Access control lists (ACLs) define the access permissions of users or user groups on data stored in Object Storage Service (OSS). When a request is sent to access data stored in OSS, OSS checks the ACL of the data and verifies whether the requester has the required permissions. You can configure the ACL of an object when you upload the object, or modify the ACL of an object that is already uploaded.

Usage notes

  • If you do not set the object ACL, the object ACL is set to default. In that case, the ACL of the object is the same as that of the bucket in which the object is stored.
  • If you set the object ACL to a value that is different from the bucket ACL, the object ACL takes precedence. For example, if the ACL of an object is set to public read, all authenticated and anonymous users can read the object regardless of the bucket ACL.

ACL types

The following table describes object ACL types.

| ACL | Description |
| --- | --- |
| public-read-write | Public read/write: All users, including anonymous users, can perform read and write operations on the object. Warning: When you set the object ACL to this value, all users can access the object over the Internet and write data to the object. This may result in unexpected access to the data in your bucket and unexpectedly high fees. If a user uploads prohibited data or information, your legitimate interests and rights may be infringed. Therefore, we recommend that you do not set the object ACL to public read/write except in special cases. |
| public-read | Public read: Only the bucket owner can write data to the object. Other users, including anonymous users, can only read the object. Warning: All users can access the object over the Internet. This may result in unexpected access to the data in your bucket and unexpectedly high fees. Exercise caution when you set the object ACL to public read. |
| private | Private: Only the bucket owner is allowed to perform read and write operations on the object. Other users cannot access the object. Note: You can configure and send the object URL to share your private objects with your partners. For more information, see Add signatures to URLs. |
| default | Default value: The ACL of the object is the same as that of the bucket in which the object is stored. |
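
The inheritance and precedence rules above can be checked offline against an object inventory. The following Python sketch is an added example, not part of the OSS documentation or SDKs: the function names, the finding labels, and the sample inventory are constructed for illustration, and it models ACLs only (bucket policies and RAM policies are not considered).

```python
# Added example: models the object ACL rules described above.
# The inventory rows are constructed sample data, not real OSS output.

# Operations that anonymous users may perform under each concrete ACL value.
ANONYMOUS_ACCESS = {
    "private": frozenset(),
    "public-read": frozenset({"read"}),
    "public-read-write": frozenset({"read", "write"}),
}


def effective_acl(object_acl, bucket_acl):
    """Return the ACL that governs an object: default inherits, others override."""
    if bucket_acl not in ANONYMOUS_ACCESS:
        raise ValueError(f"unknown bucket ACL: {bucket_acl!r}")
    if object_acl in (None, "default"):
        return bucket_acl
    if object_acl not in ANONYMOUS_ACCESS:
        raise ValueError(f"unknown object ACL: {object_acl!r}")
    return object_acl


def audit(inventory):
    """List objects reachable by anonymous users and where the exposure comes from."""
    findings = []
    for bucket, bucket_acl, key, object_acl in inventory:
        acl = effective_acl(object_acl, bucket_acl)
        access = ANONYMOUS_ACCESS[acl]
        if not access:
            continue  # private: only the bucket owner can read or write
        if object_acl in (None, "default"):
            source = "inherited-from-bucket"
        elif access > ANONYMOUS_ACCESS[bucket_acl]:
            source = "object-acl-widens-bucket"  # object is more open than its bucket
        else:
            source = "object-acl"
        findings.append({"object": f"{bucket}/{key}", "effective_acl": acl,
                         "anonymous": sorted(access), "source": source})
    return findings


# (bucket, bucket ACL, object key, object ACL) -- constructed sample rows.
SAMPLE_INVENTORY = [
    ("reports", "private", "q1.pdf", "default"),
    ("reports", "private", "press-kit.zip", "public-read"),
    ("uploads", "public-read", "tmp/drop.bin", "public-read-write"),
    ("uploads", "public-read", "logo.png", None),
    ("uploads", "public-read", "keys.txt", "private"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
```

Objects reported as `object-acl-widens-bucket` are the ones a bucket-level review misses, because the bucket ACL alone suggests tighter access than the object actually has.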

Use the OSS console

  1. Log on to the OSS console.
  2. In the left-side navigation pane, click Buckets. On the Buckets page, click the name of the bucket for which you want to modify the ACL.
  3. In the left-side navigation pane, click Files.
  4. Select the object for which you want to modify the ACL. Click the name of the object. In the View Details panel, click Set ACL.
    Alternatively, move the pointer over More in the Actions column of the object and choose Set ACL from the shortcut menu.
  5. In the Set ACL panel, modify the ACL of the object.
  6. Click OK.

Use ossbrowser

ossbrowser supports the same object-level operations as the OSS console. You can follow the on-screen instructions in ossbrowser to modify the ACL of an object. For more information about how to use ossbrowser, see Use ossbrowser.

Use OSS SDKs

The following code provides examples of how to modify the ACL of an object by using OSS SDKs for common programming languages. For more information about how to modify the ACL of an object by using OSS SDKs for other programming languages, see Overview.

```java
import com.aliyun.oss.OSS;
import com.aliyun.oss.OSSClientBuilder;
import com.aliyun.oss.model.CannedAccessControlList;

public class SetObjectAclExample {
    public static void main(String[] args) {
        // The endpoint of the China (Hangzhou) region is used in this example. Specify the actual endpoint. HTTPS is used so that requests are encrypted in transit.
        String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
        // Security risks may arise if you use the AccessKey pair of an Alibaba Cloud account to log on to OSS, because the account has permissions on all API operations. We recommend that you use a RAM user to call API operations or perform routine operations and maintenance. To create a RAM user, log on to https://ram.console.aliyun.com.
        String accessKeyId = "<yourAccessKeyId>";
        String accessKeySecret = "<yourAccessKeySecret>";

        // Create an OSSClient instance.
        OSS ossClient = new OSSClientBuilder().build(endpoint, accessKeyId, accessKeySecret);
        try {
            // Configure the ACL of the specified object to public read.
            ossClient.setObjectAcl("<yourBucketName>", "<yourObjectName>", CannedAccessControlList.PublicRead);
        } finally {
            // Shut down the OSSClient instance, even if the request fails.
            ossClient.shutdown();
        }
    }
}
```

```csharp
using System;
using Aliyun.OSS;
using Aliyun.OSS.Common;

var endpoint = "<yourEndpoint>";
var accessKeyId = "<yourAccessKeyId>";
var accessKeySecret = "<yourAccessKeySecret>";
var bucketName = "<yourBucketName>";
var objectName = "<yourObjectName>";

// Create an OSSClient instance.
var client = new OssClient(endpoint, accessKeyId, accessKeySecret);
// Configure the object ACL.
try
{
    // Use SetObjectAcl to configure the ACL of the object.
    client.SetObjectAcl(bucketName, objectName, CannedAccessControlList.PublicRead);
    Console.WriteLine("Set Object:{0} ACL succeeded", objectName);
}
catch (Exception ex)
{
    Console.WriteLine("Set Object ACL failed with error info: {0}", ex.Message);
}
// Query the ACL of the object.
try
{
    // Use GetObjectAcl to query the ACL of the object.
    var result = client.GetObjectAcl(bucketName, objectName);
    Console.WriteLine("Get Object ACL succeeded, Id: {0}  ACL: {1}",
        result.Owner.Id, result.ACL.ToString());
}
catch (OssException ex)
{
    Console.WriteLine("Failed with error code: {0}; Error info: {1}. \nRequestID: {2}\tHostID: {3}",
        ex.ErrorCode, ex.Message, ex.RequestId, ex.HostId);
}
catch (Exception ex)
{
    Console.WriteLine("Failed with error info: {0}", ex.Message);
}
```

Use ossutil

For more information about how to use ossutil to configure or modify the ACL of an object, see Configure or modify the ACLs of objects.

Use the RESTful API

If your program requires more custom options to configure the ACL of an object, you can call RESTful API operations. In this case, you must manually write code to calculate the signature. For more information, see PutObjectACL.

References

In addition to object ACLs, OSS provides bucket ACLs, bucket policies, and RAM policies for you to control access to your buckets and objects in OSS. For more information, see Overview.