Access control lists (ACLs) are used to control access to Object Storage Service (OSS) buckets and objects stored in OSS buckets. After a request is sent to access data stored in OSS, OSS checks the ACL of the data and verifies whether the requester has required permissions. You can configure the ACL of an object when you upload the object or modify the ACL of an uploaded object.
Usage notes
- If you do not set the object ACL, the object ACL is default. In this case, the ACL of the object is the same as that of the bucket in which the object is stored.
- If you set the object ACL to a value that is different from the bucket ACL, the object ACL takes precedence. For example, if the ACL of an object is set to public-read, all authenticated and anonymous users can read the object regardless of the bucket ACL.
ACL types
The following table describes object ACL types.
ACL | Description |
---|---|
public-read-write | All users, including anonymous users, can perform read and write operations on the
object.
Warning When you set the object ACL to this value, all users can access the object and write
data to the object over the Internet. This may result in unexpected access to the
object and unexpectedly high fees. If a user uploads prohibited data or information,
your legitimate interests and rights may be infringed. Therefore, we recommend that
you do not set the object ACL to public-read-write except in special cases.
|
public-read | Only the bucket owner can write data to the object. Other users, including anonymous
users, can only read the object.
Warning All users can access the object over the Internet. This may result in unexpected access
to the object and unexpectedly high fees. Exercise caution when you set the object
ACL to public-read.
|
private | Only the bucket owner is allowed to perform read and write operations on the object.
Other users cannot access the object.
Note You can send object URLs to share your private objects with your partners. For more
information, see Add signatures to URLs.
|
default | The ACL of the object is the same as that of the bucket in which the object is stored. |
Use the OSS console
- Log on to the OSS console.
- In the left-side navigation pane, click Buckets. On the Buckets page, click the name of the desired bucket.
- In the left-side navigation pane, choose .
- Specify the ACL for an object.
- Click OK.
Use ossbrowser
You can use ossbrowser to perform the same object-level operations that you can perform in the OSS console. You can follow the on-screen instructions in ossbrowser to modify the ACL of an object. For more information about how to use ossbrowser, see Use ossbrowser.
Use OSS SDKs
The following code provides examples on how to modify the ACL of an object by using OSS SDKs for common programming languages. For more information about how to modify the ACL of an object by using OSS SDKs for other programming languages, see Overview.
import com.aliyun.oss.ClientException;
import com.aliyun.oss.OSS;
import com.aliyun.oss.OSSClientBuilder;
import com.aliyun.oss.OSSException;
import com.aliyun.oss.model.CannedAccessControlList;
public class Demo {
public static void main(String[] args) throws Exception {
// In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint.
String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
// The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using these credentials to perform operations in OSS is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. To create a RAM user, log on to the RAM console.
String accessKeyId = "yourAccessKeyId";
String accessKeySecret = "yourAccessKeySecret";
// Specify the bucket name. Example: examplebucket.
String bucketName = "examplebucket";
// Specify the full path of the object. The full path of the object cannot contain the bucket name. Example: testfolder/exampleobject.txt.
String objectName = "testfolder/exampleobject.txt";
// Create an OSSClient instance.
OSS ossClient = new OSSClientBuilder().build(endpoint, accessKeyId, accessKeySecret);
try {
// Set the ACL of the object to public read.
ossClient.setObjectAcl(bucketName, objectName, CannedAccessControlList.PublicRead);
} catch (OSSException oe) {
System.out.println("Caught an OSSException, which means your request made it to OSS, "
+ "but was rejected with an error response for some reason.");
System.out.println("Error Message:" + oe.getErrorMessage());
System.out.println("Error Code:" + oe.getErrorCode());
System.out.println("Request ID:" + oe.getRequestId());
System.out.println("Host ID:" + oe.getHostId());
} catch (ClientException ce) {
System.out.println("Caught an ClientException, which means the client encountered "
+ "a serious internal problem while trying to communicate with OSS, "
+ "such as not being able to access the network.");
System.out.println("Error Message:" + ce.getMessage());
} finally {
if (ossClient != null) {
ossClient.shutdown();
}
}
}
}
<?php
if (is_file(__DIR__ . '/../autoload.php')) {
require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
require_once __DIR__ . '/../vendor/autoload.php';
}
use OSS\OssClient;
use OSS\Core\OssException;
// The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using these credentials to perform operations in OSS is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. To create a RAM user, log on to the RAM console.
$accessKeyId = "<yourAccessKeyId>";
$accessKeySecret = "<yourAccessKeySecret>";
// In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint.
