Share OSS assets across accounts using a bucket policy

Updated at:
Copy as MD

Resources in Alibaba Cloud Object Storage Service (OSS) are private by default. To allow a partner to use your OSS resources for editing, grant them access to the bucket by using a bucket policy.

Background information

Company A wants to allow its partner, Company B, to use files stored in an OSS bucket as media assets for editing. However, Company A does not want to set the bucket to public-read or directly copy the files to Company B. Instead, Company A can use a bucket policy to grant its partner access to the bucket, allowing Company B to reference these media assets in the timeline.

Add a bucket policy to grant access

Intelligent Media Services (IMS) accesses customer OSS files by assuming the system role AliyunICEDefaultRole. When Company A grants Company B permission to access a bucket, the AliyunICEDefaultRole assumed by Company B's account can access Company A's bucket. Follow these steps:

  1. Obtain the Alibaba Cloud account ID of Company B.

    Company B logs in to its Alibaba Cloud account. In the console, click the profile picture in the upper-right corner. Find and record the Alibaba Cloud account ID from the pop-up box.

    The value is labeled account ID.

  1. Grant the AliyunICEDefaultRole assumed by Company B's account access to the authorized resources.

    1. Log on to the OSS console.

    2. On the Buckets page, click the name of the target bucket.

    3. In the left-side navigation pane, choose Permission Control > Bucket Policy.

    4. On the Bucket Policy page, on the Add in GUI tab, click Authorize.

    5. In the Authorize panel, configure the policy. For Authorized User, select Other Accounts, and enter the following ARN. Replace the placeholder with the Alibaba Cloud account ID from Step 1.

      arn:sts::COMPANY_B_ACCOUNT_ID:assumed-role/AliyunICEDefaultRole/*
    6. For details on configuring other parameters, see Grant access to specific resources by using a bucket policy.

    7. Click OK.

      Example:

      In the Authorized Resource area, select Entire Bucket. In the Authorized User area, select Other Accounts and enter the ARN for the AliyunICEDefaultRole assumed by Company B's account (format: arn:sts::ACCOUNT_ID:assumed-role/AliyunICEDefaultRole/*). In the Authorized Operation area, select Simple Settings and select Read/Write. In the Conditions (Optional) area, set the access method to HTTPS and click OK.

Advanced configurations

  • Multi-account authorization: You can grant multiple Alibaba Cloud accounts editing access to the media assets in this bucket by entering multiple values for Authorized User.

  • Operation permissions: If Authorized Operation is "Read-Only", Company B can only use the bucket's media assets as input. If Authorized Operation is "Read/Write", Company B can also write edited output to the bucket.