This tutorial demonstrates how to use Resource Access Management (RAM) policies to control access to Object Storage Service (OSS) buckets, directories, and objects in the directories.

Background information

RAM policies are attached to users. By configuring RAM policies, you can control which resources users such as employees, systems, or applications can access. For example, you can create a RAM policy that grants users read permissions on a bucket.

RAM policies are in the JSON format. A RAM policy includes the following fields:

  • Statement: the authorization statement. A RAM policy can include multiple authorization statements.
  • Effect: the effect of the policy. Valid values: Allow and Deny.
    Note If an Allow statement and a Deny statement both apply to the same request, the Deny statement takes precedence over the Allow statement.
  • Action: the authorized actions on resources.

If you use RAM policies, we recommend that you use RAM Policy Editor to generate RAM policies. For more information, see RAM Policy Editor.

Compared with RAM policies, bucket policies can be configured in the OSS console. A bucket owner can grant other users permissions to access OSS resources. For more information, see Configure bucket policies to authorize other users to access OSS resources.

Buckets and directories

Alibaba Cloud OSS uses a flat data model rather than a hierarchical one: all objects are stored directly in buckets, so OSS has no directories or subdirectories in the sense of a hierarchical file system. However, you can simulate a directory hierarchy in the OSS console to group, classify, and manage objects. The following figure shows some sample directories in the OSS console.

OSS is a distributed object storage service in which each object is stored as a key-value pair and retrieved by its key, the object name. For example, suppose an object named oss-dg.pdf and the following three directories are stored in a bucket named ramtest-bucket: Development, Marketing, and Private.

  • When you create the Development directory, the OSS console creates an object whose key is Development/. A forward slash (/) is included in the key as a delimiter.
  • When you upload an object named ProjectA.docx to the Development directory, the OSS console uploads the object and sets its key to Development/ProjectA.docx.

    In the key, Development is the prefix and the forward slash (/) is the delimiter. You can retrieve a list of all objects that share a common prefix and delimiter in the bucket. In the console, click the Development directory. The console lists the objects in the directory. The following figure shows the objects in the Development directory.

    Note To list objects in the Development directory of the ramtest-bucket bucket, the console sends a request to OSS that lists objects whose names start with the prefix Development/, using a forward slash (/) as the delimiter. The three objects that are displayed are stored in the ramtest-bucket bucket with the following keys: Development/Alibaba Cloud.pdf, Development/ProjectA.docx, and Development/ProjectB.docx.

Before you proceed with this tutorial, you must understand the concept of root-level bucket content. In this example, the following objects are stored in the ramtest-bucket bucket:

  • Development/Alibaba Cloud.pdf
  • Development/ProjectA.docx
  • Development/ProjectB.docx
  • Marketing/data2020.xlsx
  • Marketing/data2021.xlsx
  • Private/2017/images.zip
  • Private/2017/promote.pptx
  • oss-dg.pdf

The keys of these objects define a logical hierarchy with Development, Marketing, and Private as root-level directories and oss-dg.pdf as a root-level object. When you click the bucket name in the OSS console, the common prefixes shared by multiple objects (Development/, Marketing/, and Private/) are displayed as root-level directories. The oss-dg.pdf object has no prefix, so it is displayed as a root-level object.


Requests and responses

Before you grant permissions to RAM users, you must understand how the OSS console interacts with OSS when you click a bucket name in the console.

  • Send a request to access a bucket

    When you click the ramtest-bucket bucket in the OSS console, the console sends a GetBucket (ListObjects) request to OSS.

    • Sample request
      GET /?prefix=&delimiter=/ HTTP/1.1
      Host: ramtest-bucket.oss-cn-hangzhou.aliyuncs.com
      Date: Fri, 24 Feb 2012 08:43:27 GMT
      Authorization: OSS qn6qrrqxo2oawuk53otf****:DNrnx7xHk3sgysx7I8U9I9IY****

      In the preceding request, the value of the prefix parameter is empty and the value of the delimiter parameter is a forward slash (/).

    • Sample response
      HTTP/1.1 200 OK
      x-oss-request-id: 534B371674E88A4D8906****
      Date: Fri, 7 Aug 2020 08:43:27 GMT
      Content-Type: application/xml
      Content-Length: 712
      Connection: keep-alive
      Server: AliyunOSS
      <?xml version="1.0" encoding="UTF-8"?>
      <ListBucketResult xmlns="http://doc.oss-cn-hangzhou.aliyuncs.com">
        <Name>ramtest-bucket</Name>
        <Prefix></Prefix>
        <Marker></Marker>
        <MaxKeys>100</MaxKeys>
        <Delimiter>/</Delimiter>
        <IsTruncated>false</IsTruncated>
        <Contents>
          <Key>oss-dg.pdf</Key>
          ...
        </Contents>
        <CommonPrefixes>
          <Prefix>Development</Prefix>
        </CommonPrefixes>
        <CommonPrefixes>
          <Prefix>Marketing</Prefix>
        </CommonPrefixes>
        <CommonPrefixes>
          <Prefix>Private</Prefix>
        </CommonPrefixes>
      </ListBucketResult>
    • Response parsing

      The console parses the response returned by OSS and displays the objects and directories in the root directory of the bucket.

  • Send a request to access a directory stored in the bucket

    When you click the Development/ directory of the ramtest-bucket bucket in the console, the console sends a GetBucket (ListObjects) request to OSS. The request includes the prefix and delimiter parameters.

    • Sample request
      GET /?prefix=Development/&delimiter=/ HTTP/1.1
      Host: ramtest-bucket.oss-cn-hangzhou.aliyuncs.com
      Date: Fri, 24 Feb 2012 08:43:27 GMT
      Authorization: OSS qn6qrrqxo2oawuk53otf****:DNrnx7xHk3sgysx7I8U9I9IY****

      In the request, the value of the prefix parameter is Development/ and the value of the delimiter parameter is a forward slash (/).

    • Sample response

      In the response, OSS returns objects whose keys include the specified prefix.

      HTTP/1.1 200 OK
      x-oss-request-id: 534B371674E88A4D8906****
      Date: Fri, 7 Aug 2020 08:43:27 GMT
      Content-Type: application/xml
      Content-Length: 712
      Connection: keep-alive
      Server: AliyunOSS
      <?xml version="1.0" encoding="UTF-8"?>
      <ListBucketResult xmlns="http://doc.oss-cn-hangzhou.aliyuncs.com">
        <Name>ramtest-bucket</Name>
        <Prefix>Development/</Prefix>
        <Marker></Marker>
        <MaxKeys>100</MaxKeys>
        <Delimiter>/</Delimiter>
        <IsTruncated>false</IsTruncated>
        <Contents>
          <Key>ProjectA.docx</Key>
          ...
        </Contents>
        <Contents>
          <Key>ProjectB.docx</Key>
          ...
        </Contents>
        <Contents>
          <Key>Alibaba Cloud.pdf</Key>
          ...
        </Contents>
      </ListBucketResult>
    • Response parsing

      The console parses the response returned by OSS and displays the objects in the Development/ directory.

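The two listings above can be reproduced offline. The following function is an added example, not part of the original tutorial or of any OSS SDK; it models how a prefix/delimiter listing groups a flat key namespace into Contents and CommonPrefixes, over a constructed copy of the ramtest-bucket keys that includes the Development/ placeholder object the console creates for that directory.

```python
# Constructed key list for ramtest-bucket, as described in the tutorial.
# "Development/" is the placeholder object the console creates for the directory.
RAMTEST_BUCKET_KEYS = [
    "Development/",
    "Development/Alibaba Cloud.pdf",
    "Development/ProjectA.docx",
    "Development/ProjectB.docx",
    "Marketing/data2020.xlsx",
    "Marketing/data2021.xlsx",
    "Private/2017/images.zip",
    "Private/2017/promote.pptx",
    "oss-dg.pdf",
]


def list_objects(keys, prefix="", delimiter="/"):
    """Return (contents, common_prefixes), the two parts of a ListBucketResult.

    A key that starts with the prefix and still contains the delimiter in the
    remainder of its name is rolled up into one CommonPrefixes entry (what the
    console shows as a directory). Every other matching key is returned as an
    object in Contents, so the Development/ placeholder itself appears in
    Contents when the listing is done with prefix="Development/".
    """
    contents = []
    common_prefixes = []
    for key in sorted(keys):  # keys are listed in lexicographic order
        if not key.startswith(prefix):
            continue
        rest = key[len(prefix):]
        if delimiter and delimiter in rest:
            # Everything up to and including the first delimiter is the directory.
            rolled_up = prefix + rest.split(delimiter, 1)[0] + delimiter
            if rolled_up not in common_prefixes:
                common_prefixes.append(rolled_up)
        else:
            contents.append(key)
    return contents, common_prefixes
```

Calling list_objects(RAMTEST_BUCKET_KEYS) corresponds to the first sample request (prefix empty), and list_objects(RAMTEST_BUCKET_KEYS, "Development/") to the second.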

Scenarios

Example: You are the owner of the ramtest-bucket bucket, and the access control list (ACL) of every object or directory in the bucket is private by default. You want to grant RAM user Anne read and write permissions on the Development directory stored in the bucket, including its subdirectories and objects, and grant RAM user Leo read-only permissions on the Marketing directory, including its subdirectories and objects. In addition, you want to prevent all RAM users within the current Alibaba Cloud account from accessing the Private directory.

Step 1: Create a bucket and upload objects to the bucket.

  1. Create the ramtest-bucket bucket.
    1. Log on to the OSS console by using your Alibaba Cloud account.
    2. Create a bucket named ramtest-bucket. For more information, see Create buckets.
  2. Create the following directories in the bucket: Development, Marketing, and Private. For more information, see Create directories.
  3. Upload objects to specified paths based on the following requirements:
    • Upload the oss-dg.pdf object to the root-level directory of the ramtest-bucket bucket.
    • Upload the Alibaba Cloud.pdf, ProjectA.docx, and ProjectB.docx objects to the Development directory.
    • Upload the data2020.xlsx and data2021.xlsx objects to the Marketing directory.
    • Upload the images.zip and promote.pptx objects to the Private directory.

    For more information, see Upload objects.

Step 2: Create RAM users Anne and Leo.

Create RAM users Anne and Leo by using the RAM console. For more information about how to create a RAM user, see Create a RAM user.

Step 3: Grant read and write permissions on the Development directory to RAM user Anne.

  1. Create a custom policy named AllowAnneToReadAndWriteFolderDevelopment and grant RAM user Anne read and write permissions on the Development directory and all objects stored in it.
    1. In the left-side navigation pane, choose Permissions > Policies.
    2. On the Policies page, click Create Policy.
    3. On the Create Custom Policy page, set Policy Name to AllowAnneToReadAndWriteFolderDevelopment and Configuration Mode to script. The policy document contains the following configurations:
      {
          "Version":"1",
          "Statement":[
              {
                  "Effect":"Allow",
                  "Action":[
                      "oss:ListObjects"
                  ],
                  "Resource":[
                      "acs:oss:*:*:ramtest-bucket"
                  ],
                  "Condition":{
                      "StringEquals":{
                          "oss:Prefix":[
                              "Development",
                              "Development/*"
                          ]
                      }
                  }
              },
              {
                  "Effect":"Allow",
                  "Action":[
                      "oss:GetObject",
                      "oss:PutObject",
                      "oss:GetObjectAcl"
                  ],
                  "Resource":[
                      "acs:oss:*:*:ramtest-bucket/Development/*"
                  ]
              }
          ]
      }
    4. Click OK.
  2. Attach the AllowAnneToReadAndWriteFolderDevelopment policy to RAM user Anne. For more information, see Grant permissions to a RAM user.

Step 4: Grant RAM user Leo read-only permissions on the Marketing directory.

Refer to Step 3 to create a custom policy named AllowLeoToReadAndWriteFolderMarketing and grant RAM user Leo read-only permissions on the Marketing directory and all objects stored in it. The policy document contains the following configurations:
{
    "Version":"1",
    "Statement":[
        {
            "Effect":"Allow",
            "Action":[
                "oss:ListObjects"
            ],
            "Resource":[
                "acs:oss:*:*:ramtest-bucket"
            ],
            "Condition":{
                "StringEquals":{
                    "oss:Prefix":[
                        "Marketing",
                        "Marketing/*"
                    ]
                }
            }
        },
        {
            "Effect":"Allow",
            "Action":[
                "oss:GetObject",
                "oss:GetObjectAcl"
            ],
            "Resource":[
                "acs:oss:*:*:ramtest-bucket/Marketing/*"
            ]
        }
    ]
}

Step 5: Deny all RAM users within the current Alibaba Cloud account access to the Private directory.

  1. Create a user group and add members to it.
    For more information about how to create a user group, see Create a user group. After you create the user group, add all RAM users within the current Alibaba Cloud account to the group. For more information, see Add a RAM user to a RAM user group.
  2. Create a custom policy named DenyAllRamToAccessFolderPrivate and deny all RAM users within the current Alibaba Cloud account access to the Private directory.
    1. In the left-side navigation pane, choose Permissions > Policies.
    2. On the Policies page, click Create Policy.
    3. On the Create Custom Policy page, set Policy Name to DenyAllRamToAccessFolderPrivate and Configuration Mode to script. The policy document contains the following configurations:
      {
          "Version":"1",
          "Statement":[
              {
                  "Effect":"Deny",
                  "Action":[
                      "oss:*"
                  ],
                  "Resource":[
                      "acs:oss:*:*:ramtest-bucket/Private/*"
                  ],
                  "Condition":{}
              },
              {
                  "Effect":"Deny",
                  "Action":[
                      "oss:ListObjects"
                  ],
                  "Resource":[
                      "acs:oss:*:*:*"
                  ],
                  "Condition":{
                      "StringEquals":{
                          "oss:Prefix":[
                              "Private/",
                              "Private/*"
                          ]
                      }
                  }
              }
          ]
      }
    4. Click OK.
  3. Attach the DenyAllRamToAccessFolderPrivate policy to the user group. For more information, see Grant permissions to a RAM user group.
    After you attach the RAM policy, none of the RAM users in the group can access the Private directory stored in the ramtest-bucket bucket. In addition, when a RAM user in the group attempts to list the Private/2017/images.zip and Private/2017/promote.pptx objects stored in the Private directory, OSS returns an error response.
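Before attaching the three policies from Steps 3 to 5, it is worth checking what they actually decide for concrete requests. The following evaluator is an added example, not Alibaba Cloud's policy engine; it models only the rules this tutorial relies on: an explicit Deny beats an Allow, a request that no statement allows is implicitly denied, and `*` is a wildcard in Action, Resource and oss:Prefix condition values. The policy documents are copied from the tutorial (the "Version" field is omitted), and the region and account ID in the test ARNs are constructed placeholders.

```python
import fnmatch

# Policy documents from the tutorial, reduced to the fields the evaluator uses.
ANNE_RW_DEVELOPMENT = {"Statement": [
    {"Effect": "Allow", "Action": ["oss:ListObjects"], "Resource": ["acs:oss:*:*:ramtest-bucket"],
     "Condition": {"StringEquals": {"oss:Prefix": ["Development", "Development/*"]}}},
    {"Effect": "Allow", "Action": ["oss:GetObject", "oss:PutObject", "oss:GetObjectAcl"],
     "Resource": ["acs:oss:*:*:ramtest-bucket/Development/*"]}]}
LEO_RO_MARKETING = {"Statement": [
    {"Effect": "Allow", "Action": ["oss:ListObjects"], "Resource": ["acs:oss:*:*:ramtest-bucket"],
     "Condition": {"StringEquals": {"oss:Prefix": ["Marketing", "Marketing/*"]}}},
    {"Effect": "Allow", "Action": ["oss:GetObject", "oss:GetObjectAcl"],
     "Resource": ["acs:oss:*:*:ramtest-bucket/Marketing/*"]}]}
DENY_ALL_PRIVATE = {"Statement": [
    {"Effect": "Deny", "Action": ["oss:*"], "Resource": ["acs:oss:*:*:ramtest-bucket/Private/*"]},
    {"Effect": "Deny", "Action": ["oss:ListObjects"], "Resource": ["acs:oss:*:*:*"],
     "Condition": {"StringEquals": {"oss:Prefix": ["Private/", "Private/*"]}}}]}


def _matches(pattern, value):
    # "*" matches any run of characters, including "/" and ":" (assumed wildcard semantics).
    return fnmatch.fnmatchcase(value, pattern)


def statement_applies(stmt, action, resource, context):
    """True when the statement's Action, Resource and Condition all match the request."""
    if not any(_matches(p, action) for p in stmt["Action"]):
        return False
    if not any(_matches(p, resource) for p in stmt["Resource"]):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        if operator != "StringEquals":  # the only operator the tutorial's policies use
            raise NotImplementedError(operator)
        for key, patterns in keys.items():
            # A request without the key (e.g. GetObject carries no oss:Prefix) cannot satisfy it.
            if not any(_matches(p, context.get(key, "")) for p in patterns):
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Explicit Deny beats Allow; a request no statement allows is implicitly denied."""
    context = context or {}
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_applies(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision
```

Note that Anne's policy does not let her list the bucket root (empty prefix), because neither "Development" nor "Development/*" matches an empty oss:Prefix; the console's first click therefore fails for her unless a separate statement allows it.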