Resource Access Management (RAM) policies are user-based authorization policies. You can configure RAM policies to manage user access to your resources in Object Storage Service (OSS).
Background information
Syntax and structure of RAM policies
A RAM policy contains a version number and a statement. