You can use bucket policies to authorize other users to access your OSS resources.

Background information

Compared with RAM policies, bucket policies can be configured directly in the OSS console. The bucket owner can use them to grant other users access to OSS resources, for example to share private objects with specified users or groups.

Procedure

  1. Log on to the OSS console.
  2. Click Buckets, and then click the name of the target bucket.
  3. Click the Files tab. On the page that appears, click Authorize.
    Note You can also choose Access Control > Bucket Policy. In the Bucket Policy section, click Configure.
  4. In the Authorize dialog box that appears, click Authorize.
  5. In the Authorize page that appears, set the parameters listed in the following table and click OK.
    Parameter Description
    Applied To
    • Whole Bucket: The authorization policy applies to the whole bucket.
    • Specified Resource: The authorization policy applies only to specified resources. You must also enter the resource path. Example: abc/myphoto.png. If the policy applies to a directory, you must add an asterisk (*) at the end of the directory. Example: abc/*.
    Accounts
    • Sub Accounts: Select a RAM user under the current account from the drop-down list to grant the RAM user access to the bucket. You can also enter a keyword in the search box for fuzzy matching of a RAM user. To see this list, you must log on to the OSS console with an Alibaba Cloud account, or with a RAM user that has management permissions on the bucket and the ListUsers permission in RAM. Otherwise, the RAM user list of the current Alibaba Cloud account is not displayed.
    • Other Accounts: You can grant permissions to other accounts, including Alibaba Cloud accounts, RAM users, or temporary users generated by using STS.
      • If you need to grant an Alibaba Cloud account or a RAM user permissions to access your bucket, enter the UID of the account to which you want to grant the permissions.
      • If you need to grant a temporary user permissions to access your bucket, enter the user and role information in the following format: arn:sts::{RoleOwnerUid}:assumed-role/{RoleName}/{RoleSessionName}. For example, the role used to generate a temporary user is testrole, the UID of the Alibaba Cloud account that owns the role is 12345, and the RoleSessionName specified when the temporary user is generated is testsession. In this case, enter arn:sts::12345:assumed-role/testrole/testsession. An asterisk (*) wildcard is supported in each field. For example, if you want to grant permissions to all temporary users, you can enter arn:sts::*:*/*/*. Note that this pattern matches STS sessions of every Alibaba Cloud account, not only your own, so combine it with a narrow resource path or with Conditions. For more information about how to generate a temporary user, see Access OSS with a temporary access credential provided by STS.
    • Anonymous Accounts (*): If you need to authorize all users, select Anonymous Accounts (*). Unless you restrict the policy with Conditions, the resources then become accessible to anyone, including unauthenticated requests from the Internet.
    Notice
    • If you grant a temporary user generated by using STS permissions to access your OSS resources, the temporary user cannot be used to access your resources in the OSS console. However, you can use ossutil, OSS API operations, and OSS SDKs to access your OSS resources.
    • For more information about how to grant the ListUsers permission to RAM users, see Grant permissions to a RAM user.
    Authorized Operation
    • Read Only: Authorized users can view, list, and download the resources.
    • Read/Write: Authorized users can read from and write to the resources.
    • Any operation: Authorized users can perform any operations on the resources.
    • None: Authorized users cannot perform any operations on the resources.
      Note If multiple bucket policies apply to a user, the user is granted the union of the permissions defined in those policies, except that a policy whose Authorized Operation is set to None (a deny) takes precedence over every grant. For example, if the first policy grants Read Only and the second grants Read/Write, the user obtains Read/Write permissions. If a third policy is set to None, the user has no permissions on the resources, because None takes precedence.
    Conditions Optional. Only users that meet specific conditions can access OSS resources.
    • IP =: Specify IP addresses or CIDR blocks that can access OSS resources.
    • IP ≠: Specify IP addresses or CIDR blocks that cannot access OSS resources.
      Note
      • An example of an IP address is 10.10.10.10. Separate multiple IP addresses with commas (,).
      • An example of a CIDR block is 10.10.10.1/24.
    • Access Method: By default, authorized users can access OSS resources over both HTTP and HTTPS. To allow only one method, for example HTTPS, add a policy that denies the other method. To deny HTTP, configure the parameters as follows:
      1. Set Authorized Operation to None.
      2. Set Conditions to Access Method.
      3. Set Access Method to HTTP.
      Requests sent over HTTP are then rejected regardless of the other policies that grant access to the same resources.
  6. Use the authorized Alibaba Cloud account or RAM user to access authorized OSS resources.
    You can use an authorized Alibaba Cloud account or RAM user to access authorized OSS resources by using the following methods:
    • OSS console
      Log on to the OSS console. In the left-side navigation pane, click the + icon next to My OSS Paths, and add the path of the object or directory for which the RAM user has been granted permissions. For more information, see My OSS Paths.
      Notice
      • If you grant a temporary user generated by using STS permissions to access your OSS resources, the temporary user cannot be used to access your resources in the OSS console. However, you can use ossutil, OSS API operations, and OSS SDKs to access your OSS resources.
      • If you grant the RAM user permissions to access a specific folder or object, you may be prompted that you are not authorized to access OSS through the authorized path. In this case, ignore the prompt.
    • ossutil

      Use an authorized Alibaba Cloud account to access authorized OSS resources by using ossutil. For more information, see Overview.

    • ossbrowser

      Use an authorized Alibaba Cloud account to log on to ossbrowser. Enter the authorized folder in the Preset OSS Path field. For more information, see Quick start.

    • OSS SDK

      Use the OSS SDKs in various programming languages to access authorized OSS resources. For more information, see Introduction.

    • Object URL (for authorized anonymous users only)

      Enter the URL of an object in a browser to access the object. The object URL consists of the object path and the OSS domain name of the bucket or the custom domain name bound to the bucket. For more information, see Bind custom domain names. Example: http://mybucket.oss-cn-beijing.aliyuncs.com/file/myphoto.png. For more information, see OSS domain names.

Scenarios

Scenario 1: Company A wants to authorize its partner, Company B, to access the objects in the date/ directory of a bucket. The procedure is as follows:

  1. Configure the bucket policy. For more information, see Procedure. Set the parameters as follows:
    • Applied To: Select Specified Resource and set Resource Paths to date/*.
    • Accounts: Select Other Accounts and enter the UID of the RAM user of Company B.
    • Authorized Operation: Select Read Only.
    • Conditions: Leave it unspecified.
  2. Employees of Company B use the authorized RAM user and follow Step 6 to access resources authorized by Company A.

Scenario 2: Company C wants to authorize its employees to access internal public documents stored in the file/ directory of an OSS bucket.

Because Company C has a large number of employees, authorization by using RAM policies takes a lot of time and effort. In this case, Company C can configure a bucket policy to specify an IP address that can be used to access the specified resources. The procedure is as follows:

  1. Configure the bucket policy. For more information, see Procedure. Set the parameters as follows:
    • Applied To: Select Specified Resource and set Resource Paths to file/*.
    • Accounts: Select Anonymous Accounts (*).
    • Authorized Operation: Select Read Only.
    • Conditions: Select IP = and enter the public IP address or CIDR block from which Company C's employees access the Internet.
  2. Employees of Company C access the authorized resources from the specified IP address by using the methods described in Step 6, for example by entering the object URL in a browser. No Alibaba Cloud account is required because the policy applies to anonymous accounts; requests from any other IP address are rejected.

Scenario 3: Company D wants to authorize its employees and its partner, Company E, to access product documentation stored in the public/ directory of an OSS bucket. To ensure access security, only access requests over HTTPS are allowed.

Three policies must be configured to meet the preceding requirements. The procedure is as follows:

  1. Configure a bucket policy to grant Company E read-only access to public/* based on the steps described in Scenario 1.
  2. Configure a bucket policy to grant the employees of Company D read-only access to public/* from the company IP address based on the steps described in Scenario 2.
  3. Configure a bucket policy to deny access requests over HTTP. Set the parameters as follows:
    • Applied To: Select Specified Resource and set Resource Paths to public/*.
    • Accounts: Select Anonymous Accounts (*), so that the deny applies to every requester.
    • Authorized Operation: Select None.
    • Conditions: Select Access Method and set it to HTTP.
  4. After the policies are configured, access the authorized resources. For more information, see Step 6. Before you access the resources, note that:
    • You must send requests over HTTPS when you access the resources on a web page. Example: https://mybucket.oss-cn-beijing.aliyuncs.com/public/myphoto.png.
    • Access through the console is not affected because the console is accessed over HTTPS.
    • When you log on to ossbrowser, select HTTPS encryption.

      If your ossbrowser is not the latest version, update your ossbrowser or set Endpoint to Customize and enter the corresponding HTTPS endpoint. Example: https://oss-cn-beijing.aliyuncs.com.

    • When setting Endpoint on ossutil, you must enter the corresponding HTTPS endpoint. Example: https://oss-cn-beijing.aliyuncs.com.
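
The console options in the Procedure table (Applied To, Accounts, Authorized Operation, Conditions) are stored as a JSON bucket policy, and the precedence note under Authorized Operation is the standard rule that an explicit deny overrides every allow. The following added example, which is not part of the original page and not Alibaba Cloud's own code, writes the three Scenario 3 policies as one JSON document and evaluates sample requests against it locally. The UIDs, the IP address, the bucket name and the mapping of "Read Only" to a set of oss: actions are assumptions; the evaluator is a simplified model of how OSS combines statements, not the service's implementation.

```python
"""Scenario 3 bucket policy as JSON, plus a local deny-wins evaluator (added example)."""
import fnmatch
import ipaddress
import json

# Assumed placeholder identifiers (not from the original page).
OWNER_UID = "100000000000000"      # Alibaba Cloud account that owns the bucket
BUCKET = "mybucket"
COMPANY_E_UID = "200000000000000"  # UID of Company E's account (Scenario 1 part)
COMPANY_D_IP = "203.0.113.10"      # Company D's public egress IP (constructed)

# Actions assumed to correspond to the console's "Read Only" option.
READ_ONLY_ACTIONS = ["oss:GetObject", "oss:GetObjectAcl", "oss:ListObjects"]


def scenario3_policy():
    """Allow Company E, allow anonymous from Company D's IP, deny everything over HTTP."""
    res = [f"acs:oss:*:{OWNER_UID}:{BUCKET}/public/*"]
    return {
        "Version": "1",
        "Statement": [
            # Scenario 1 part: Other Accounts = Company E UID, Read Only, no condition
            {"Effect": "Allow", "Action": READ_ONLY_ACTIONS,
             "Principal": [COMPANY_E_UID], "Resource": res},
            # Scenario 2 part: Anonymous Accounts (*), Read Only, IP = company address
            {"Effect": "Allow", "Action": READ_ONLY_ACTIONS,
             "Principal": ["*"], "Resource": res,
             "Condition": {"IpAddress": {"acs:SourceIp": [COMPANY_D_IP]}}},
            # Step 3: Authorized Operation = None, Access Method = HTTP (a Deny)
            {"Effect": "Deny", "Action": ["oss:*"], "Principal": ["*"], "Resource": res,
             "Condition": {"Bool": {"acs:SecureTransport": ["false"]}}},
        ],
    }


def _ip_in(ip, blocks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(b, strict=False) for b in blocks)


def _condition_holds(cond, ctx):
    """Every condition operator and key must hold (IpAddress / NotIpAddress / Bool)."""
    for op, kv in cond.items():
        for key, values in kv.items():
            actual = ctx.get(key)
            if op == "IpAddress" and not (actual and _ip_in(actual, values)):
                return False
            if op == "NotIpAddress" and actual and _ip_in(actual, values):
                return False
            if op == "Bool" and str(actual).lower() not in [v.lower() for v in values]:
                return False
    return True


def _matches(stmt, principal, action, resource, ctx):
    """A statement applies when principal, action, resource and conditions all match."""
    return (any(fnmatch.fnmatchcase(principal, p) for p in stmt["Principal"])
            and any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"])
            and any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"])
            and _condition_holds(stmt.get("Condition", {}), ctx))


def is_allowed(policy, principal, action, resource, ctx):
    """Explicit Deny wins over any Allow; a request matching no statement is denied."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _matches(s, principal, action, resource, ctx)}
    return "Deny" not in effects and "Allow" in effects


if __name__ == "__main__":
    policy = scenario3_policy()
    print(json.dumps(policy, indent=2))
    obj = f"acs:oss:*:{OWNER_UID}:{BUCKET}/public/guide.pdf"
    http_ctx = {"acs:SourceIp": COMPANY_D_IP, "acs:SecureTransport": "false"}
    print("anonymous over HTTP from company IP:",
          is_allowed(policy, "anonymous", "oss:GetObject", obj, http_ctx))
```

The evaluator shows why the deny policy must use Anonymous Accounts (*): with Principal "*" it matches Company E's account as well as anonymous requests, so a plain-HTTP download is refused for everyone even though two Allow statements would otherwise grant it. The JSON produced by scenario3_policy() can be uploaded with the Python SDK's bucket.put_bucket_policy(json.dumps(policy)) or with the ossutil bucket-policy command, and retrieved for review with get_bucket_policy(); compare it with what the console generated before relying on the assumed action list.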