Object Storage Service: Examples of configuring bucket policies to allow or deny user access to OSS

Last Updated: Mar 13, 2024

A bucket policy lets you allow or deny access to specific Object Storage Service (OSS) resources for anonymous users or for identified users such as Alibaba Cloud accounts, RAM users, and RAM roles. For example, you can grant a RAM user of another Alibaba Cloud account read-only permissions on specific OSS resources.

Common description

Unlike RAM policies, bucket policies contain the Principal element, which specifies the users to whom a statement applies. By setting the Principal element you can allow or deny access to specific OSS resources for different users in a fine-grained manner, and you can manage the permissions of many users on a resource in one place instead of repeating the same authorization or restriction in each user's RAM policy. For example, you can set the Principal element to the UIDs of multiple RAM users to match exactly those RAM users, or to an asterisk (*) to match all users.

Usage notes

  • If you set the Principal element to an asterisk (*) and specify a Condition element, the bucket policy applies to all users, including the bucket owner. If a Deny statement of this form matches a request, requests from the bucket owner, who otherwise has full permissions on the bucket, are rejected as well.

  • If you set the Principal element to an asterisk (*) and do not specify a Condition element, the bucket policy applies to all users except the bucket owner. A Deny statement of this form never matches requests from the bucket owner, so the bucket owner's requests are not rejected.

Example 1: Grant specific RAM users the permissions to read and write a bucket

If you want to grant specific members of your team or partners the permissions to upload, download, and manage objects in a bucket, you can configure a bucket policy that grants the permissions to the RAM users that correspond to these members, instead of configuring a policy for each RAM user. The following sample code shows how to configure a bucket policy that grants the RAM users whose UIDs are 27737962156157xxxx and 20214760404935xxxx the permissions to read and write a bucket named examplebucket.

Important

In the following Allow statement, the RAM users are not granted the permissions to list buckets. In this case, the RAM users cannot view all buckets on the Buckets page in the OSS console or find and open a specific bucket. The RAM users can access a specific bucket by adding it to the favorite path. The RAM users do not need to have the permissions to list buckets. For more information, see OSS access paths.

{
    "Version":"1",
    "Statement":[
        {
            "Effect":"Allow",
            "Action":[
                "oss:GetObject",
                "oss:PutObject",
                "oss:GetObjectAcl",
                "oss:PutObjectAcl",
                "oss:AbortMultipartUpload",
                "oss:ListParts",
                "oss:RestoreObject",
                "oss:GetVodPlaylist",
                "oss:PostVodPlaylist",
                "oss:PublishRtmpStream",
                "oss:ListObjectVersions",
                "oss:GetObjectVersion",
                "oss:GetObjectVersionAcl",
                "oss:RestoreObjectVersion"
            ],
            "Principal":[
                "27737962156157xxxx",
                "20214760404935xxxx"
            ],
            "Resource":[
                "acs:oss:*:174649585760xxxx:examplebucket/*"
            ]
        },
        {
            "Effect":"Allow",
            "Action":[
                "oss:ListObjects"
            ],
            "Principal":[
                "27737962156157xxxx",
                "20214760404935xxxx"
            ],
            "Resource":[
                "acs:oss:*:174649585760xxxx:examplebucket"
            ],
            "Condition":{
                "StringLike":{
                    "oss:Prefix":[
                        "*"
                    ]
                }
            }
        }
    ]
}
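The following Python script is an added example; it is not code from this page or from the OSS SDK. It builds a policy in the shape of Example 1 (kept to the plain object read/write actions) for any number of RAM user UIDs, which is the point made under "Common description" about listing several UIDs in one Principal element, and then runs the static checks a reviewer would apply before the policy is attached: required elements present, Version is "1", object actions paired with an object resource and oss:ListObjects paired with the bare bucket resource, and any unconditional Allow for all users (*) flagged for review. The action classification is taken from this page's examples, the UIDs are the masked placeholders from the page, and the lint rules are the example's own.

```python
import json
import re

# Action classification taken from the examples on this page: object actions need a resource
# that names objects ("...:examplebucket/*"); bucket actions need the bare bucket resource.
OBJECT_ACTIONS = {
    "oss:GetObject", "oss:PutObject", "oss:GetObjectAcl", "oss:PutObjectAcl",
    "oss:AbortMultipartUpload", "oss:ListParts", "oss:RestoreObject",
    "oss:GetObjectVersion", "oss:GetObjectVersionAcl", "oss:RestoreObjectVersion",
}
BUCKET_ACTIONS = {"oss:ListObjects"}

# acs:oss:<region>:<account>:<bucket>[/<object pattern>]
RESOURCE_RE = re.compile(r"^acs:oss:([^:]+):([^:]+):([^:/]+)(/.*)?$")


def build_read_write_policy(owner_uid, bucket, ram_uids):
    """Build an Example 1 style read/write policy for any number of RAM user UIDs."""
    principals = sorted(set(ram_uids))
    return {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": sorted(OBJECT_ACTIONS),
                "Principal": principals,
                "Resource": [f"acs:oss:*:{owner_uid}:{bucket}/*"],
            },
            {
                "Effect": "Allow",
                "Action": sorted(BUCKET_ACTIONS),
                "Principal": principals,
                "Resource": [f"acs:oss:*:{owner_uid}:{bucket}"],
                "Condition": {"StringLike": {"oss:Prefix": ["*"]}},
            },
        ],
    }


def lint_policy(policy):
    """Return a list of findings; an empty list means every check below passed."""
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    for i, st in enumerate(policy.get("Statement", [])):
        for key in ("Effect", "Action", "Principal", "Resource"):
            if key not in st:
                findings.append(f"statement {i}: missing {key}")
        if st.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"statement {i}: Effect must be Allow or Deny")
        # An Allow for "*" with no Condition opens the resource to every user, anonymous ones included.
        if st.get("Effect") == "Allow" and "*" in st.get("Principal", []) and "Condition" not in st:
            findings.append(f"statement {i}: unconditional Allow for all users (*)")
        for res in st.get("Resource", []):
            m = RESOURCE_RE.match(res)
            if not m:
                findings.append(f"statement {i}: malformed resource {res}")
                continue
            names_objects = m.group(4) is not None
            for action in st.get("Action", []):
                if action in OBJECT_ACTIONS and not names_objects:
                    findings.append(f"statement {i}: {action} needs an object resource, got {res}")
                if action in BUCKET_ACTIONS and names_objects:
                    findings.append(f"statement {i}: {action} needs the bucket resource, got {res}")
    return findings


if __name__ == "__main__":
    policy = build_read_write_policy("174649585760xxxx", "examplebucket",
                                     ["27737962156157xxxx", "20214760404935xxxx"])
    print(json.dumps(policy, indent=4))
    print(lint_policy(policy))  # []
```

The serialized JSON is what you paste into the console or pass as a string to the oss2 SDK's Bucket.put_bucket_policy method. The lint deliberately reports the public listing grant of Example 3 as a finding: an unconditional Allow for all users is sometimes intended, but it should never reach a bucket unreviewed.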

Example 2: Grant specific RAM users the permissions to read specific directories of a bucket

If you need to protect specific project objects in a bucket from tampering but want to allow specific project members to list and read these objects, you can grant the members the permissions to list and read the project objects. The following sample code provides an example on how to configure a bucket policy to grant a RAM user whose UID is 20214760404935xxxx the permissions to read the hangzhou/2020 and shanghai/2015 directories of a bucket named examplebucket.

Important

In the following Allow statement, the RAM user is not granted the permissions to list buckets. In this case, the RAM user cannot view all buckets on the Buckets page in the OSS console or find and open a specific bucket. The RAM user can access a specific bucket by adding it to the favorite path. The RAM user does not need to have the permissions to list buckets. For more information, see OSS access paths.

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "oss:GetObject",
                "oss:GetObjectAcl",
                "oss:GetObjectVersion",
                "oss:GetObjectVersionAcl"
            ],
            "Effect":"Allow",
            "Principal":[
                "20214760404935xxxx"
            ],
            "Resource":[
                "acs:oss:*:174649585760xxxx:examplebucket/hangzhou/2020/*",
                "acs:oss:*:174649585760xxxx:examplebucket/shanghai/2015/*"
            ]
        },
        {
            "Action":[
                "oss:ListObjects",
                "oss:ListObjectVersions"
            ],
            "Condition":{
                "StringLike":{
                    "oss:Prefix":[
                        "hangzhou/2020/*",
                        "shanghai/2015/*"
                    ]
                }
            },
            "Effect":"Allow",
            "Principal":[
                "20214760404935xxxx"
            ],
            "Resource":[
                "acs:oss:*:174649585760xxxx:examplebucket"
            ]
        }
    ]
}

Example 3: Grant all users the permissions to only list all objects in a bucket

If your bucket is used for public resource sharing and you want all users to view object names but not object content, you can set the Principal element to an asterisk (*) and grant all users the permissions to list all objects in the bucket. The following sample code provides an example on how to configure a bucket policy to grant all users the permissions to only list all objects in a bucket named examplebucket:

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "oss:ListObjects",
                "oss:ListObjectVersions"
            ],
            "Effect":"Allow",
            "Principal":[
                "*"
            ],
            "Resource":[
                "acs:oss:*:174649585760xxxx:examplebucket"
            ]
        }
    ]
}

Example 4: Grant specific RAM users the permissions to view information about a bucket and list all objects in the bucket

If you want to grant specific members of your team or partners the permissions to view information about a bucket and list all objects in the bucket, you can configure a bucket policy that grants the permissions to the RAM users that correspond to these members, instead of configuring a policy for each RAM user. The following sample code shows how to grant a specific RAM user the permissions to view information about a bucket named examplebucket and list objects in the bucket. Note that oss:Get* on the bucket resource matches every Get action on that bucket, including reads of bucket configuration, so narrow the action list if the members only need to see objects.

Important

In the following Allow statement, the RAM users are not granted the permissions to list buckets. In this case, the RAM users cannot view all buckets on the Buckets page in the OSS console or find and open a specific bucket. The RAM users can access a specific bucket by adding it to the favorite path. The RAM users do not need to have the permissions to list buckets. For more information, see OSS access paths.

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "oss:Get*",
                "oss:ListObjects",
                "oss:ListObjectVersions"
            ],
            "Effect":"Allow",
            "Principal":[
                "20214760404935xxxx"
            ],
            "Resource":[
                "acs:oss:*:174649585760xxxx:examplebucket"
            ]
        }
    ]
}

Example 5: Reject requests sent by users who do not use a specific VPC

If you want to allow access to a bucket only from a specific VPC, you can specify the acs:SourceVpc parameter as a condition and add a Deny statement to a bucket policy to reject requests from other VPCs or the Internet. Requests from other VPCs carry a VPC ID different from the specified one, so the StringNotEquals condition holds and the Deny statement is triggered. Requests from the Internet carry no VPC ID at all, so the condition also holds and the Deny statement is triggered. The following sample code provides an example on how to configure a bucket policy to reject requests to read objects in a bucket named examplebucket from users who do not use the t4nlw426y44rd3iq4xxxx VPC.

Important
  • In the following Deny statement, the Principal element is an asterisk (*) and a Condition element is specified, so the Deny statement applies to all users, including the bucket owner. If the bucket owner, who otherwise has full permissions on the bucket, reads objects in the bucket from another VPC, the request is rejected.

  • The Deny statement only denies access; it grants nothing. Principals that need to read the bucket must still be granted the permission separately, for example by an Allow statement in this bucket policy.

{
    "Version":"1",
    "Statement":[
        {
            "Effect":"Deny",
            "Action":[
                "oss:GetObject"
            ],
            "Principal":[
                "*"
            ],
            "Resource":[
                "acs:oss:*:174649585760xxxx:examplebucket/*"
            ],
            "Condition":{
                "StringNotEquals":{
                    "acs:SourceVpc":[
                        "vpc-t4nlw426y44rd3iq4xxxx"
                    ]
                }
            }
        }
    ]
}

Example 6: Reject requests sent by users who do not use a specific public IP address

If you want to allow access to a bucket only from a specific public IP address, you can specify the acs:SourceIp parameter as a condition and add a Deny statement to a bucket policy to reject requests from VPCs or other public IP addresses. Requests from other public IP addresses do not come from the specified address, so the NotIpAddress condition holds and the Deny statement is triggered. Requests from VPCs carry a source IP address that is not the specified public IP address, so the condition also holds and the Deny statement is triggered. The following sample code provides an example on how to configure a bucket policy to reject requests to read objects in a bucket named examplebucket from users who do not use the 203.0.113.5 public IP address.

Important
  • In the following Deny statement, the Principal element is an asterisk (*) and a Condition element is specified, so the Deny statement applies to all users, including the bucket owner. If the bucket owner, who otherwise has full permissions on the bucket, reads objects in the bucket from another public IP address, the request is rejected.

  • The Deny statement only denies access; it grants nothing. Principals that need to read the bucket must still be granted the permission separately, for example by an Allow statement in this bucket policy.

{
    "Version":"1",
    "Statement":[
        {
            "Effect":"Deny",
            "Action":[
                "oss:GetObject"
            ],
            "Principal":[
                "*"
            ],
            "Resource":[
                "acs:oss:*:174649585760xxxx:examplebucket/*"
            ],
            "Condition":{
                "NotIpAddress":{
                    "acs:SourceIp":[
                        "203.0.113.5"
                    ]
                }
            }
        }
    ]
}

Example 7: Reject requests sent by users who do not use a specific CIDR block of a VPC

If you want to allow access to a bucket only from a specific CIDR block of a VPC, you can add the following two Deny statements to a bucket policy:

  • Add a Deny statement with an acs:SourceVpc condition to reject requests from other VPCs or the Internet. Requests from other VPCs carry a different VPC ID and requests from the Internet carry no VPC ID, so in both cases the StringNotEquals condition holds and the Deny statement is triggered.

  • Add a second Deny statement with both acs:SourceVpc and acs:SourceIp conditions to reject requests that come from the specified VPC but from an IP address outside the specified CIDR block.

After you add the preceding two Deny statements to the bucket policy, the logical relationship between the two statements is OR. If one of the preceding conditions is met, the request is rejected. The following sample code provides an example on how to configure a bucket policy to reject requests to read objects in a bucket named examplebucket from users who do not use the 192.168.0.0/16 CIDR block of the t4nlw426y44rd3iq4xxxx VPC.

Important
  • In the following Deny statements, the Principal element is an asterisk (*) and a Condition element is specified, so the Deny statements apply to all users, including the bucket owner. If the bucket owner, who otherwise has full permissions on the bucket, reads objects in the bucket from another CIDR block of a VPC, the request is rejected.

  • The Deny statements only deny access; they grant nothing. Principals that need to read the bucket must still be granted the permission separately, for example by an Allow statement in this bucket policy.

{
    "Version":"1",
    "Statement":[
        {
            "Effect":"Deny",
            "Action":[
                "oss:GetObject"
            ],
            "Principal":[
                "*"
            ],
            "Resource":[
                "acs:oss:*:174649585760xxxx:examplebucket/*"
            ],
            "Condition":{
                "StringNotEquals":{
                    "acs:SourceVpc":[
                        "vpc-t4nlw426y44rd3iq4xxxx"
                    ]
                }
            }
        },
        {
            "Effect":"Deny",
            "Action":[
                "oss:GetObject"
            ],
            "Principal":[
                "*"
            ],
            "Resource":[
                "acs:oss:*:174649585760xxxx:examplebucket/*"
            ],
            "Condition":{
                "StringEquals":{
                    "acs:SourceVpc":[
                        "vpc-t4nlw426y44rd3iq4xxxx"
                    ]
                },
                "NotIpAddress":{
                    "acs:SourceIp":[
                        "192.168.0.0/16"
                    ]
                }
            }
        }
    ]
}

Example 8: Reject requests sent by users who do not use a specific public IP address or VPC

If you want to allow access to a bucket only from a specific public IP address or VPC, you can add the following two Deny statements to a bucket policy:

  • A Deny statement with a NotIpAddress condition on acs:SourceIp rejects requests from other public IP addresses. Requests from the VPC also carry a source IP address, so this statement alone would reject them too. To exempt the VPC, add a StringNotLike condition on acs:SourceVpc with the value vpc-* so that the statement matches only requests that carry no VPC ID.

  • A Deny statement with a StringNotEquals condition on acs:SourceVpc rejects requests from other VPCs. Requests from the public IP address carry no VPC ID and therefore also differ from the specified VPC ID, so this statement alone would reject them too. To exempt them, add a StringLike condition on acs:SourceVpc with the value vpc-* so that the statement matches only requests that carry a VPC ID.

After you add the preceding two Deny statements to the bucket policy, the logical relationship between the two statements is OR. If one of the preceding conditions is met, the request is rejected. The following sample code provides an example on how to configure a bucket policy to reject requests to read objects in a bucket named examplebucket from users who do not use the 203.0.113.5 public IP address or the t4nlw426y44rd3iq4xxxx VPC.

Important
  • In the following Deny statements, the Principal element is an asterisk (*) and a Condition element is specified, so the Deny statements apply to all users, including the bucket owner. If the bucket owner, who otherwise has full permissions on the bucket, reads objects in the bucket from another public IP address or another VPC, the request is rejected.

  • The Deny statements only deny access; they grant nothing. Principals that need to read the bucket must still be granted the permission separately, for example by an Allow statement in this bucket policy.

{
    "Version":"1",
    "Statement":[
        {
            "Effect":"Deny",
            "Action":[
                "oss:GetObject"
            ],
            "Principal":[
                "*"
            ],
            "Resource":[
                "acs:oss:*:174649585760xxxx:examplebucket/*"
            ],
            "Condition":{
                "StringNotLike":{
                    "acs:SourceVpc":[
                        "vpc-*"
                    ]
                },
                "NotIpAddress":{
                    "acs:SourceIp":[
                        "203.0.113.5"
                    ]
                }
            }
        },
        {
            "Effect":"Deny",
            "Action":[
                "oss:GetObject"
            ],
            "Principal":[
                "*"
            ],
            "Resource":[
                "acs:oss:*:174649585760xxxx:examplebucket/*"
            ],
            "Condition":{
                "StringLike":{
                    "acs:SourceVpc":[
                        "vpc-*"
                    ]
                },
                "StringNotEquals":{
                    "acs:SourceVpc":[
                        "vpc-t4nlw426y44rd3iq4xxxx"
                    ]
                }
            }
        }
    ]
}
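The following Python evaluator is an added example; it is not code from this page, from OSS, or from the SDK. It models the evaluation rules this page relies on, so that the policies in Examples 2, 3 and 5 through 8 can be checked offline against sample requests before they are applied: an explicit Deny wins over any Allow, two Deny statements combine as OR, a Principal of * reaches the bucket owner only when the statement has a Condition (the usage notes), and a negated operator such as StringNotEquals or NotIpAddress is satisfied by a request that does not carry the key at all, which is how Internet requests without acs:SourceVpc trip the VPC-only Deny. The bucket, UIDs, VPC ID and IP addresses are the masked placeholders from this page; the request shape and the "NoMatch" outcome (the bucket policy is silent, so the owner's full permissions or the caller's RAM policies decide) are the example's own modeling choices.

```python
import fnmatch
import ipaddress

# Operators that hold when the request does not carry the key at all. A request from the
# Internet has no acs:SourceVpc, so StringNotEquals on acs:SourceVpc holds for it (Example 5).
NEGATED_OPERATORS = {"StringNotEquals", "StringNotLike", "NotIpAddress"}


def _value_matches(operator, actual, expected):
    if operator in ("StringEquals", "StringNotEquals"):
        return actual == expected
    if operator in ("StringLike", "StringNotLike"):
        return fnmatch.fnmatchcase(actual, expected)  # "*" and "?" wildcards
    if operator in ("IpAddress", "NotIpAddress"):
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
    raise ValueError(f"unsupported condition operator: {operator}")


def condition_holds(condition, context):
    """Every operator/key pair must hold (AND); within one key, any listed value may match (OR)."""
    for operator, keys in condition.items():
        for key, expected_values in keys.items():
            if key not in context:
                if operator in NEGATED_OPERATORS:
                    continue
                return False
            hit = any(_value_matches(operator, context[key], v) for v in expected_values)
            if hit == (operator in NEGATED_OPERATORS):  # negated needs no hit, positive needs a hit
                return False
    return True


def statement_applies(statement, request):
    principals = statement["Principal"]
    if "*" in principals:
        # Usage notes on this page: "*" reaches the bucket owner only when a Condition is present.
        if request["is_owner"] and "Condition" not in statement:
            return False
    elif request["principal"] not in principals:
        return False
    if not any(fnmatch.fnmatchcase(request["action"], a) for a in statement["Action"]):
        return False
    if not any(fnmatch.fnmatchcase(request["resource"], r) for r in statement["Resource"]):
        return False
    return condition_holds(statement.get("Condition", {}), request["context"])


def evaluate(policy, request):
    """Return "Deny", "Allow" or "NoMatch". An explicit Deny overrides any Allow; NoMatch means the
    bucket policy is silent, so the owner keeps full permissions and others fall back to RAM policies."""
    effects = {s["Effect"] for s in policy["Statement"] if statement_applies(s, request)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "NoMatch"


def request(principal, action, resource, context=None, is_owner=False):
    return {"principal": principal, "action": action, "resource": resource,
            "context": context or {}, "is_owner": is_owner}


# Constructed fixtures: the Example 8 policy (allow one public IP or one VPC only) and a
# prefix-scoped oss:ListObjects statement in the shape of Example 2.
OWNER = "174649585760xxxx"
BUCKET = f"acs:oss:*:{OWNER}:examplebucket"
DENY_GET = {"Effect": "Deny", "Action": ["oss:GetObject"], "Principal": ["*"], "Resource": [BUCKET + "/*"]}
IP_OR_VPC_ONLY = {"Version": "1", "Statement": [
    dict(DENY_GET, Condition={"StringNotLike": {"acs:SourceVpc": ["vpc-*"]},
                              "NotIpAddress": {"acs:SourceIp": ["203.0.113.5"]}}),
    dict(DENY_GET, Condition={"StringLike": {"acs:SourceVpc": ["vpc-*"]},
                              "StringNotEquals": {"acs:SourceVpc": ["vpc-t4nlw426y44rd3iq4xxxx"]}}),
]}
PREFIX_LIST = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:ListObjects"], "Principal": ["20214760404935xxxx"],
     "Resource": [BUCKET], "Condition": {"StringLike": {"oss:Prefix": ["hangzhou/2020/*"]}}},
]}
GET = request("20214760404935xxxx", "oss:GetObject", f"acs:oss:cn-hangzhou:{OWNER}:examplebucket/report.csv")


def get_from(context, is_owner=False):
    """Evaluate a GetObject on examplebucket under the Example 8 policy from the given network context."""
    return evaluate(IP_OR_VPC_ONLY, dict(GET, context=context, is_owner=is_owner))


if __name__ == "__main__":
    print(get_from({"acs:SourceIp": "203.0.113.5"}))                   # NoMatch: the allowed public IP
    print(get_from({"acs:SourceIp": "198.51.100.7"}))                  # Deny: any other Internet address
    print(get_from({"acs:SourceVpc": "vpc-t4nlw426y44rd3iq4xxxx",
                    "acs:SourceIp": "10.0.0.5"}))                      # NoMatch: the allowed VPC
    print(get_from({"acs:SourceVpc": "vpc-0000000000000xxxx"}, is_owner=True))  # Deny: owner not exempt
```

Run the real policy JSON through evaluate with the requests you expect to be allowed and the ones you expect to be refused, and in particular with is_owner=True: a Deny with Principal * and a Condition locking the owner out of their own bucket from the office network is the mistake this page's usage notes warn about.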

References

  • For more information about the elements of a bucket policy, see Overview.

  • For more information about how to configure a bucket policy, see Bucket policies.

  • For more information about how to grant other users specific permissions to access OSS resources, see Authentication.