This topic describes how to manage the access control list (ACL) of an object.

ACL types

The following table describes the ACLs that you can configure for an object.

ACL Description Value
Inherited from the bucket The ACL of the object is the same as the ACL of the bucket in which the object is stored. oss.ACLDefault
Private Only the object owner and authorized users are granted the read and write permissions on the object. oss.ACLPrivate
Public read Only the object owner and authorized users are granted the read and write permissions on the object. Other users are granted only the read permissions on the object. Exercise caution when you set the ACL of the object to this value. oss.ACLPublicRead
Public read/write All users are granted the read and write permissions on the object. Exercise caution when you set the ACL of the object to this value. oss.PublicReadWrite

The ACL of an object takes precedence over the ACL of the bucket in which the object is stored. For example, if the ACL of a bucket is private and the ACL of an object that is stored in the bucket is public read/write, all users are granted the read and write permissions on the object. If the ACL of an object is not configured, the ACL of the object is the same as the ACL of the bucket in which the object is stored.

Sample code

The following code provides an example on how to configure and query the ACL of an object:

package main

import (
    "fmt"
    "os"
    "github.com/aliyun/aliyun-oss-go-sdk/oss"
)

func main() {
    // Create an OSSClient instance. 
    // Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. Specify your actual endpoint. 
    // The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using these credentials to perform operations in OSS is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. To create a RAM user, log on to the RAM console. 
    client, err := oss.New("yourEndpoint", "yourAccessKeyId", "yourAccessKeySecret")
    if err != nil {
        fmt.Println("Error:", err)
        os.Exit(-1)
    }

    // Specify the name of the bucket. 
    bucket, err := client.Bucket("yourBucketName")
    if err != nil {
        fmt.Println("Error:", err)
        os.Exit(-1)
    }

    // Configure the ACL of the object. 
    // Set yourObjectName to the full path of the object. The full path cannot contain the bucket name. 
    err = bucket.SetObjectACL("yourObjectName", oss.ACLPublicReadWrite)
    if err != nil {
        fmt.Println("Error:", err)
        os.Exit(-1)
    }

    // Query the ACL of the object. 
    aclRes, err := bucket.GetObjectACL("yourObjectName")
    if err != nil {
        fmt.Println("Error:", err)
        os.Exit(-1)
    }
    fmt.Println("Object ACL:", aclRes.ACL)
}

References

  • For the complete sample code that is used to manage the ACL of an object, visit GitHub.
  • For more information about the API operation that you can call to configure the ACL of an object, see PutObjectACL.
  • For more information about the API operation that you can call to query the ACL of an object, see GetObjectACL.