You can configure bucket policies to authorize other users to access specified Object Storage Service (OSS) resources.

Background information

  • The owner of a bucket can configure bucket policies for the bucket in the OSS console by using the graphical user interface (GUI) or by specifying policy syntax. Before you configure bucket policies by specifying policy syntax, you must understand the Action, Resource, and Condition fields in bucket policies. For more information, see Overview.
  • If you select Anonymous Accounts (*) for the Accounts parameter and do not specify the Conditions parameter, the bucket policy applies to all users except the bucket owner. If you select Anonymous Accounts (*) and also specify the Conditions parameter, the bucket policy applies to all users, including the bucket owner. This means that a Deny policy with a condition (for example, IP ≠ or Access Method) also restricts the bucket owner, so check that your own requests satisfy the condition before you save it.
  • You can configure multiple bucket policies for a bucket. However, the total size of the policies cannot exceed 16 KB.

Method 1: Configure bucket policies by using the GUI

  1. Log on to the OSS console.
  2. In the left-side navigation pane, click Buckets. On the Buckets page, click the name of the bucket for which you want to configure bucket policies.
  3. In the left-side navigation pane, click Files. On the page that appears, click Authorize.
    You can also choose Access Control > Bucket Policy in the left-side navigation pane, and then click Configure in the Bucket Policy section.
  4. On the GUI tab, click Authorize.
  5. In the Authorize panel, configure the following parameters and then click OK.
    Applied To: Select the resources that you want to authorize other users to access.
    • Whole Bucket: The authorization policy applies to all resources in the whole bucket.
    • Specified Resource: The authorization policy applies only to specified resources in the bucket. You can configure multiple bucket policies for specific resources in a bucket.
      • Configure a bucket policy for a directory

        To configure a bucket policy to authorize users to access all subdirectories and objects within a directory, append a slash and an asterisk (/*) to the directory name. For example, to authorize users to access all subdirectories and objects within a directory named abc, enter abc/*.

      • Configure a bucket policy for a specific object

        To configure a bucket policy to authorize users to access a specific object, enter the full path of the object without the bucket name. For example, to authorize users to access an object named myphoto.png in the abc directory, enter abc/myphoto.png.

    Accounts: Select the type of accounts that you want to authorize.
    • Anonymous Accounts (*): Select this option if you want to authorize all users to access the specified resources.
    • RAM Users: Select this option if you want to authorize the Resource Access Management (RAM) users of the current Alibaba Cloud account to access the specified resources. You can select individual RAM users from the drop-down list. To authorize multiple RAM users, we recommend that you enter the keyword of the RAM usernames in the search box for fuzzy match.
      Notice To select this option, you must access the OSS console by using an Alibaba Cloud account or a RAM user that has management permissions on the bucket and the ListUsers permission in the RAM console. Otherwise, the RAM user list of the current Alibaba Cloud account is inaccessible. For more information about how to grant the ListUsers permission to RAM users, see Grant permissions to a RAM user.
    • Other Accounts: Select this option if you want to authorize other Alibaba Cloud accounts, RAM users, or temporary users generated by Security Token Service (STS) to access the specified resources.
      • To authorize other Alibaba Cloud accounts or RAM users to access the specified resources, enter the UIDs of the accounts or RAM users.
      • To authorize temporary users generated by STS to access the specified resources, enter the user and role information in the following format: arn:sts::{RoleOwnerUid}:assumed-role/{RoleName}/{RoleSessionName}. For example, the role used to generate a temporary user is testrole, the UID of the Alibaba Cloud account that owns the role is 12345, and the RoleSessionName that is specified when the temporary user is generated is testsession. In this case, enter arn:sts::12345:assumed-role/testrole/testsession. To authorize all temporary users to access the specified resources, use asterisks (*) as wildcards. For example, enter arn:sts::*:*/*/*. For more information about how to generate a temporary user, see Use a temporary credential provided by STS to access OSS.
      Notice If you authorize a temporary user generated by STS to access your OSS resources, the temporary user cannot use the OSS console to access your resources. However, the user can use ossutil, OSS API operations, or OSS SDKs to access your OSS resources.
    Authorized Operation: You can specify authorized operations by using either Basic Settings or Advanced Settings.
    • Basic Settings
      If you select this method, you can configure the following permissions based on your requirements. You can move the pointer over the mark icon on the right side of each permission to view the actions that correspond to the permission option.
      • Read Only: Authorized users can view, list, and download the specified resources.
      • Read/Write: Authorized users can read data from and write data to the specified resources.
      • Any Operation: Authorized users can perform all operations on the specified resources.
      • None: Authorized users cannot perform operations on the specified resources.
      Notice
      • If multiple bucket policies are configured for a user, the user has all the permissions defined in the policies. However, the policy in which Authorized Operation is set to None takes precedence. For example, if you configure a policy to grant the Read Only permission to a user, and then configure another policy to grant the Read/Write permission to the same user, the permission of the user is Read/Write. If you configure a third policy to grant the None permission to the user, the permission of the user is None.
      • The authorization effect for Read Only, Read/Write, and Any Operation is Allow, and the authorization effect for None is Deny.
    • Advanced Settings

      If you select this method, you must configure the following parameters:

      • Effect: Select Allow or Deny.
      • Action: Specify the operation that you want to allow or deny. You can specify an action that is supported by OSS. For more information about the actions that you can specify, see Overview.
    Conditions: Optional. You can configure this parameter in both Basic Settings and Advanced Settings to specify the conditions that users must meet to access OSS resources.
    • Access Method: By default, authorized users can access OSS resources over both HTTP and HTTPS. Select HTTPS to allow the authorized users to access the specified resources only over HTTPS, or HTTP to allow access only over HTTP. HTTPS encrypts requests and data in transit, so prefer it over HTTP.

      If you want to force all requests to the bucket to use one protocol, such as HTTPS, you must write the bucket policy in policy syntax (see Method 2) rather than in the GUI. For more information, see How do I configure an HTTPS request and an SSL certificate?.

    • IP =: Specify the IP addresses or Classless Inter-Domain Routing (CIDR) blocks that can be used to access OSS resources. Separate multiple IP addresses with commas (,).
    • IP ≠: Specify IP addresses or CIDR blocks that cannot be used to access OSS resources. Separate multiple IP addresses with commas (,).
  6. Click OK.
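
Before saving several policies on one bucket, it helps to check how they combine. The following script is an added example (not code from this page or from Alibaba Cloud) that simulates the evaluation rules stated above: Allow statements are unioned, a matching Deny always wins, and Anonymous Accounts (*) covers the bucket owner only when a Condition is present. It reuses the UIDs and bucket name from the Method 2 examples. The request fields, the assumption that the owner has implicit access, and the condition key acs:SecureTransport for the HTTP/HTTPS check (the page itself names only the IP and prefix keys) are this example's own and should be checked against the linked policy reference.

```python
import fnmatch
import ipaddress

OWNER_UID = "174649585760xxxx"   # resource owner UID from the page's examples
RAM_UID = "20214760404935xxxx"   # RAM user UID from Example 3
BUCKET = f"acs:oss:*:{OWNER_UID}:examplebucket"
ALL = [BUCKET, BUCKET + "/*"]    # the bucket itself plus every object in it

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match_any(patterns, value):
    # Action and Resource use "*" as a glob wildcard.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _ip_in(cidrs, ip):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))

def _condition_holds(cond, req):
    """True only if every operator/key pair holds; unsupported pairs fail closed."""
    for operator, keys in cond.items():
        for key, values in keys.items():
            if (operator, key) == ("IpAddress", "acs:SourceIp"):        # GUI "IP ="
                ok = _ip_in(values, req["source_ip"])
            elif (operator, key) == ("NotIpAddress", "acs:SourceIp"):   # GUI "IP !="
                ok = not _ip_in(values, req["source_ip"])
            elif (operator, key) == ("Bool", "acs:SecureTransport"):    # Access Method; key name assumed
                ok = req["https"] == (str(_as_list(values)[0]).lower() == "true")
            elif (operator, key) == ("StringLike", "oss:Prefix"):       # Example 3
                ok = _match_any(values, req.get("prefix", ""))
            else:
                ok = False
            if not ok:
                return False
    return True

def _principal_matches(st, req):
    principals = _as_list(st["Principal"])
    if req["principal"] in principals:
        return True
    # Background information: "*" without a Condition excludes the bucket owner;
    # "*" with a Condition applies to the owner as well.
    return "*" in principals and (req["principal"] != req["owner"] or bool(st.get("Condition")))

def evaluate(policies, req):
    """Return "Allow" or "Deny" for one request against every policy on the bucket.
    Page rules: Allows are unioned, any matching Deny wins, no matching Allow means Deny.
    Owner implicit access is this example's assumption; only an explicit Deny restricts it."""
    allowed = req["principal"] == req["owner"]
    for policy in policies:
        for st in policy["Statement"]:
            if not (_principal_matches(st, req)
                    and _match_any(st["Action"], req["action"])
                    and _match_any(st["Resource"], req["resource"])
                    and _condition_holds(st.get("Condition", {}), req)):
                continue
            if st["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"

def _policy(effect, actions, resources, principal="*", condition=None):
    st = {"Effect": effect, "Action": actions, "Principal": [principal], "Resource": resources}
    if condition:
        st["Condition"] = condition
    return {"Version": "1", "Statement": [st]}

# Constructed single-statement policies: the Basic Settings options for the RAM user, an unconditioned
# Deny for Anonymous Accounts (*), a force-HTTPS Deny, Example 2's IP restriction, Example 3's listing.
READ_ONLY = _policy("Allow", ["oss:GetObject", "oss:ListObjects"], ALL, RAM_UID)
READ_WRITE = _policy("Allow", ["oss:GetObject", "oss:PutObject", "oss:ListObjects"], ALL, RAM_UID)
NONE = _policy("Deny", "oss:*", ALL, RAM_UID)
ANON_NONE = _policy("Deny", "oss:*", ALL)
HTTPS_ONLY = _policy("Deny", "oss:*", ALL, condition={"Bool": {"acs:SecureTransport": ["false"]}})
IP_DENY = _policy("Deny", "oss:*", ALL, condition={"NotIpAddress": {"acs:SourceIp": ["192.168.0.0/16"]}})
LIST_PREFIX = _policy("Allow", ["oss:ListObjects", "oss:ListObjectVersions"], [BUCKET], RAM_UID,
                      condition={"StringLike": {"oss:Prefix": ["hangzhou/2020/*", "hangzhou/2015/*"]}})

def demo():
    """Scenarios from the Basic Settings Notice plus the HTTPS, IP, owner and prefix cases."""
    put = {"principal": RAM_UID, "owner": OWNER_UID, "action": "oss:PutObject",
           "resource": BUCKET.replace("*", "oss-cn-beijing") + "/abc/report.csv",
           "source_ip": "203.0.113.10", "https": True}
    get_http = {**put, "action": "oss:GetObject", "https": False}
    lst = {**put, "action": "oss:ListObjects", "resource": BUCKET.replace("*", "oss-cn-beijing")}
    return {
        "read_only_put": evaluate([READ_ONLY], put),                        # Deny: no Allow matches
        "read_plus_write_put": evaluate([READ_ONLY, READ_WRITE], put),      # Allow: Allows are unioned
        "with_none_put": evaluate([READ_ONLY, READ_WRITE, NONE], put),      # Deny: None (Deny) wins
        "http_get": evaluate([READ_WRITE, HTTPS_ONLY], get_http),           # Deny: plain HTTP blocked
        "https_get": evaluate([READ_WRITE, HTTPS_ONLY], {**get_http, "https": True}),        # Allow
        "ip_outside": evaluate([READ_WRITE, IP_DENY], put),                                  # Deny
        "ip_inside": evaluate([READ_WRITE, IP_DENY], {**put, "source_ip": "192.168.1.5"}),   # Allow
        "owner_anon_deny": evaluate([ANON_NONE], {**put, "principal": OWNER_UID}),      # Allow: owner skipped
        "owner_http_get": evaluate([HTTPS_ONLY], {**get_http, "principal": OWNER_UID}), # Deny: owner bound
        "list_in_prefix": evaluate([LIST_PREFIX], {**lst, "prefix": "hangzhou/2020/q1"}),    # Allow
        "list_whole_bucket": evaluate([LIST_PREFIX], lst),                                   # Deny
    }
```

Call demo() and compare the decisions with what you expect from the Notice under Basic Settings. The two owner cases are the ones worth a second look: an unconditioned Deny for Anonymous Accounts (*) leaves the owner alone, while the same Deny with a Condition binds the owner too.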

Method 2: Configure bucket policies by specifying policy syntax

  1. Log on to the OSS console.
  2. In the left-side navigation pane, click Buckets. On the Buckets page, click the name of the bucket for which you want to configure bucket policies.
  3. In the left-side navigation pane, click Files. On the page that appears, click Authorize.
  4. On the Syntax tab, click Edit.
    You can specify policy syntax based on your requirements to manage fine-grained permissions. The following examples describe the bucket policies configured by the resource owner whose UID is 174649585760xxxx in different scenarios:
    • Example 1: Allow anonymous users to list all objects in a bucket named examplebucket. Anyone on the Internet can then enumerate the object names in the bucket, so use this policy only for data that is meant to be public.
      {
          "Statement": [
              {
                  "Action": [
                      "oss:ListObjects",
                      "oss:ListObjectVersions"
                  ],
                  "Effect": "Allow",
                  "Principal": [
                      "*"
                  ],
                  "Resource": [
                      "acs:oss:*:174649585760xxxx:examplebucket"
                  ]
              }
          ],
          "Version": "1"
      }
    • Example 2: Deny all requests that manage a bucket named examplebucket unless they come from the CIDR block 192.168.0.0/16. Because the Principal is * and a Condition is specified, this Deny also applies to the bucket owner (see Background information), so make sure your own requests originate from that block before you save it.
      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Deny",
                  "Action": "oss:*",
                  "Principal": [
                      "*"
                  ],            
                  "Resource": [
                      "acs:oss:*:174649585760xxxx:examplebucket"
                  ],
                  "Condition":{
                      "NotIpAddress": {
                          "acs:SourceIp": ["192.168.0.0/16"]
                      }
                  }
              }
          ]
      }
    • Example 3: Allow a RAM user whose UID is 20214760404935xxxx read-only access to the hangzhou/2020 and hangzhou/2015 directories in a bucket named examplebucket. The second statement limits listing to those two prefixes, so the user cannot enumerate the rest of the bucket.
      {
          "Statement": [
              {
                  "Action": [
                      "oss:GetObject",
                      "oss:GetObjectAcl",
                      "oss:GetObjectVersion",
                      "oss:GetObjectVersionAcl"
                  ],
                  "Effect": "Allow",             
                  "Principal": [
                      "20214760404935xxxx"
                  ],            
                  "Resource": [
                      "acs:oss:*:174649585760xxxx:examplebucket/hangzhou/2020/*",
                      "acs:oss:*:174649585760xxxx:examplebucket/hangzhou/2015/*"
                  ]
              },
              {
                  "Action": [
                      "oss:ListObjects",
                      "oss:ListObjectVersions"
                  ],
                  "Condition": {
                      "StringLike": {
                          "oss:Prefix": [
                              "hangzhou/2020/*",
                              "hangzhou/2015/*"
                          ]
                      }
                  },
                  "Effect": "Allow",
                  "Principal": [
                      "20214760404935xxxx"
                  ],
                  "Resource": [
                      "acs:oss:*:174649585760xxxx:examplebucket"
                  ]
              }
          ],
          "Version": "1"
      }
  5. Click Save.
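
Before pasting a policy into the Syntax tab, it is worth running a few static checks on it. The script below is an added example (not code from this page or from Alibaba Cloud) that enforces what the page states: the policy must be valid JSON with Version "1", all policies on a bucket must total at most 16 KB, and a Deny with Principal * plus a Condition also binds the bucket owner. It additionally flags an unconditioned anonymous Allow that grants anything beyond Get*/List* actions. The read-only heuristic, the severity labels and the sample policy texts (one of which reproduces the trailing comma that appears in Example 1 as printed) are constructed for this example.

```python
import json

MAX_TOTAL_BYTES = 16 * 1024   # page: all policies on one bucket must total <= 16 KB

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _is_read_only(action):
    # Heuristic for this example: Get*/List* actions only read; anything else
    # (Put*, Delete*, Abort*, "oss:*", ...) can change data or configuration.
    return action.startswith(("oss:Get", "oss:List"))

def lint_policy(text, existing_bytes=0):
    """Return (severity, message) findings for the policy text you are about to save.

    existing_bytes is the combined size of the policies already on the bucket.
    """
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as e:
        # The console rejects malformed syntax; a trailing comma after the last
        # statement is the usual slip when statements are edited by hand.
        return [("error", f"invalid JSON at line {e.lineno}, column {e.colno}: {e.msg}")]
    if not isinstance(policy, dict):
        return [("error", "policy must be a JSON object")]
    findings = []
    total = existing_bytes + len(text.encode("utf-8"))
    if total > MAX_TOTAL_BYTES:
        findings.append(("error", f"policies would total {total} bytes; the limit is {MAX_TOTAL_BYTES}"))
    if policy.get("Version") != "1":
        findings.append(("error", 'Version must be "1"'))
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        effect = st.get("Effect")
        anonymous = "*" in _as_list(st.get("Principal", []))
        conditioned = bool(st.get("Condition"))
        mutating = [a for a in _as_list(st.get("Action", [])) if not _is_read_only(a)]
        if effect not in ("Allow", "Deny"):
            findings.append(("error", f"statement {i}: Effect must be Allow or Deny"))
        elif effect == "Allow" and anonymous and not conditioned:
            if mutating:
                findings.append(("high", f"statement {i}: anyone on the Internet may call {', '.join(mutating)}"))
            else:
                findings.append(("info", f"statement {i}: anonymous read access; intended for public data only"))
        elif effect == "Deny" and anonymous and conditioned:
            findings.append(("warn", f"statement {i}: a conditioned Deny with Principal * also binds the bucket "
                                     "owner; make sure the owner's own requests satisfy the Condition"))
    return findings

# Constructed inputs. EXAMPLE1_AS_PRINTED reproduces the trailing comma after the only
# statement in the page's Example 1 listing; EXAMPLE2 is the page's Example 2; PUBLIC_WRITE
# is the kind of policy nobody should save.
EXAMPLE1_AS_PRINTED = """{
    "Statement": [
        {"Action": ["oss:ListObjects", "oss:ListObjectVersions"],
         "Effect": "Allow", "Principal": ["*"],
         "Resource": ["acs:oss:*:174649585760xxxx:examplebucket"]},
    ],
    "Version": "1"
}"""
EXAMPLE1_FIXED = EXAMPLE1_AS_PRINTED.replace("]},\n    ],", "]}\n    ],")
EXAMPLE2 = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Deny", "Action": "oss:*", "Principal": ["*"],
    "Resource": ["acs:oss:*:174649585760xxxx:examplebucket"],
    "Condition": {"NotIpAddress": {"acs:SourceIp": ["192.168.0.0/16"]}}}]})
PUBLIC_WRITE = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["oss:GetObject", "oss:PutObject"], "Principal": ["*"],
    "Resource": ["acs:oss:*:174649585760xxxx:examplebucket/*"]}]})

def demo():
    return {
        "example1_as_printed": lint_policy(EXAMPLE1_AS_PRINTED),    # error: invalid JSON
        "example1_fixed": lint_policy(EXAMPLE1_FIXED),              # info: anonymous read
        "example2": lint_policy(EXAMPLE2),                          # warn: binds the owner
        "public_write": lint_policy(PUBLIC_WRITE),                  # high: anonymous PutObject
        "over_limit": lint_policy(EXAMPLE2, existing_bytes=MAX_TOTAL_BYTES),  # error + warn
    }

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "clean")
```

Treat "high" findings as a stop: an unconditioned Allow for Anonymous Accounts (*) on a write action makes the bucket writable by anyone. "warn" findings are not wrong by themselves (Example 2 is a legitimate policy), but they are the cases where the Background information note about the bucket owner applies.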

Access authorized OSS resources

After you configure a bucket policy for a bucket, you can use the following methods to access the resources specified in the policy:

  • Object URL (only for authorized anonymous users)

    Anonymous users can enter the URL of an object specified in the policy in a browser to access the object. The URL of the object consists of the default domain name of the bucket or a custom domain name mapped to the bucket and the path of the object. Example: http://mybucket.oss-cn-beijing.aliyuncs.com/file/myphoto.png. For more information, see OSS domain names.

  • OSS console

    Log on to the OSS console. In the left-side navigation pane, click the + icon next to My OSS Paths. In the Add Path panel, add the bucket name and object path specified in the bucket policy. For more information, see Set OSS paths.

  • ossutil

    Use the account authorized by the bucket policy to log on to ossutil to access the resources specified in the policy. For more information, see ossutil.

  • ossbrowser

    Use the account authorized by the bucket policy to log on to ossbrowser. Enter the path of the object specified by the policy in the Preset OSS Path field. For more information, see ossbrowser.

  • OSS SDK

    You can use OSS SDKs for the following programming languages to access the resources specified in the bucket policy: Java, PHP, Node.js, Python, Browser.js, .NET, Android, Go, iOS, C++, and C.