You can configure Resource Access Management (RAM) policies to manage the permissions of users, such as employees, systems, or applications, and control the resources that can be accessed by users. For example, you can create a RAM policy to authorize users to list and read the objects that are stored in a specific bucket.
Attach a custom policy to a RAM user
- Create a custom policy. You can refer to the examples described in this topic based on actual scenarios and create a custom RAM policy by using scripts. For more information, see Create a custom policy.
A RAM policy contains a version number and a statement. Each statement contains the following elements: Effect, Action, Resource, and Condition. The Condition element is optional. For more information, see Overview.
Important In Object Storage Service (OSS), you can set Resource to an asterisk wildcard character (*) to specify resources of a specific type. The format that is used to specify the resources isacs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name}
. For example, if Resource is set toacs:oss:*:*:mybucket/*
, all resources in the mybucket bucket are specified. If Resource is set toacs:oss:*:*:mybucket/abc*.txt
, all .txt objects in the mybucket bucket that are prefixed with abc are specified. - Attach the custom policy to a RAM user. Attach the RAM policy that is created in Step 1 to a RAM user. For more information, see Grant permissions to the RAM user.
Example 1: Authorize a RAM user to completely control a bucket
mybucket
. {
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "oss:*",
"Resource": [
"acs:oss:*:*:mybucket",
"acs:oss:*:*:mybucket/*"
]
}
]
}
Example 2: Prohibit a RAM user from deleting multiple objects in a bucket
mybucket
that are prefixed with abc:{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"oss:DeleteObject"
],
"Resource": [
"acs:oss:*:*:mybucket/abc*.txt"
]
}
]
}
Example 3: Authorize a RAM user to list and read objects in a bucket
- Authorize a RAM user to list and read objects in a bucket by using OSS SDKs or ossutil
The following sample code provides an example on how to authorize a RAM user to list and read objects in a bucket named
mybucket
by using OSS SDKs or ossutil:{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "oss:ListObjects", "Resource": "acs:oss:*:*:mybucket" }, { "Effect": "Allow", "Action": "oss:GetObject", "Resource": "acs:oss:*:*:mybucket/*" } ] }
- Authorize a RAM user to list and read objects in a bucket in the OSS console
The following sample code provides an example on how to authorize RAM users to list and read all resources in a bucket named
mybucket
in the OSS console:{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketInfo", "oss:GetBucketTagging", "oss:GetBucketLifecycle", "oss:GetBucketWorm", "oss:GetBucketVersioning", "oss:GetBucketAcl" ], "Resource": "acs:oss:*:*:*" }, { "Effect": "Allow", "Action": [ "oss:ListObjects", "oss:GetBucketAcl" ], "Resource": "acs:oss:*:*:mybucket" }, { "Effect": "Allow", "Action": [ "oss:GetObject", "oss:GetObjectAcl" ], "Resource": "acs:oss:*:*:mybucket/*" } ] }
Example 4: Prohibit RAM users from deleting a bucket
The following sample code provides an example on how to prohibit RAM users from deleting a bucket named mybucket
:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "oss:*",
"Resource": [
"acs:oss:*:*:mybucket",
"acs:oss:*:*:mybucket/*"
]
},
{
"Effect": "Deny",
"Action": [
"oss:DeleteBucket"
],
"Resource": [
"acs:oss:*:*:mybucket"
]
}
]
}
Example 5: Authorize a RAM user to access multiple directories in a bucket
In this example, a bucket named mybucket
is used to store photos. The bucket contains multiple directories that are named based on the locations where the photos were captured. Each directory contains subdirectories that are named based on the years when the photos were captured.
mybucket[Bucket]
├── beijing
│ ├── 2014
│ └── 2015
├── hangzhou
│ ├── 2013
│ ├── 2014
│ └── 2015
└── qingdao
├── 2014
└── 2015
In this example, RAM policies are created to grant a RAM user read-only permissions on the mybucket/hangzhou/2014/
and mybucket/hangzhou/2015/
directories. Authorization based on directories is an advanced feature of RAM policies. The complexity of RAM policies varies based on scenarios. You can refer to the RAM policies in the following scenarios to grant permissions to RAM users:
- Authorize a RAM user to only read objects in the
mybucket/hangzhou/2014/
andmybucket/hangzhou/2015/
directoriesIn this scenario, the RAM user knows the full path of the object to be accessed. We recommend that you configure the RAM policy to authorize the RAM user to access the object by using the full path of the object.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:GetObject" ], "Resource": [ "acs:oss:*:*:mybucket/hangzhou/2014/*", "acs:oss:*:*:mybucket/hangzhou/2015/*" ] } ] }
- Authorize a RAM user to access the
mybucket/hangzhou/2014/
andmybucket/hangzhou/2015/
directories and list the objects in the directories by using ossutilIn this scenario, the RAM user does not know the objects in the directories and can use ossutil or call API operations to obtain information about the objects in the directories. In this case, the permissions to perform the
ListObjects
operation must be specified in the RM policy.{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:GetObject" ], "Resource": [ "acs:oss:*:*:mybucket/hangzhou/2014/*", "acs:oss:*:*:mybucket/hangzhou/2015/*" ] }, { "Effect": "Allow", "Action": [ "oss:ListObjects" ], "Resource": [ "acs:oss:*:*:mybucket" ], "Condition":{ "StringLike":{ "oss:Prefix": [ "hangzhou/2014/*", "hangzhou/2015/*" ] } } } ] }
