All Products
Search
Document Center

Object Storage Service:Manage object ACLs

Last Updated:Oct 18, 2023

Object Storage Service (OSS) allows you to set access control lists (ACLs) for objects. This way, you can conveniently control access to your objects.

Usage notes

  • When you use packaging tools such as Webpack and Browserify, install OSS SDK for Browser.js by running the npm install ali-oss command.

  • If you want to access an OSS bucket from a browser but no CORS rules are configured for the bucket, the browser rejects the request. Therefore, you must configure CORS rules for a bucket if you want to access the bucket from a browser. For more information, see Installation.

  • In most cases, OSS SDK for Browser.js is used in browsers. To prevent your AccessKey pair from being exposed, we recommend that you use temporary access credentials obtained from Security Token Service (STS) to access OSS.

    The temporary access credentials consist of an AccessKey pair and a security token. The AccessKey pair consists of an AccessKey ID and an AccessKey secret. For more information about how to obtain temporary access credentials, see Use STS for temporary access authorization.

Object ACLs

The following table describes the ACLs that you can configure for an object.

Note

The ACL of an object takes precedence over the ACL of the bucket in which the object is stored. For example, if the ACL of an object in a private bucket is set to public-read, all users, including anonymous users, can read the object.

ACL type

Description

Value

Inherited from bucket

The ACL of the object is the same as that of the bucket in which the object is stored.

default

Private

Only the object owner can perform read and write operations on the object. Other users cannot access the object.

private

Public read

Only the object owner can write data to the object. Other users, including anonymous users, can only read the object.

Warning

All users can access the object over the Internet. This may result in unexpected access to the object and unexpectedly high fees. Exercise caution when you set the ACL to this value.

public-read

Public read/write

All users, including anonymous users, can perform read and write operations on the object.

Warning

All users can access the object and write data to the object over the Internet. This may result in unexpected access to the object and unexpectedly high fees. If a user uploads illicit data or information, your legitimate rights and interests may be infringed. We recommend that you do not set the ACL to this value unless necessary.

public-read-write

Sample code

By default, after you upload an object, the ACL of the object is the same as that of the bucket in which the object is stored. You can use putACL to modify the ACL of the object.

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <title>Document</title>
  </head>
  <body>
    <script src="https://gosspublic.alicdn.com/aliyun-oss-sdk-6.18.0.min.js"></script>
    <script>
      const client = new OSS({
        // Specify the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the region to oss-cn-hangzhou. 
        region: "yourRegion",
        // Specify the temporary AccessKey pair obtained from STS. The AccessKey pair consists of an AccessKey ID and an AccessKey secret. 
        accessKeyId: "yourAccessKeyId",
        accessKeySecret: "yourAccessKeySecret",
        // Specify the security token obtained from STS. 
        stsToken: "yourSecurityToken",
        // Specify the name of the bucket. Example: examplebucket. 
        bucket: "examplebucket",
      });

      async function getACL() {
        try {
          result = await client.getACL("examplefile.txt");
          console.log(result.acl);

          await client.putACL("examplefile.txt", "public-read");
          result = await client.getACL("examplefile.txt");
          console.log(result.acl);
        } catch (e) {
          console.log(e);
        }
      }

      getACL();
    </script>
  </body>
</html>

References

  • For the complete sample code that is used to manage the ACL of an object, visit GitHub.

  • For more information about the API operation that you can call to configure the ACL of an object, see PutObjectACL.

  • For more information about the API operation that you can call to query the ACL of an object, see GetObjectACL.