You can configure Resource Access Management (RAM) policies to manage the permissions of users, such as employees, systems, or applications, and control the resources that can be accessed by users. For example, you can create a RAM policy to authorize users to list and read the objects that are stored in a specific bucket.

Attach a custom policy to a RAM user

  1. Create a custom policy.
    You can refer to the examples described in this topic based on actual scenarios and create a custom RAM policy by using scripts. For more information, see Create a custom policy.

    A RAM policy contains a version number and a statement. Each statement contains the following elements: Effect, Action, Resource, and Condition. The Condition element is optional. For more information, see Overview.

    Important In Object Storage Service (OSS), you can set Resource to an asterisk wildcard character (*) to specify resources of a specific type. The format that is used to specify the resources is acs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name}. For example, if Resource is set to acs:oss:*:*:mybucket/*, all resources in the mybucket bucket are specified. If Resource is set to acs:oss:*:*:mybucket/abc*.txt, all .txt objects in the mybucket bucket that are prefixed with abc are specified.
  2. Attach the custom policy to a RAM user.
    Attach the RAM policy that is created in Step 1 to a RAM user. For more information, see Grant permissions to the RAM user.

Example 1: Authorize a RAM user to completely control a bucket

The following sample code provides an example on how to authorize a RAM user to completely control a bucket named mybucket.
Warning We recommend that you do not authorize RAM users to completely control a bucket used by mobile apps because it is highly risky.
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "oss:*",
            "Resource": [
                "acs:oss:*:*:mybucket",
                "acs:oss:*:*:mybucket/*"
            ]
        }
    ]
}

Example 2: Prohibit a RAM user from deleting multiple objects in a bucket

The following sample code provides an example on how to prohibit RAM users from deleting all .txt objects in a bucket named mybucket that are prefixed with abc:
{
  "Version": "1",
  "Statement": [
        {
         "Effect": "Deny",
         "Action": [
           "oss:DeleteObject"
         ],
         "Resource": [
           "acs:oss:*:*:mybucket/abc*.txt"
         ]
     }
   ]
}

Example 3: Authorize a RAM user to list and read objects in a bucket

  • Authorize a RAM user to list and read objects in a bucket by using OSS SDKs or ossutil

    The following sample code provides an example on how to authorize a RAM user to list and read objects in a bucket named mybucket by using OSS SDKs or ossutil:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "oss:ListObjects",
                "Resource": "acs:oss:*:*:mybucket"
            },
            {
                "Effect": "Allow",
                "Action": "oss:GetObject",
                "Resource": "acs:oss:*:*:mybucket/*"
            }
        ]
    }
  • Authorize a RAM user to list and read objects in a bucket in the OSS console

    The following sample code provides an example on how to authorize RAM users to list and read all resources in a bucket named mybucket in the OSS console:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                          "oss:ListBuckets",
                          "oss:GetBucketStat",
                          "oss:GetBucketInfo",
                          "oss:GetBucketTagging",
                          "oss:GetBucketLifecycle",
                          "oss:GetBucketWorm",                      
                          "oss:GetBucketVersioning", 
                          "oss:GetBucketAcl" 
                          ],    
                "Resource": "acs:oss:*:*:*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListObjects",
                    "oss:GetBucketAcl"
                ],
                "Resource": "acs:oss:*:*:mybucket"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:GetObject",
                    "oss:GetObjectAcl"
                ],
                "Resource": "acs:oss:*:*:mybucket/*"
            }
        ]
    }

Example 4: Prohibit RAM users from deleting a bucket

The following sample code provides an example on how to prohibit RAM users from deleting a bucket named mybucket:

{
  "Version": "1",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": "oss:*",
          "Resource": [
              "acs:oss:*:*:mybucket",
              "acs:oss:*:*:mybucket/*"
          ]
      },
        {
         "Effect": "Deny",
         "Action": [
           "oss:DeleteBucket"
         ],
         "Resource": [
           "acs:oss:*:*:mybucket"
         ]
     }
   ]
}

Example 5: Authorize a RAM user to access multiple directories in a bucket

In this example, a bucket named mybucket is used to store photos. The bucket contains multiple directories that are named based on the locations where the photos were captured. Each directory contains subdirectories that are named based on the years when the photos were captured.

