You can configure RAM policies to manage the permissions of users such as employees, systems, or applications and control the resources that can be accessed by users. For example, you can create a RAM policy to authorize users to list and read the objects stored in a specified bucket.
Attach a custom policy to a RAM user
Example 1: Authorize a RAM user to completely control a bucket
mybucket.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "oss:*",
"Resource": [
"acs:oss:*:*:mybucket",
"acs:oss:*:*:mybucket/*"
]
}
]
}Example 2: Prohibit a RAM user from deleting multiple objects in a bucket
mybucket that are prefixed with abc:{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"oss:DeleteObject"
],
"Resource": [
"acs:oss:*:*:mybucket/abc*.txt"
]
}
]
}Example 3: Authorize a RAM user to list and read objects in a bucket
- Authorize a RAM user to list and read objects in a bucket by using OSS SDKs or ossutil
The following RAM policy authorizes a RAM user to list and read objects in a bucket named
mybucketby using OSS SDKs or ossutil:{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "oss:ListObjects", "Resource": "acs:oss:*:*:mybucket" }, { "Effect": "Allow", "Action": "oss:GetObject", "Resource": "acs:oss:*:*:mybucket/*" } ] } - Authorize a RAM user to list and read objects in a bucket in the OSS console
The following code provides an example on how to authorize RAM users to list and read all resources in a bucket named
mybucketin the OSS console:{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketInfo", "oss:GetBucketTagging", "oss:GetBucketLifecycle", "oss:GetBucketWorm", "oss:GetBucketVersioning", "oss:GetBucketAcl" ], "Resource": "acs:oss:*:*:*" }, { "Effect": "Allow", "Action": [ "oss:ListObjects", "oss:GetBucketAcl" ], "Resource": "acs:oss:*:*:mybucket" }, { "Effect": "Allow", "Action": [ "oss:GetObject", "oss:GetObjectAcl" ], "Resource": "acs:oss:*:*:mybucket/*" } ] }
Example 4: Prohibit RAM users from deleting a bucket
The following code provides an example on how to prohibit RAM users from deleting
resources in a bucket named mybucket:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "oss:*",
"Resource": [
"acs:oss:*:*:mybucket",
"acs:oss:*:*:mybucket/*"
]
},
{
"Effect": "Deny",
"Action": [
"oss:DeleteBucket"
],
"Resource": [
"acs:oss:*:*:mybucket"
]
}
]
}Example 5: Authorize a RAM user to access multiple folders in a bucket
In this example, a bucket named mybucket is used to store photos. The bucket contains multiple folders that are named based
on the locations where the photos were captured. Each folder contains subfolders that
are named based on the years when the photos were captured.
mybucket[Bucket]
├── beijing
│ ├── 2014
│ └── 2015
├── hangzhou
│ ├── 2013
│ ├── 2014
│ └── 2015
└── qingdao
├── 2014
└── 2015In this example, RAM policies are created to grant a RAM user read-only permissions
on the mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/ folders. Authorization based on folders is an advanced feature of RAM policies. The
complexity of RAM policies is different based on scenarios. You can refer to the RAM
policies in the following scenarios to grant permissions to users:
- Authorize a RAM user to only read objects in the
mybucket/hangzhou/2014/andmybucket/hangzhou/2015/foldersIn this scenario, the RAM user knows the full path of the object to be accessed. Therefore, we recommend that you configure the RAM policy to allow the RAM user to access the object by using the full path of the object.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:GetObject" ], "Resource": [ "acs:oss:*:*:mybucket/hangzhou/2014/*", "acs:oss:*:*:mybucket/hangzhou/2015/*" ] } ] } - Authorize a RAM user to access the
mybucket/hangzhou/2014/andmybucket/hangzhou/2015/folders and list the objects in the folders by using ossutilIn this scenario, the RAM user does not know the objects in the folders and can use ossutil or call API operations to obtain the information about the objects in the folders. In this case, the permission to perform
ListObjectsmust be specified in the policy.{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:GetObject" ], "Resource": [ "acs:oss:*:*:mybucket/hangzhou/2014/*", "acs:oss:*:*:mybucket/hangzhou/2015/*" ] }, { "Effect": "Allow", "Action": [ "oss:ListObjects" ], "Resource": [ "acs:oss:*:*:mybucket" ], "Condition":{ "StringLike":{ "oss:Prefix": [ "hangzhou/2014/*", "hangzhou/2015/*" ] } } } ] } - Authorize RAM users to access directories in the OSS console
