When you activate an on-premises gateway, the Resource Access Management (RAM) user that corresponds to the provided AccessKey ID and AccessKey secret must have specific permissions to ensure that the gateway functions correctly. This topic describes the permissions required for each feature.
Cloud Storage Gateway permissions
An on-premises gateway must interact with the console for management. You must grant the AliyunHCSSGWFullAccess system permission.
OSS permissions
An on-premises gateway must manage OSS buckets to upload and download files. You must grant the AliyunOSSFullAccess system permission.
For more granular permission control, refer to the OSS operation permissions listed below. If you require stricter permissions, you can scope the permissions to the specific bucket that is used by the on-premises gateway.
{
  "Action": [
    "oss:ListBuckets",
    "oss:ListObjects",
    "oss:GetObject",
    "oss:PutObject",
    "oss:DeleteObject",
    "oss:HeadObject",
    "oss:CopyObject",
    "oss:InitiateMultipartUpload",
    "oss:UploadPart",
    "oss:UploadPartCopy",
    "oss:CompleteMultipartUpload",
    "oss:AbortMultipartUpload",
    "oss:ListMultipartUploads",
    "oss:ListParts",
    "oss:GetBucketStat",
    "oss:GetBucketWebsite",
    "oss:GetBucketInfo",
    "oss:GetBucketEncryption",
    "oss:GetBucketVersioning",
    "oss:PutBucketEncryption",
    "oss:DeleteBucketEncryption",
    "oss:RestoreObject",
    "oss:PutObjectTagging",
    "oss:GetObjectTagging",
    "oss:DeleteObjectTagging"
  ],
  "Resource": "*",
  "Effect": "Allow"
}
MNS-related permissions
Cloud Storage Gateway uses Message Service (MNS) to detect and deliver incremental changes in OSS in seconds. This feature is called express synchronization. To use this feature, you must grant the AliyunMNSFullAccess system permission. For more granular control, refer to the MNS operation permissions listed below.
{
  "Action": [
    "mns:SendMessage",
    "mns:ReceiveMessage",
    "mns:PublishMessage",
    "mns:DeleteMessage",
    "mns:GetQueueAttributes",
    "mns:GetTopicAttributes",
    "mns:PutEventNotifications",
    "mns:DeleteEventNotifications",
    "mns:UpdateEventNotifications",
    "mns:GetEvent",
    "mns:Subscribe",
    "mns:Unsubscribe"
  ],
  "Resource": "*",
  "Effect": "Allow"
}
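The bucket scoping mentioned under OSS permissions, written out as a complete RAM policy. This is an added example, not a policy taken from the original documentation: it applies the same OSS actions to one bucket instead of "Resource": "*". The bucket name example-gateway-bucket is a placeholder assumption to replace with the bucket the gateway uses, and oss:ListBuckets is kept in its own statement on an account-wide resource because it is not an operation on a single bucket.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["oss:ListBuckets"],
      "Resource": ["acs:oss:*:*:*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetObject",
        "oss:PutObject",
        "oss:DeleteObject",
        "oss:HeadObject",
        "oss:CopyObject",
        "oss:InitiateMultipartUpload",
        "oss:UploadPart",
        "oss:UploadPartCopy",
        "oss:CompleteMultipartUpload",
        "oss:AbortMultipartUpload",
        "oss:ListMultipartUploads",
        "oss:ListParts",
        "oss:GetBucketStat",
        "oss:GetBucketWebsite",
        "oss:GetBucketInfo",
        "oss:GetBucketEncryption",
        "oss:GetBucketVersioning",
        "oss:PutBucketEncryption",
        "oss:DeleteBucketEncryption",
        "oss:RestoreObject",
        "oss:PutObjectTagging",
        "oss:GetObjectTagging",
        "oss:DeleteObjectTagging"
      ],
      "Resource": [
        "acs:oss:*:*:example-gateway-bucket",
        "acs:oss:*:*:example-gateway-bucket/*"
      ]
    }
  ]
}
```

The first resource entry covers bucket-level operations such as oss:GetBucketInfo, and the /* entry covers the objects inside the bucket.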