Resource Access Management (RAM) policies are authorization policies configured based on users. You can configure RAM policies to manage user access to your resources stored in Object Storage Service (OSS).

Background information

  • Syntax and structure of RAM policies

    A RAM policy contains a version number and a statement. Each statement contains the following elements: Effect, Action, Resource, and Condition. The Condition element is optional. For more information about the syntax and structure of RAM policies, see Policy structure and syntax.

    You can use the Version, Statement, and Effect elements in RAM policies for OSS in the same manner as in other RAM policies. For more information about how to use the Action, Resource, and Condition elements in RAM policies for OSS, see the sections of the same names below.

  • Common RAM policies for OSS
    • AliyunOSSFullAccess: grants a RAM user the permissions to manage OSS resources.
    • AliyunOSSReadOnlyAccess: grants a RAM user the read-only permissions on OSS resources.
  • Access control methods supported by OSS

    For more information about access control methods supported by OSS, see Overview.

Action element in RAM policies for OSS

RAM policies for OSS support service-related actions, bucket-related actions, and object-related actions.

  • Service-related actions
    API operation Action Description
    GetService (ListBuckets) oss:ListBuckets Lists all buckets owned by the requester.
  • Bucket-related actions
    API operation Action Description
    PutBucket oss:PutBucket Creates a bucket.
    GetBucket (ListObjects) oss:ListObjects Lists all objects in a bucket.
    GetBucketInfo oss:GetBucketInfo Queries the information about a bucket.
    GetBucketLocation oss:GetBucketLocation Queries the location information about a bucket.
    PutBucketVersioning oss:PutBucketVersioning Specifies the versioning status of a bucket.
    GetBucketVersioning oss:GetBucketVersioning Queries the versioning status of a bucket.
    GetBucketVersions(ListObjectVersions) oss:ListObjectVersions Lists the versions of all objects including delete markers in a bucket.
    PutBucketAcl oss:PutBucketAcl Configures or modifies the access control list (ACL) of a bucket.
    GetBucketAcl oss:GetBucketAcl Queries the ACL of a bucket.
    DeleteBucket oss:DeleteBucket Deletes a bucket.
    PutBucketLogging oss:PutBucketLogging Enables logging for a bucket.
    GetBucketLogging oss:GetBucketLogging Queries the logging configurations of a bucket.
    DeleteBucketLogging oss:DeleteBucketLogging Disables logging for a bucket.
    PutBucketWebsite oss:PutBucketWebsite Enables static website hosting for a bucket and configures redirection rules for the bucket.
    GetBucketWebsite oss:GetBucketWebsite Queries the static website hosting status of a bucket and the redirection rules configured for the bucket.
    DeleteBucketWebsite oss:DeleteBucketWebsite Disables static website hosting for a bucket and deletes the redirection rules configured for the bucket.
    PutBucketReferer oss:PutBucketReferer Configures hotlink protection for a bucket.
    GetBucketReferer oss:GetBucketReferer Queries the hotlink protection configurations of a bucket.
    PutBucketLifecycle oss:PutBucketLifecycle Configures lifecycle rules for a bucket.
    GetBucketLifecycle oss:GetBucketLifecycle Queries the lifecycle rules configured for a bucket.
    DeleteBucketLifecycle oss:DeleteBucketLifecycle Deletes the lifecycle rules configured for a bucket.
    ListMultipartUploads oss:ListMultipartUploads Lists all ongoing multipart upload tasks, that is, tasks that have been initiated but not yet completed or canceled.
    PutBucketCors oss:PutBucketCors Configures cross-origin resource sharing (CORS) rules for a bucket.
    GetBucketCors oss:GetBucketCors Queries the CORS rules configured for a bucket.
    DeleteBucketCors oss:DeleteBucketCors Disables the CORS feature and deletes all CORS rules configured for a bucket.
    PutBucketPolicy oss:PutBucketPolicy Configures policies for a bucket.
    GetBucketPolicy oss:GetBucketPolicy Queries the policies configured for a bucket.
    DeleteBucketPolicy oss:DeleteBucketPolicy Deletes the policies configured for a bucket.
    PutBucketTags oss:PutBucketTagging Adds tags to or modifies the tags of a bucket.
    GetBucketTags oss:GetBucketTagging Queries the tags of a bucket.
    DeleteBucketTags oss:DeleteBucketTagging Deletes the tags of a bucket.
    PutBucketEncryption oss:PutBucketEncryption Configures encryption rules for a bucket.
    GetBucketEncryption oss:GetBucketEncryption Queries the encryption rules of a bucket.
    DeleteBucketEncryption oss:DeleteBucketEncryption Deletes the encryption rules configured for a bucket.
    PutBucketRequestPayment oss:PutBucketRequestPayment Configures the pay-by-requester mode for a bucket.
    GetBucketRequestPayment oss:GetBucketRequestPayment Queries the pay-by-requester configurations of a bucket.
    PutBucketReplication oss:PutBucketReplication Configures data replication rules for a bucket.
    GetBucketReplication oss:GetBucketReplication Queries the data replication rules configured for a bucket.
    DeleteBucketReplication oss:DeleteBucketReplication Stops the data replication tasks of a bucket and deletes the data replication configurations of the bucket.
    GetBucketReplicationLocation oss:GetBucketReplicationLocation Queries the regions in which the destination bucket can be located.
    GetBucketReplicationProgress oss:GetBucketReplicationProgress Queries the data replication progress of a bucket.
    PutBucketInventory oss:PutBucketInventory Configures bucket inventories for a bucket.
    GetBucketInventory oss:GetBucketInventory Queries the specified inventories configured for a bucket.
    ListBucketInventory oss:GetBucketInventory Queries all the inventories configured for a bucket.
    DeleteBucketInventory oss:DeleteBucketInventory Deletes a specified inventory configured for a bucket.
    PutStyle oss:PutStyle Configures image styles.
    GetStyle oss:GetStyle Queries image styles.
    ListStyle oss:ListStyle Lists image styles.
    DeleteStyle oss:DeleteStyle Deletes image styles.
  • Object-related actions
    API operation Action Description
    PutObject oss:PutObject Uploads an object.
    PostObject oss:PutObject Uploads an object to a specified bucket by using HTML form upload.
    AppendObject oss:PutObject Uploads an object by appending the content of the object to an existing object.
    InitiateMultipartUpload oss:PutObject Initiates a multipart upload task.
    UploadPart oss:PutObject Uploads an object by part based on the specified object name and the upload ID.
    CompleteMultipartUpload oss:PutObject Completes a multipart upload task.
    AbortMultipartUpload oss:AbortMultipartUpload Cancels a multipart upload task and deletes uploaded parts.
    PutSymlink oss:PutObject Creates a symbolic link for an object.
    GetObject oss:GetObject Queries an object.
    HeadObject oss:GetObject Queries the metadata of an object.
    GetObjectMeta oss:GetObject Queries the metadata of an object, including the ETag, the object size, and the last modified time.
    SelectObject oss:GetObject Executes SQL statements on an object. After the SQL statements are executed, execution results are returned.
    GetSymlink oss:GetObject Queries the symbolic link of an object.
    DeleteObject oss:DeleteObject Deletes an object.
    DeleteMultipleObjects oss:DeleteObject Deletes multiple objects from a bucket.
    CopyObject oss:GetObject,oss:PutObject Copies objects within the same bucket or across buckets in the same region.
    UploadPartCopy oss:GetObject,oss:PutObject Copies data from an existing object to upload a part. UploadPartCopy is called by adding the x-oss-copy-source request header to an UploadPart request.
    ListParts oss:ListParts Lists all parts that are uploaded by using a specified upload ID.
    PutObjectACL oss:PutObjectAcl Modifies the ACL of an object in a bucket.
    GetObjectACL oss:GetObjectAcl Queries the ACL of an object in a bucket.
    RestoreObject oss:RestoreObject Restores an object of the Archive or Cold Archive storage class.
    PutObjectTagging oss:PutObjectTagging Adds tags to or modifies the tags of an object.
    GetObjectTagging oss:GetObjectTagging Queries the tags of an object.
    DeleteObjectTagging oss:DeleteObjectTagging Deletes the tags of an object.
    GetObject (Specify the version ID of an object in the request) oss:GetObjectVersion Downloads a specified version of an object.
    PutObjectACL (Specify the version ID of an object in the request) oss:PutObjectAcl Modifies the ACL of a specified version of an object.
    GetObjectACL (Specify the version ID of an object in the request) oss:GetObjectVersionAcl Queries the ACL of a specified version of an object in a bucket.
    RestoreObject (Specify the version ID of an object in the request) oss:RestoreObjectVersion Restores a specified version of an object of the Archive or Cold Archive storage class.
    DeleteObject (Specify the version ID of an object in the request) oss:DeleteObjectVersion Deletes a specified version of an object.
    PutObjectTagging (Specify the version ID of an object in the request) oss:PutObjectVersionTagging Adds tags to or modifies the tags of a specified version of an object.
    GetObjectTagging (Specify the version ID of an object in the request) oss:GetObjectVersionTagging Queries the tags of a specified version of an object.
    DeleteObjectTagging (Specify the version ID of an object in the request) oss:DeleteObjectVersionTagging Deletes the tags of a specified version of an object.
    PutLiveChannel oss:PutLiveChannel Creates a LiveChannel before you upload audio and video data by using the RTMP protocol.
    ListLiveChannel oss:ListLiveChannel Lists specified LiveChannels.
    DeleteLiveChannel oss:DeleteLiveChannel Deletes a specified LiveChannel.
    PutLiveChannelStatus oss:PutLiveChannelStatus Switches the status of a specified LiveChannel between enabled and disabled.
    GetLiveChannelInfo oss:GetLiveChannel Queries the configurations of a specified LiveChannel.
    GetLiveChannelStat oss:GetLiveChannelStat Queries the ingestion status of a specified LiveChannel.
    GetLiveChannelHistory oss:GetLiveChannelHistory Queries the ingestion records of a specified LiveChannel.
    PostVodPlaylist oss:PostVodPlaylist Generates a VOD playlist for a specified LiveChannel.
    GetVodPlaylist oss:GetVodPlaylist Queries the playlist that is generated by the streams ingested to the specified LiveChannel within the specified time range.
    ImgSaveAs oss:PostProcessTask Saves processed images to a specified bucket.

Resource element in RAM policies for OSS

In RAM policies for OSS, the Resource element indicates one or more specific resources. This element supports the asterisk (*) wildcard character. A RAM policy can contain multiple Resource elements.

The Resource element is specified in the following format: acs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name}.

When you specify the Resource element in a RAM policy for a bucket, you do not need to add a forward slash (/) or {object_name} after {bucket_name}. In this case, you can specify the Resource element in the following format: acs:oss:{region}:{bucket_owner}:{bucket_name}. The region field can be set only to the asterisk (*) wildcard character.

Condition element in RAM policies for OSS

In RAM policies for OSS, the Condition element indicates the conditions for the RAM policies. The following table describes the conditions supported by OSS.

Condition Description
acs:SourceIp The CIDR block from which the requests originate. This condition supports the asterisk (*) wildcard character.
acs:UserAgent The User-Agent header in the HTTP request. Type: string.
acs:CurrentTime The time when the request arrives at the OSS server. Standard: ISO 8601.
acs:SecureTransport The protocol of the request. If the protocol of the request is HTTP, set the value to HTTP. If the protocol of the request is HTTPS, set the value to HTTPS.
oss:Prefix The prefix of the names of the objects that you want to list by calling the ListObjects operation.
oss:Delimiter The character that is used to group the names of objects that you want to list by calling the ListObjects operation.
acs:AccessId The AccessKey ID included in the request.
oss:BucketTag The tag of the bucket. A single bucket tag can be used as a condition. To configure multiple bucket tags as multiple conditions, you must add oss:BucketTag/ before each bucket tag.
acs:MFAPresent Specifies whether multi-factor authentication (MFA) is enabled. Valid values: true (MFA is enabled) and false (MFA is disabled).
oss:ExistingObjectTag Specifies that the requested object has tags. A single object tag can be used as a condition. To configure multiple object tags as multiple conditions, you must add oss:ExistingObjectTag/ before each object tag. This condition applies to operations that are called to read objects, such as GetObject and HeadObject, and operations related to object tags, such as PutObjectTagging and GetObjectTagging.
oss:RequestObjectTag The object tags included in the request. A single object tag can be used as a condition. To configure multiple object tags as multiple conditions, you must add oss:RequestObjectTag/ before each object tag. This condition applies to operations that are called to write objects, such as PutObject and PostObject, and operations related to object tags, such as PutObjectTagging and GetObjectTagging.
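The following Python snippet is an added example, not part of this page or of Alibaba Cloud's own tooling. It puts the Resource format and the Condition keys described above to work: a constructed least-privilege read-only policy for one bucket (the bucket name examplebucket and the reports/ prefix are assumptions), plus a small linter that checks the Resource strings against the acs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name} format with region fixed to *, and flags oss:Prefix or oss:Delimiter used with actions other than oss:ListObjects.

```python
# Constructed example (not from the page): a least-privilege read-only policy for one
# bucket, limited to the "reports/" prefix and to HTTPS requests. StringEquals and
# StringLike are standard RAM condition operators.
READ_REPORTS_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:ListObjects", "oss:GetObject"],
        "Resource": ["acs:oss:*:*:examplebucket",            # bucket-level (no object part)
                     "acs:oss:*:*:examplebucket/reports/*"],  # object-level
        "Condition": {
            "StringEquals": {"acs:SecureTransport": "HTTPS"},
            "StringLike": {"oss:Prefix": "reports/*"},
        },
    }],
}

# Per the condition table, oss:Prefix and oss:Delimiter apply only to ListObjects.
LIST_ONLY_CONDITIONS = {"oss:Prefix", "oss:Delimiter"}

def _as_list(value):
    """RAM allows a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def lint_oss_policy(policy):
    """Return findings for an OSS RAM policy; an empty list means nothing was flagged.
    Resources must match acs:oss:{region}:{bucket_owner}:{bucket_name}[/{object_name}], region '*'."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if "oss:*" in actions:
            findings.append(f"statement {i}: Action 'oss:*' grants every OSS action")
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append(f"statement {i}: Resource '*' covers every bucket and object")
                continue
            parts = res.split(":", 4)  # at most 4 splits so ':' inside object names survives
            if len(parts) != 5 or parts[:2] != ["acs", "oss"]:
                findings.append(f"statement {i}: '{res}' is not an acs:oss:... resource")
                continue
            region, path = parts[2], parts[4]
            if region != "*":
                findings.append(f"statement {i}: region must be '*', got '{region}'")
            if path.split("/", 1)[0] in ("", "*"):
                findings.append(f"statement {i}: '{res}' does not name a specific bucket")
        used = {key for operator in stmt.get("Condition", {}).values() for key in operator}
        if used & LIST_ONLY_CONDITIONS and "oss:ListObjects" not in actions:
            findings.append(f"statement {i}: oss:Prefix/oss:Delimiter only apply to oss:ListObjects")
    return findings
```

Running lint_oss_policy on READ_REPORTS_POLICY returns an empty list; running it on a statement with a concrete region, a wildcard bucket or an oss:Prefix condition attached to oss:GetObject returns one finding per problem.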

Examples

You can use RAM policies to grant permissions to users in different scenarios. For more information, see Common examples of RAM policies.