In this scenario, the RAM user can use the OSS console to access the
mybucket/hangzhou/2014/andmybucket/hangzhou/2015/folders from the root folder by level.{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketInfo", "oss:GetBucketTagging", "oss:GetBucketLifecycle", "oss:GetBucketWorm", "oss:GetBucketVersioning", "oss:GetBucketAcl" ], "Resource": [ "acs:oss:*:*:*" ] }, { "Effect": "Allow", "Action": [ "oss:GetObject", "oss:GetObjectAcl" ], "Resource": [ "acs:oss:*:*:mybucket/hangzhou/2014/*", "acs:oss:*:*:mybucket/hangzhou/2015/*" ] }, { "Effect": "Allow", "Action": [ "oss:ListObjects" ], "Resource": [ "acs:oss:*:*:mybucket" ], "Condition": { "StringLike": { "oss:Delimiter": "/", "oss:Prefix": [ "", "hangzhou/", "hangzhou/2014/*", "hangzhou/2015/*" ] } } } ] }
Example 6: Prohibit a RAM user from deleting an object in a bucket
The following RAM policy prohibits a RAM user from deleting an object in a bucket
named mybucket:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"oss:DeleteObject"
],
"Resource": [
"acs:oss:*:*:mybucket/*"
]
}
]
}Example 7: Prohibit a RAM user from accessing objects with specified tags
The following RAM policy includes a Deny statement that prohibits a RAM user from accessing objects that are stored in the examplebucket bucket and have the status:ok and key1:value1 tags:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"oss:GetObject"
],
"Resource": [
"acs:oss:*:1746495857602745:examplebucket/*"
],
"Condition": {
"StringEquals": {
"oss:ExistingObjectTag/status":"ok",
"oss:ExistingObjectTag/key1":"value1"
}
}
}
]
}Example 8: Authorize a RAM user to access OSS from specified IP addresses
- Add IP address conditions in the
AllowstatementThe following RAM policy authorizes a RAM user to read objects in a bucket named
mybucketfrom only IP addresses in the192.168.0.0/16and172.12.0.0/16CIDR blocks that are specified in theAllowstatement:{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketInfo", "oss:GetBucketTagging", "oss:GetBucketAcl" ], "Resource": [ "acs:oss:*:*:*" ] }, { "Effect": "Allow", "Action": [ "oss:ListObjects", "oss:GetObject" ], "Resource": [ "acs:oss:*:*:mybucket", "acs:oss:*:*:mybucket/*" ], "Condition":{ "IpAddress": { "acs:SourceIp": ["192.168.0.0/16", "172.12.0.0/16"] } } } ] } - Add IP address conditions in the
DenystatementThe following RAM policy authorizes a RAM user to perform operations on OSS resources from only IP addresses in the
192.168.0.0/16CIDR block that is specified in theDenystatement. Operations performed from other IP addresses are prohibited.{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketInfo", "oss:GetBucketTagging", "oss:GetBucketAcl" ], "Resource": [ "acs:oss:*:*:*" ] }, { "Effect": "Allow", "Action": [ "oss:ListObjects", "oss:GetObject" ], "Resource": [ "acs:oss:*:*:mybucket", "acs:oss:*:*:mybucket/*" ] }, { "Effect": "Deny", "Action": "oss:*", "Resource": [ "acs:oss:*:*:*" ], "Condition":{ "NotIpAddress": { "acs:SourceIp": ["192.168.0.0/16"] } } } ] }Note In a RAM policy, a Deny statement takes precedence over an Allow statement. Therefore, when a RAM user attempts to read data in the mybucket bucket from an IP address that is not in the192.168.0.0/16CIDR block, OSS notifies the RAM user of having no permissions.
Example 9: Use RAM or STS to authorize other users to access OSS resources
- Authorize specific users to access the bucket named
mybucketand the objects prefixed withmybucket/file*. - Authorize the users to perform the following operations: GetBucketAcl, GetBucket, PutObject, GetObject, and DeleteObject.
- In the Condition field, set UserAgent to java-sdk and the source IP address to
192.168.0.1. Only users that meet these conditions can access specified OSS resources. - Authorize the users to list only objects prefixed with foo.
The following RAM policy can meet the requirements of the preceding scenario:
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:GetBucketAcl",
"oss:ListObjects"
],
"Resource": [
"acs:oss:*:177530505652XXXX:mybucket"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"acs:UserAgent": "java-sdk",
"oss:Prefix": "foo"
},
"IpAddress": {
"acs:SourceIp": "192.168.0.1"
}
}
},
{
"Action": [
"oss:PutObject",
"oss:GetObject",
"oss:DeleteObject"
],
"Resource": [
"acs:oss:*:177530505652XXXX:mybucket/file*"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"acs:UserAgent": "java-sdk"
},
"IpAddress": {
"acs:SourceIp": "192.168.0.1"
}
}
}
]
}