You can configure RAM policies to manage the permissions of users such as employees, systems, or applications and control the resources that can be accessed by users. For example, you can create a RAM policy to authorize users to list and read the objects stored in a specified bucket.

Attach a custom policy to a RAM user

  1. Create a custom policy.
    You can refer to the examples described in this topic based on actual scenarios and create a custom RAM policy by using scripts. For more information about specific operations, see Create a custom policy.

    A RAM policy consists of the Version and Statement elements. A Statement contains the Effect, Action, Resource, and Condition fields, in which the Condition field is optional. For more information, see Overview.

    Notice In OSS, you can set Resource to an asterisk (*) to specify resources of a specific type. The format to specify the resources is acs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name}. For example, if Resource is set to acs:oss:*:*:mybucket/*, all resources in mybucket are specified. If Resource is set to acs:oss:*:*:mybucket/abc*.txt, all .txt objects in mybucket that are prefixed with abc are specified.
  2. Attach the custom policy to a RAM user.
    Attach the RAM policy created in Step 1 to a RAM user. For more information, see Grant permissions to a RAM user.

Example 1: Authorize a RAM user to completely control a bucket

The following RAM policy authorizes a RAM user to completely control a bucket named mybucket.
Warning We recommend that you do not authorize RAM users to completely control a bucket used by mobile apps because it is highly risky.
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "oss:*",
            "Resource": [
                "acs:oss:*:*:mybucket",
                "acs:oss:*:*:mybucket/*"
            ]
        }
    ]
}

Example 2: Prohibit a RAM user from deleting multiple objects in a bucket

The following code provides an example on how to prohibit RAM users from deleting all .txt objects in mybucket that are prefixed with abc:
{
  "Version": "1",
  "Statement": [
        {
         "Effect": "Deny",
         "Action": [
           "oss:DeleteObject"
         ],
         "Resource": [
           "acs:oss:*:*:mybucket/abc*.txt"
         ]
     }
   ]
}

Example 3: Authorize a RAM user to list and read objects in a bucket

  • Authorize a RAM user to list and read objects in a bucket by using OSS SDKs or ossutil

    The following RAM policy authorizes a RAM user to list and read objects in a bucket named mybucket by using OSS SDKs or ossutil:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "oss:ListObjects",
                "Resource": "acs:oss:*:*:mybucket"
            },
            {
                "Effect": "Allow",
                "Action": "oss:GetObject",
                "Resource": "acs:oss:*:*:mybucket/*"
            }
        ]
    }
  • Authorize a RAM user to list and read objects in a bucket in the OSS console

    The following code provides an example on how to authorize RAM users to list and read all resources in a bucket named mybucket in the OSS console:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                          "oss:ListBuckets",
                          "oss:GetBucketStat",
                          "oss:GetBucketInfo",
                          "oss:GetBucketTagging",
                          "oss:GetBucketLifecycle",
                          "oss:GetBucketWorm",                      
                          "oss:GetBucketVersioning", 
                          "oss:GetBucketAcl" 
                          ],    
                "Resource": "acs:oss:*:*:*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListObjects",
                    "oss:GetBucketAcl"
                ],
                "Resource": "acs:oss:*:*:mybucket"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:GetObject",
                    "oss:GetObjectAcl"
                ],
                "Resource": "acs:oss:*:*:mybucket/*"
            }
        ]
    }

Example 4: Prohibit RAM users from deleting a bucket

The following code provides an example on how to prohibit RAM users from deleting resources in a bucket named mybucket:

{
  "Version": "1",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": "oss:*",
          "Resource": [
              "acs:oss:*:*:mybucket",
              "acs:oss:*:*:mybucket/*"
          ]
      },
        {
         "Effect": "Deny",
         "Action": [
           "oss:DeleteBucket"
         ],
         "Resource": [
           "acs:oss:*:*:mybucket"
         ]
     }
   ]
}

Example 5: Authorize a RAM user to access multiple folders in a bucket

In this example, a bucket named mybucket is used to store photos. The bucket contains multiple folders that are named based on the locations where the photos were captured. Each folder contains subfolders that are named based on the years when the photos were captured.

mybucket[Bucket]
  ├── beijing
  │   ├── 2014
  │   └── 2015
  ├── hangzhou
  │   ├── 2013
  │   ├── 2014
  │   └── 2015 
  └── qingdao
      ├── 2014
      └── 2015

In this example, RAM policies are created to grant a RAM user read-only permissions on the mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/ folders. Authorization based on folders is an advanced feature of RAM policies. The complexity of RAM policies is different based on scenarios. You can refer to the RAM policies in the following scenarios to grant permissions to users:

  • Authorize a RAM user to only read objects in the mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/ folders

    In this scenario, the RAM user knows the full path of the object to be accessed. Therefore, we recommend that you configure the RAM policy to allow the RAM user to access the object by using the full path of the object.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "oss:GetObject"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket/hangzhou/2014/*",
                    "acs:oss:*:*:mybucket/hangzhou/2015/*"
                ]
            }
        ]
    }
  • Authorize a RAM user to access the mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/ folders and list the objects in the folders by using ossutil

    In this scenario, the RAM user does not know the objects in the folders and can use ossutil or call API operations to obtain the information about the objects in the folders. In this case, the permission to perform ListObjects must be specified in the policy.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "oss:GetObject"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket/hangzhou/2014/*",
                    "acs:oss:*:*:mybucket/hangzhou/2015/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListObjects"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket"
                ],
                "Condition":{
                    "StringLike":{
                        "oss:Prefix": [
                            "hangzhou/2014/*",
                        "hangzhou/2015/*"
                         ]
                    }
                }
            }
        ]
    }
  • Authorize RAM users to access directories in the OSS console