$endpoint = "http://oss-cn-hangzhou.aliyuncs.com";
$bucket= "<yourBucketName>";
$object = "<yourObjectName>";
// Configure the ACL of the object to public read. If you do not specify the ACL of the object, the ACL of the object inherits the ACL of the bucket in which the object is stored.
$acl = "public-read";
try {
$ossClient = new OssClient($accessKeyId, $accessKeySecret, $endpoint);
$ossClient->putObjectAcl($bucket, $object, $acl);
} catch (OssException $e) {
printf(__FUNCTION__ . ": FAILED\n");
printf($e->getMessage() . "\n");
return;
}
print(__FUNCTION__ . ": OK" . "\n");
const oss = require('ali-oss');
const store = oss({
// Specify the region in which the bucket is located. For example, if your bucket is located in the China (Hangzhou) region, set the region to oss-cn-hangzhou.
region: 'yourregion',
// The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using these credentials to perform operations in OSS is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. To create a RAM user, log on to the RAM console.
accessKeyId: 'yourAccessKeyId',
accessKeySecret: 'yourAccessKeySecret',
// Set yourbucketname to the name of your bucket.
bucket: 'yourbucketname'
});
// yourObjectName specifies the complete path of the object. The path cannot contain the bucket name. Example: example/test.txt.
await store.putACL('yourObjectName', 'public-read');
# -*- coding: utf-8 -*-
import oss2
# The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using these credentials to perform operations in OSS is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. To create a RAM user, log on to the RAM console.
auth = oss2.Auth('yourAccessKeyId', 'yourAccessKeySecret')
# Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com.
# Set yourBucketName to the name of the bucket.
bucket = oss2.Bucket(auth, 'https://oss-cn-hangzhou.aliyuncs.com', 'yourBucketName')
# Specify the full path of the object. The full path of the object cannot contain the bucket name.
bucket.put_object_acl('yourObjectName', oss2.OBJECT_ACL_PUBLIC_READ)
let OSS = require('ali-oss')
let client = new OSS({
// Specify the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the region to oss-cn-hangzhou.
region: 'yourRegion',
// Specify the temporary AccessKey pair obtained from Security Token Service (STS). The AccessKey pair consists of an AccessKey ID and an AccessKey secret.
accessKeyId: 'yourAccessKeyId',
accessKeySecret: 'yourAccessKeySecret',
// Specify the name of the bucket. Example: examplebucket.
bucket: "examplebucket"
});
async function getACL () {
try {
let result = await client.getACL('my-object');
console.log(result.acl); // default
await client.putACL('my-object', 'public-read');
let result = await client.getACL('my-object');
console.log(result.acl); // public-read
} catch (e) {
console.log(e);
}
}
getACL();
using Aliyun.OSS;
using Aliyun.OSS.Common;
// Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com.
var endpoint = "yourEndpoint";
// The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using these credentials to perform operations in Object Storage Service (OSS) is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. To create a RAM user, log on to the RAM console.
var accessKeyId = "yourAccessKeyId";
var accessKeySecret = "yourAccessKeySecret";
// Specify the bucket name. Example: examplebucket.
var bucketName = "examplebucket";
// Specify the full path of the object. The full path of the object cannot contain the bucket name. Example: exampledir/exampleobject.txt.
var objectName = "exampleobject.txt";
// Create an OSSClient instance.
var client = new OssClient(endpoint, accessKeyId, accessKeySecret);
// Configure the ACL of the object.
try
{
// Call SetObjectAcl to configure the ACL of the object.
client.SetObjectAcl(bucketName, objectName, CannedAccessControlList.PublicRead);
Console.WriteLine("Set Object:{0} ACL succeeded ", objectName);
}
catch (Exception ex)
{
Console.WriteLine("Set Object ACL failed with error info: {0}", ex.Message);
}
// Query the ACL of the object.
try
{
// Call GetObjectAcl to query the ACL of the object.
var result = client.GetObjectAcl(bucketName, objectName);
Console.WriteLine("Get Object ACL succeeded, Id: {0} ACL: {1}",
result.Owner.Id, result.ACL.ToString());
}
catch (OssException ex)
{
Console.WriteLine("Failed with error code: {0}; Error info: {1}. \nRequestID: {2}\tHostID: {3}",
ex.ErrorCode, ex.Message, ex.RequestId, ex.HostId);
}
catch (Exception ex)
{
Console.WriteLine("Failed with error info: {0}", ex.Message);
}
// Specify the bucket name such as examplebucket and the full path of the object such as exampledir/exampleobject.txt. The full path cannot contain the bucket name.