mybucket[Bucket]
  ├── beijing
  │   ├── 2014
  │   └── 2015
  ├── hangzhou
  │   ├── 2013
  │   ├── 2014
  │   └── 2015 
  └── qingdao
      ├── 2014
      └── 2015

In this example, RAM policies are created to grant a RAM user read-only permissions on the mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/ directories. Authorization based on directories is an advanced feature of RAM policies. The complexity of RAM policies varies based on scenarios. You can refer to the RAM policies in the following scenarios to grant permissions to RAM users:

  • Authorize a RAM user to only read objects in the mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/ directories

    In this scenario, the RAM user knows the full path of the object to be accessed. We recommend that you configure the RAM policy to authorize the RAM user to access the object by using the full path of the object.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "oss:GetObject"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket/hangzhou/2014/*",
                    "acs:oss:*:*:mybucket/hangzhou/2015/*"
                ]
            }
        ]
    }
  • Authorize a RAM user to access the mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/ directories and list the objects in the directories by using ossutil

    In this scenario, the RAM user does not know the objects in the directories and can use ossutil or call API operations to obtain information about the objects in the directories. In this case, the permissions to perform the ListObjects operation must be specified in the RM policy.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "oss:GetObject"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket/hangzhou/2014/*",
                    "acs:oss:*:*:mybucket/hangzhou/2015/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListObjects"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket"
                ],
                "Condition":{
                    "StringLike":{
                        "oss:Prefix": [
                            "hangzhou/2014/*",
                        "hangzhou/2015/*"
                         ]
                    }
                }
            }
        ]
    }
  • Authorize RAM users to access directories in the OSS console

    In this scenario, the RAM user can use the OSS console to access the mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/ directories from the root directory by level.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                          "oss:ListBuckets",
                          "oss:GetBucketStat",
                          "oss:GetBucketInfo",
                          "oss:GetBucketTagging",
                          "oss:GetBucketLifecycle",
                          "oss:GetBucketWorm",                      
                          "oss:GetBucketVersioning", 
                          "oss:GetBucketAcl" 
                          ], 
                "Resource": [
                    "acs:oss:*:*:*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:GetObject",
                    "oss:GetObjectAcl"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket/hangzhou/2014/*",
                    "acs:oss:*:*:mybucket/hangzhou/2015/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListObjects"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket"
                ],
                "Condition": {
                    "StringLike": {
                        "oss:Delimiter": "/",
                        "oss:Prefix": [
                            "",
                            "hangzhou/",
                            "hangzhou/2014/*",
                            "hangzhou/2015/*"
                        ]
                    }
                }
            }
        ]
    }

Example 6: Prohibit a RAM user from deleting an object in a bucket

The following sample code provides an example on how to prohibit a RAM user from deleting an object in a bucket named mybucket:

{
  "Version": "1",
  "Statement": [
        {
         "Effect": "Deny",
         "Action": [
           "oss:DeleteObject"
         ],
         "Resource": [
           "acs:oss:*:*:mybucket/*"
         ]
     }
   ]
}

Example 7: Prohibit a RAM user from accessing objects with specific tags

The following sample code with a Deny statement provides an example on how to prohibit a RAM user from accessing objects that are stored in the examplebucket bucket and have the status:ok and key1:value1 tags:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "oss:GetObject"
            ],
            "Resource": [
                "acs:oss:*:1746495857602745:examplebucket/*"
            ],
            "Condition": {
                "StringEquals": {
                    "oss:ExistingObjectTag/status":"ok",
                    "oss:ExistingObjectTag/key1":"value1"
                }
            }
        }
    ]
}