    In this scenario, the RAM user can use the OSS console to access the mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/ folders from the root folder by level.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                          "oss:ListBuckets",
                          "oss:GetBucketStat",
                          "oss:GetBucketInfo",
                          "oss:GetBucketTagging",
                          "oss:GetBucketLifecycle",
                          "oss:GetBucketWorm",                      
                          "oss:GetBucketVersioning", 
                          "oss:GetBucketAcl" 
                          ], 
                "Resource": [
                    "acs:oss:*:*:*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:GetObject",
                    "oss:GetObjectAcl"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket/hangzhou/2014/*",
                    "acs:oss:*:*:mybucket/hangzhou/2015/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListObjects"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket"
                ],
                "Condition": {
                    "StringLike": {
                        "oss:Delimiter": "/",
                        "oss:Prefix": [
                            "",
                            "hangzhou/",
                            "hangzhou/2014/*",
                            "hangzhou/2015/*"
                        ]
                    }
                }
            }
        ]
    }

Example 6: Prohibit a RAM user from deleting an object in a bucket

The following RAM policy prohibits a RAM user from deleting an object in a bucket named mybucket:

{
  "Version": "1",
  "Statement": [
        {
         "Effect": "Deny",
         "Action": [
           "oss:DeleteObject"
         ],
         "Resource": [
           "acs:oss:*:*:mybucket/*"
         ]
     }
   ]
}

Example 7: Prohibit a RAM user from accessing objects with specified tags

The following RAM policy includes a Deny statement that prohibits a RAM user from accessing objects that are stored in the examplebucket bucket and have the status:ok and key1:value1 tags:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "oss:GetObject"
            ],
            "Resource": [
                "acs:oss:*:1746495857602745:examplebucket/*"
            ],
            "Condition": {
                "StringEquals": {
                    "oss:ExistingObjectTag/status":"ok",
                    "oss:ExistingObjectTag/key1":"value1"
                }
            }
        }
    ]
}

Example 8: Authorize a RAM user to access OSS from specified IP addresses

  • Add IP address conditions in the Allow statement

    The following RAM policy authorizes a RAM user to read objects in a bucket named mybucket from only IP addresses in the 192.168.0.0/16 and 172.12.0.0/16 CIDR blocks that are specified in the Allow statement:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                          "oss:ListBuckets",
                          "oss:GetBucketStat",
                          "oss:GetBucketInfo",
                          "oss:GetBucketTagging",
                          "oss:GetBucketAcl" 
                          ], 
                "Resource": [
                    "acs:oss:*:*:*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListObjects",
                    "oss:GetObject"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket",
                    "acs:oss:*:*:mybucket/*"
                ],
                "Condition":{
                    "IpAddress": {
                        "acs:SourceIp": ["192.168.0.0/16", "172.12.0.0/16"]
                    }
                }
            }
        ]
    }
  • Add IP address conditions in the Deny statement

    The following RAM policy authorizes a RAM user to perform operations on OSS resources from only IP addresses in the 192.168.0.0/16 CIDR block that is specified in the Deny statement. Operations performed from other IP addresses are prohibited.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                          "oss:ListBuckets",
                          "oss:GetBucketStat",
                          "oss:GetBucketInfo",
                          "oss:GetBucketTagging",
                          "oss:GetBucketAcl" 
                          ], 
                "Resource": [
                    "acs:oss:*:*:*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListObjects",
                    "oss:GetObject"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket",
                    "acs:oss:*:*:mybucket/*"
                ]
            },
            {
                "Effect": "Deny",
                "Action": "oss:*",
                "Resource": [
                    "acs:oss:*:*:*"
                ],
                "Condition":{
                    "NotIpAddress": {
                        "acs:SourceIp": ["192.168.0.0/16"]
                    }
                }
            }
        ]
    }
    Note In a RAM policy, a Deny statement takes precedence over an Allow statement. Therefore, when a RAM user attempts to read data in the mybucket bucket from an IP address that is not in the 192.168.0.0/16 CIDR block, OSS notifies the RAM user of having no permissions.

Example 9: Use RAM or STS to authorize other users to access OSS resources

In this scenario, you can create a RAM policy to perform the following operations:
  • Authorize specific users to access the bucket named mybucket and the objects prefixed with mybucket/file*.
  • Authorize the users to perform the following operations: GetBucketAcl, GetBucket, PutObject, GetObject, and DeleteObject.
  • In the Condition field, set UserAgent to java-sdk and the source IP address to 192.168.0.1. Only users that meet these conditions can access specified OSS resources.
  • Authorize the users to list only objects prefixed with foo.

The following RAM policy can meet the requirements of the preceding scenario:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:GetBucketAcl",
                "oss:ListObjects"
            ],
            "Resource": [
                "acs:oss:*:177530505652XXXX:mybucket"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "acs:UserAgent": "java-sdk",
                    "oss:Prefix": "foo"
                },
                "IpAddress": {
                    "acs:SourceIp": "192.168.0.1"
                }
            }
        },
        {
            "Action": [
                "oss:PutObject",
                "oss:GetObject",
                "oss:DeleteObject"
            ],
            "Resource": [
                "acs:oss:*:177530505652XXXX:mybucket/file*"
            ],
            "Effect": "Allow",
            "Condition": {
               "StringEquals": {
                    "acs:UserAgent": "java-sdk"
                },
                "IpAddress": {
                    "acs:SourceIp": "192.168.0.1"
                }
            }
        }
    ]
}