GetObjectACLRequest request = new GetObjectACLRequest("examplebucket", "exampledir/exampleobject.txt");
// Obtain the ACL of the object.
oss.asyncGetObjectACL(request, new OSSCompletedCallback<GetObjectACLRequest, GetObjectACLResult>() {
@Override
public void onSuccess(GetObjectACLRequest request, GetObjectACLResult result) {
Log.d("GetObjectACL", "Success!");
Log.d("ObjectAcl", result.getObjectACL());
Log.d("Owner", result.getObjectOwner());
Log.d("ID", result.getObjectOwnerID());
}
@Override
public void onFailure(GetObjectACLRequest request, ClientException clientException, ServiceException serviceException) {
// Handle request exceptions.
if (clientException != null) {
// Handle client-side exceptions such as network errors.
clientException.printStackTrace();
}
if (serviceException != null) {
// Handle server-side exceptions.
Log.e("ErrorCode", serviceException.getErrorCode());
Log.e("RequestId", serviceException.getRequestId());
Log.e("HostId", serviceException.getHostId());
Log.e("RawMessage", serviceException.getRawMessage());
}
}
});
package main
import (
"fmt"
"os"
"github.com/aliyun/aliyun-oss-go-sdk/oss"
)
func main() {
// Create an OSSClient instance.
// Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. Specify your actual endpoint.
// The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using these credentials to perform operations in OSS is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. To create a RAM user, log on to the RAM console.
client, err := oss.New("yourEndpoint", "yourAccessKeyId", "yourAccessKeySecret")
if err != nil {
fmt.Println("Error:", err)
os.Exit(-1)
}
// Specify the name of the bucket.
bucket, err := client.Bucket("yourBucketName")
if err != nil {
fmt.Println("Error:", err)
os.Exit(-1)
}
// Configure the ACL of the object.
// Set yourObjectName to the full path of the object. The full path cannot contain the bucket name.
err = bucket.SetObjectACL("yourObjectName", oss.ACLPublicReadWrite)
if err != nil {
fmt.Println("Error:", err)
os.Exit(-1)
}
// Query the ACL of the object.
aclRes, err := bucket.GetObjectACL("yourObjectName")
if err != nil {
fmt.Println("Error:", err)
os.Exit(-1)
}
fmt.Println("Object ACL:", aclRes.ACL)
}
OSSPutObjectACLRequest *request = [OSSPutObjectACLRequest new];
// Specify the name of the bucket. Example: examplebucket.
request.bucketName = @"examplebucket";
// Specify the full path of the object. The full path cannot contain the bucket name. Example: exampleobject.txt.
request.objectKey = @"exampleobject.txt";
/**
* Configure the ACL of the object.
* public-read
* private
* public-read-write
* default: inherited from the bucket
*/
request.acl = @"private";
OSSTask * putObjectACLTask = [client putObjectACL:request];
[putObjectACLTask continueWithBlock:^id(OSSTask *task) {
if (!task.error) {
NSLog(@"put object ACL success!");
} else {
NSLog(@"put object ACL failed, error: %@", task.error);
}
return nil;
}];
#include <alibabacloud/oss/OssClient.h>
using namespace AlibabaCloud::OSS;
int main(void)
{
/* Initialize the information about the account used to access OSS. */
/* The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using these credentials to perform operations in OSS is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. To create a RAM user, log on to the RAM console. */
std::string AccessKeyId = "yourAccessKeyId";
std::string AccessKeySecret = "yourAccessKeySecret";
/* Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. */
std::string Endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
/* Specify the name of the bucket. Example: examplebucket. */
std::string BucketName = "examplebucket";
/* Specify the full path of the object. The full path cannot contain the bucket name. Example: exampledir/exampleobject.txt. */
std::string ObjectName = "exampledir/exampleobject.txt";
/* Initialize resources such as network resources. */
InitializeSdk();
ClientConfiguration conf;
OssClient client(Endpoint, AccessKeyId, AccessKeySecret, conf);
/* Configure the ACL of the object. */
SetObjectAclRequest request(BucketName, ObjectName);
request.setAcl(CannedAccessControlList::Private);
auto outcome = client.SetObjectAcl(request);
if (!outcome.isSuccess()) {
/* Handle exceptions. */
std::cout << "SetObjectAcl fail" <<
",code:" << outcome.error().Code() <<
",message:" << outcome.error().Message() <<
",requestId:" << outcome.error().RequestId() << std::endl;
ShutdownSdk();
return -1;
}
/* Release resources such as network resources. */
ShutdownSdk();
return 0;
}
#include "oss_api.h"
#include "aos_http_io.h"
/* Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. */
const char *endpoint = "yourEndpoint";
