All Products
Search
Document Center

Data Security Center:MaskOssImage

Last Updated:May 08, 2026

Use the MaskOssImage operation to mask images stored as objects.

Operation description

Prerequisites

To use this operation, you must have an image masking quota. Each call deducts one unit from your quota.

QPS limit

The QPS limit for a single user is 10. If you exceed this limit, API calls are throttled, which can affect your business. To prevent service disruptions, operate within this limit.

Usage notes

After masking is complete, the system stores the masked image in the aliyun_dsc_desensitization folder within the source bucket.

For example, an image at exampledir/test.png in a bucket is saved as aliyun_dsc_desensitization/exampledir/test.png after masking.

For more information, see https://www.alibabacloud.com/help/zh/dsc/data-security-center/user-guide/picture-desensitization

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-sddp:MaskOssImage

none

*All Resource

*

  • acs:ResourceGroupId
None

Request syntax

POST  HTTP/1.1

Request parameters

Parameter

Type

Required

Description

Example

BucketName

string

Yes

The name of the OSS bucket.

sddp-api-demo-bucket

ObjectKey

string

Yes

The full key of the object stored in OSS.

dir1/test.png

ServiceRegionId

string

Yes

The region where the bucket is located.

cn-hangzhou

MaskRuleIdList

string

Yes

A comma-separated list of masking rule IDs.

The following rule IDs correspond to the listed sensitive data types:

3000: Images that contain ID card information (Chinese mainland)

3009: Images that contain license plate information (Chinese mainland)

3002: Images that contain faces

1002: Names (Simplified Chinese)

1003: Addresses (Chinese mainland)

4003: Unified Social Credit Code

63009: Images that contain eyes

3000,3002

IsSupportRestore

boolean

No

Specifies whether you can restore the original image from the masked version.

true

IsAlwaysUpload

boolean

No

Specifies whether to always upload the processed image.

If you set this to false, the image is uploaded only if it matches a masking rule.

If you set this to true, the processed image is always uploaded.

true

Response elements

Element

Type

Description

Example

object

Response schema

RequestId

string

The request ID.

136082B3-B21F-5E9D-B68E-991FFD205D24

Examples

Success response

JSON format

{
  "RequestId": "136082B3-B21F-5E9D-B68E-991FFD205D24"
}

Error codes

HTTP status code

Error code

Error message

Description

400 IdempotentParameterMismatch The request uses the same client token as a previous, but non-identical request. Do not reuse a client token with different requests, unless the requests are identical.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.