Example 8: Authorize a RAM user to access OSS from specific IP addresses

  • Add IP address conditions in the Allow statement

    The following sample code provides an example on how to authorize a RAM user to read objects in a bucket named mybucket from only IP addresses in the 192.168.0.0/16 and 172.12.0.0/16 CIDR blocks that are specified in the Allow statement:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                          "oss:ListBuckets",
                          "oss:GetBucketStat",
                          "oss:GetBucketInfo",
                          "oss:GetBucketTagging",
                          "oss:GetBucketAcl" 
                          ], 
                "Resource": [
                    "acs:oss:*:*:*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListObjects",
                    "oss:GetObject"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket",
                    "acs:oss:*:*:mybucket/*"
                ],
                "Condition":{
                    "IpAddress": {
                        "acs:SourceIp": ["192.168.0.0/16", "198.51.100.0/24"]
                    }
                }
            }
        ]
    }
  • Add IP address conditions in the Deny statement

    The following RAM policy sample code provides an example on how to authorize a RAM user to perform operations on OSS resources from only IP addresses in the 192.168.0.0/16 CIDR block that is specified in the Deny statement. Operations performed from other IP addresses are prohibited.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                          "oss:ListBuckets",
                          "oss:GetBucketStat",
                          "oss:GetBucketInfo",
                          "oss:GetBucketTagging",
                          "oss:GetBucketAcl" 
                          ], 
                "Resource": [
                    "acs:oss:*:*:*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListObjects",
                    "oss:GetObject"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket",
                    "acs:oss:*:*:mybucket/*"
                ]
            },
            {
                "Effect": "Deny",
                "Action": "oss:*",
                "Resource": [
                    "acs:oss:*:*:*"
                ],
                "Condition":{
                    "NotIpAddress": {
                        "acs:SourceIp": ["192.168.0.0/16"]
                    }
                }
            }
        ]
    }
    Note In a RAM policy, a Deny statement takes precedence over an Allow statement. Therefore, when a RAM user attempts to read data in the mybucket bucket from an IP address that is not in the 192.168.0.0/16 CIDR block, OSS notifies the RAM user of having no permissions.

Example 9: Use RAM or STS to authorize other users to access OSS resources

In this scenario, you can create a RAM policy to perform the following operations:
  • Authorize specific users to access the bucket named mybucket and the objects prefixed with mybucket/file*.
  • Authorize the users to perform the following operations: GetBucketAcl, GetBucket, PutObject, GetObject, and DeleteObject.
  • In the Condition field, set UserAgent to java-sdk and the source IP address to 192.168.0.1. Only users that meet these conditions can access specific OSS resources.
  • Authorize the users to list only objects prefixed with foo.

The following RAM policy can meet the requirements of the preceding scenario:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:GetBucketAcl",
                "oss:ListObjects"
            ],
            "Resource": [
                "acs:oss:*:177530505652XXXX:mybucket"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "acs:UserAgent": "java-sdk",
                    "oss:Prefix": "foo"
                },
                "IpAddress": {
                    "acs:SourceIp": "192.168.0.1"
                }
            }
        },
        {
            "Action": [
                "oss:PutObject",
                "oss:GetObject",
                "oss:DeleteObject"
            ],
            "Resource": [
                "acs:oss:*:177530505652XXXX:mybucket/file*"
            ],
            "Effect": "Allow",
            "Condition": {
               "StringEquals": {
                    "acs:UserAgent": "java-sdk"
                },
                "IpAddress": {
                    "acs:SourceIp": "192.168.0.1"
                }
            }
        }
    ]
}

Example 10: Use RAM policies to specify that the access control list (ACL) of uploaded objects cannot be public-read or public-read-write

The following sample code provides an example on how to specify that the ACL of objects uploaded to the examplebucket bucket cannot be public-read or public-read-write.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
              "oss:PutObject",
              "oss:PutObjectAcl"
              ],
            "Resource": [
                "acs:oss:*:*:examplebucket",
                "acs:oss:*:*:examplebucket/*"
            ],
            "Condition": {
                "StringEquals": {
                    "oss:x-oss-object-acl": [
                        "public-read",
                        "public-read-write"
                    ]
                }
            }
        }
    ]
}

Example 11: Authorize a RAM user to use Intelligent Media Management (IMM) features

The following sample code provides an example on how to authorize a RAM user to use IMM features.

{
  "Version": "1",
  "Statement": [
        {
         "Effect": "Allow",
         "Action": [
           "oss:ProcessImm",
           "oss:ram:GetRole"
         ],
         "Resource": "*"
     }
   ]
}