/* The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using these credentials to perform operations in Object Storage Service (OSS) is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. To create a RAM user, log on to the RAM console. */
const char *access_key_id = "yourAccessKeyId";
const char *access_key_secret = "yourAccessKeySecret";
/* Specify the bucket name. Example: examplebucket. */
const char *bucket_name = "examplebucket";
/* Specify the full path of the object. The full path of the object cannot contain the bucket name. Example: exampledir/exampleobject.txt. */
const char *object_name = "exampledir/exampleobject.txt";
void init_options(oss_request_options_t *options)
{
options->config = oss_config_create(options->pool);
/* Use a char* string to initialize the aos_string_t data type. */
aos_str_set(&options->config->endpoint, endpoint);
aos_str_set(&options->config->access_key_id, access_key_id);
aos_str_set(&options->config->access_key_secret, access_key_secret);
/* Specify whether to use CNAME. A value of 0 indicates that CNAME is not used. */
options->config->is_cname = 0;
/* Configure network parameters such as the timeout period. */
options->ctl = aos_http_controller_create(options->pool, 0);
}
int main(int argc, char *argv[])
{
/* Call the aos_http_io_initialize method in main() to initialize global resources such as networks and memory. */
if (aos_http_io_initialize(NULL, 0) != AOSE_OK) {
exit(1);
}
/* Create a memory pool to manage memory. aos_pool_t is equivalent to apr_pool_t. The code used to create a memory pool is included in the APR library. */
aos_pool_t *pool;
/* Create a memory pool. The value of the second parameter is NULL. This value indicates that the pool does not inherit other memory pools. */
aos_pool_create(&pool, NULL);
/* Create and initialize options. This parameter includes global configuration information such as endpoint, access_key_id, access_key_secret, is_cname, and curl. */
oss_request_options_t *oss_client_options;
/* Allocate the memory resources in the memory pool to the options. */
oss_client_options = oss_request_options_create(pool);
/* Initialize oss_client_options. */
init_options(oss_client_options);
/* Initialize the parameters. */
aos_string_t bucket;
aos_string_t object;
aos_table_t *resp_headers = NULL;
aos_status_t *resp_status = NULL;
aos_str_set(&bucket, bucket_name);
aos_str_set(&object, object_name);
oss_acl_e oss_acl = OSS_ACL_PUBLIC_READ;
/* Set the ACL of the object. */
resp_status = oss_put_object_acl(oss_client_options, &bucket, &object, oss_acl, &resp_headers);
if (aos_status_is_ok(resp_status)) {
printf("put object acl success!\n");
} else {
printf("put object acl failed!\n");
}
/* Query the ACL of the object. */
aos_string_t oss_acl_string;
resp_status = oss_get_object_acl(oss_client_options, &bucket, &object, &oss_acl_string, &resp_headers);
if (aos_status_is_ok(resp_status)) {
printf("get object acl success!\n");
printf("acl: %s \n", oss_acl_string.data);
} else {
printf("get object acl failed!\n");
}
/* Release the memory pool. This operation releases the memory resources allocated for the request. */
aos_pool_destroy(pool);
/* Release the allocated global resources. */
aos_http_io_deinitialize();
return 0;
}
require 'aliyun/oss'
client = Aliyun::OSS::Client.new(
# Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com.
endpoint: 'https://oss-cn-hangzhou.aliyuncs.com',
# The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using these credentials to perform operations in OSS is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. To create a RAM user, log on to the RAM console.
access_key_id: 'AccessKeyId', access_key_secret: 'AccessKeySecret')
# Specify the bucket name. Example: examplebucket.
bucket = client.get_bucket('examplebucket')
# Replace my-object with the full path of the object. The full path cannot contain the bucket name.
acl = bucket.get_object_acl('my-object')
puts acl # default
bucket.set_object_acl('my-object', Aliyun::OSS::ACL::PUBLIC_READ)
acl = bucket.get_object_acl('my-object')
puts acl # public-read
Use ossutil
For more information about how to use ossutil to configure or modify the ACL of an object, see Configure or modify the ACLs of objects.
Use RESTful APIs
If your business requires a high level of customization, you can directly call RESTful APIs. To directly call an API, you must include the signature calculation in your code. For more information, see PutObjectACL.
References
In addition to object ACLs, OSS provides bucket ACLs, bucket policies, and RAM policies for you to control access to your buckets and objects in OSS. For more information, see Overview.