If a RAM user needs to use the Alibaba Cloud OSS Private Bucket Access feature, the RAM user must be granted the ListRoles permission first.


  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. Create a custom policy.
    Create a custom policy
    1. Specify the Policy Name.
    2. Optional. Enter remarks in the Note field.
    3. Set the Configuration Mode to Script.
    4. Enter the following code in the Policy Document field.
          "Version": "1",
          "Statement": [
                  "Action": "ram:ListRoles",
                  "Resource": "*",
                  "Effect": "Allow"
    5. Click OK.
  5. Navigate to the Identities > Users page.
  6. Find the target RAM user and click Add Permissions in the Actions column.
  7. Grant the required permission to the RAM user.
    Select the custom policy
    1. Select Custom Policy from the Select Policy drop-down list.
    2. Select the custom policy created in step 4.
    3. Click OK.
  8. Go to the CDN console to enable Alibaba Cloud OSS Private Bucket Access. For more information, see Enable private bucket back-to-origin authorization.