resource": "acs:oss:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "oss:ListObjects",
                "oss:GetBucketAcl"
            ],
            "Resource": "acs:oss:*:*:myphotos"
        },
        {
            "Effect": "Allow",
            "Action": [
                "oss:GetObject",
                "oss:GetObjectAcl"
            ],
            "Resource": "acs:oss:*:*:myphotos/*"
        }
    ]
}

Example 3: Authorize a RAM user to use a specified IP address to access an OSS bucket.

Add an IP address condition to the Allow element. This allows a RAM user to read data from the myphotos bucket by using an IP address in the 192.168.0.0/16 or 172.12.0.0/16 CIDR block.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                      "oss:ListBuckets",
                      "oss:GetBucketStat",
                      "oss:GetBucketInfo",
                      "oss:GetBucketTagging",
                      "oss:GetBucketAcl" 
                      ], 
            "Resource": [
                "acs:oss:*:*:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "oss:ListObjects",
                "oss:GetObject"
            ],
            "Resource": [
                "acs:oss:*:*:myphotos",
                "acs:oss:*:*:myphotos/*"
            ],
            "Condition":{
                "IpAddress": {
                    "acs:SourceIp": ["192.168.0.0/16", "172.12.0.0/16"]
                }
            }
        }
    ]
}

Add an IP address condition to the Deny element. If the IP address of a RAM user is not in the 192.168.0.0/16 CIDR block, the RAM user cannot access or manage the myphotos bucket.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                      "oss:ListBuckets",
                      "oss:GetBucketStat",
                      "oss:GetBucketInfo",
                      "oss:GetBucketTagging",
                      "oss:GetBucketAcl" 
                      ], 
            "Resource": [
                "acs:oss:*:*:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "oss:ListObjects",
                "oss:GetObject"
            ],
            "Resource": [
                "acs:oss:*:*:myphotos",
                "acs:oss:*:*:myphotos/*"
            ]
        },
        {
            "Effect": "Deny",
            "Action": "oss:*",
            "Resource": [
                "acs:oss:*:*:*"
            ],
            "Condition":{
                "NotIpAddress": {
                    "acs:SourceIp": ["192.168.0.0/16"]
                }
            }
        }
    ]
}

Note A policy with the Deny command has a higher priority than a policy with the Allow command. When a RAM user attempts to read data from the myphotos bucket, but the IP address is not in the 192.168.0.0/16 CIDR block, OSS notifies the RAM user of having no permissions.

Example 4: Authorize a RAM user to read data from an OSS directory.

In this example, the bucket that stores photos is named myphotos. The bucket contains directories that indicate the location where the photos were captured. Each directory contains subdirectories that indicate the years when the photos were captured.

myphotos[Bucket]
  ├── beijing
  │   ├── 2014
  │   └── 2015
  ├── hangzhou
  │   ├── 2013
  │   ├── 2014
  │   └── 2015 // Grant read-only permissions on this directory to a RAM user.
  └── qingdao
      ├── 2014
      └── 2015

You can use different policies to grant read-only permissions on the myphotos/hangzhou/2015/ directory to a RAM user based on specific scenarios. The following examples describe three typical scenarios:

Scenario 1: Authorize a RAM user to read data from objects in the directory, but do not authorize the RAM user to list objects.
In this scenario, the RAM user can use the full path to read object data. We recommend that you attach this policy to your applications.
```
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "oss:GetObject"
            ],
            "Resource": [
                "acs:oss:*:*:myphotos/hangzhou/2015/*"
            ]
        }
    ]
}
```

Scenario 2: Authorize a RAM user to use the OSS CLI to access the myphotos/hangzhou/2015/ directory and list objects in the directory.

In this scenario, the RAM user can use the OSS CLI or call API operations to read data from the directory. We recommend that you use this policy to grant the relevant permissions to your software developers.

In this scenario, the ListObjects permission is required.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "oss:GetObject"
            ],
            "Resource": [
                "acs:oss:*:*:myphotos/hangzhou/2015/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "oss:ListObjects"
            ],
            "Resource": [
                "acs:oss:*:*:myphotos"
            ],
            "Condition":{
                "StringLike":{
                    "oss:Prefix":"hangzhou/2015/*"
                }
            }
        }
    ]
}

Scenario 3: Authorize a RAM user to use the OSS console to access the directory.

In this scenario, the RAM user can use a visual OSS client (for example, Windows File Explorer) to access the myphotos/hangzhou/2015/ directory.

The following permissions are required:

Permission to list all buckets
Permission to list directories under myphotos
Permission to list directories under myphotos/hangzhou

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                      "oss:ListBuckets",
                      "oss:GetBucketStat",
                      "oss:GetBucketInfo",
                      "oss:GetBucketTagging",
                      "oss:GetBucketAcl" 
                      ], 
            "Resource": [
                "acs:oss:*:*:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "oss:GetObject",
                "oss:GetObjectAcl"
            ],
            "Resource": [
                "acs:oss:*:*:myphotos/hangzhou/2015/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "oss:ListObjects"
            ],
            "Resource": [
                "acs:oss:*:*:myphotos"
            ],
            "Condition": {
                "StringLike": {
                    "oss:Delimiter": "/",
                    "oss:Prefix": [
                        "",
                        "hangzhou/",
                        "hangzhou/2015/*"
                    ]
                }
            }
        }
    ]
}