- Authorize RAM users to access directories in the OSS console
In this scenario, the RAM user can use the OSS console to access the
mybucket/hangzhou/2014/
andmybucket/hangzhou/2015/
directories from the root directory by level.{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketInfo", "oss:GetBucketTagging", "oss:GetBucketLifecycle", "oss:GetBucketWorm", "oss:GetBucketVersioning", "oss:GetBucketAcl" ], "Resource": [ "acs:oss:*:*:*" ] }, { "Effect": "Allow", "Action": [ "oss:GetObject", "oss:GetObjectAcl" ], "Resource": [ "acs:oss:*:*:mybucket/hangzhou/2014/*", "acs:oss:*:*:mybucket/hangzhou/2015/*" ] }, { "Effect": "Allow", "Action": [ "oss:ListObjects" ], "Resource": [ "acs:oss:*:*:mybucket" ], "Condition": { "StringLike": { "oss:Delimiter": "/", "oss:Prefix": [ "", "hangzhou/", "hangzhou/2014/*", "hangzhou/2015/*" ] } } } ] }
Example 6: Prohibit a RAM user from deleting an object in a bucket
The following sample code provides an example on how to prohibit a RAM user from deleting an object in a bucket named mybucket
:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"oss:DeleteObject"
],
"Resource": [
"acs:oss:*:*:mybucket/*"
]
}
]
}
Example 7: Prohibit a RAM user from accessing objects with specific tags
The following sample code with a Deny statement provides an example on how to prohibit a RAM user from accessing objects that are stored in the examplebucket bucket and have the status:ok and key1:value1 tags:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"oss:GetObject"
],
"Resource": [
"acs:oss:*:1746495857602745:examplebucket/*"
],
"Condition": {
"StringEquals": {
"oss:ExistingObjectTag/status":"ok",
"oss:ExistingObjectTag/key1":"value1"
}
}
}
]
}
Example 8: Authorize a RAM user to access OSS from specific IP addresses
- Add IP address conditions in the
Allow
statementThe following sample code provides an example on how to authorize a RAM user to read objects in a bucket named
mybucket
from only IP addresses in the192.168.0.0/16
and172.12.0.0/16
CIDR blocks that are specified in theAllow
statement:{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketInfo", "oss:GetBucketTagging", "oss:GetBucketAcl" ], "Resource": [ "acs:oss:*:*:*" ] }, { "Effect": "Allow", "Action": [ "oss:ListObjects", "oss:GetObject" ], "Resource": [ "acs:oss:*:*:mybucket", "acs:oss:*:*:mybucket/*" ], "Condition":{ "IpAddress": { "acs:SourceIp": ["192.168.0.0/16", "198.51.100.0/24"] } } } ] }
- Add IP address conditions in the
Deny
statementThe following RAM policy sample code provides an example on how to authorize a RAM user to perform operations on OSS resources from only IP addresses in the
192.168.0.0/16
CIDR block that is specified in theDeny
statement. Operations performed from other IP addresses are prohibited.{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketInfo", "oss:GetBucketTagging", "oss:GetBucketAcl" ], "Resource": [ "acs:oss:*:*:*" ] }, { "Effect": "Allow", "Action": [ "oss:ListObjects", "oss:GetObject" ], "Resource": [ "acs:oss:*:*:mybucket", "acs:oss:*:*:mybucket/*" ] }, { "Effect": "Deny", "Action": "oss:*", "Resource": [ "acs:oss:*:*:*" ], "Condition":{ "NotIpAddress": { "acs:SourceIp": ["192.168.0.0/16"] } } } ] }
Note In a RAM policy, a Deny statement takes precedence over an Allow statement. Therefore, when a RAM user attempts to read data in the mybucket bucket from an IP address that is not in the192.168.0.0/16
CIDR block, OSS notifies the RAM user of having no permissions.
Example 9: Use RAM or STS to authorize other users to access OSS resources
- Authorize specific users to access the bucket named
mybucket
and the objects prefixed withmybucket/file*
. - Authorize the users to perform the following operations: GetBucketAcl, GetBucket, PutObject, GetObject, and DeleteObject.
- In the Condition field, set UserAgent to java-sdk and the source IP address to
192.168.0.1
. Only users that meet these conditions can access specific OSS resources. - Authorize the users to list only objects prefixed with foo.
The following RAM policy can meet the requirements of the preceding scenario:
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:GetBucketAcl",
"oss:ListObjects"
],
"Resource": [
"acs:oss:*:177530505652XXXX:mybucket"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"acs:UserAgent": "java-sdk",
"oss:Prefix": "foo"
},
"IpAddress": {
"acs:SourceIp": "192.168.0.1"
}
}
},
{
"Action": [
"oss:PutObject",
"oss:GetObject",
"oss:DeleteObject"
],
"Resource": [
"acs:oss:*:177530505652XXXX:mybucket/file*"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"acs:UserAgent": "java-sdk"
},
"IpAddress": {
"acs:SourceIp": "192.168.0.1"
}
}
}
]
}
Example 10: Use RAM policies to specify that the access control list (ACL) of uploaded objects cannot be public-read or public-read-write
The following sample code provides an example on how to specify that the ACL of objects uploaded to the examplebucket bucket cannot be public-read or public-read-write.
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"oss:PutObject",
"oss:PutObjectAcl"
],
"Resource": [
"acs:oss:*:*:examplebucket",
"acs:oss:*:*:examplebucket/*"
],
"Condition": {
"StringEquals": {
"oss:x-oss-object-acl": [
"public-read",
"public-read-write"
]
}
}
}
]
}
Example 11: Authorize a RAM user to use Intelligent Media Management (IMM) features
The following sample code provides an example on how to authorize a RAM user to use IMM features.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:ProcessImm",
"oss:ram:GetRole"
],
"Resource": "*"
}
]
}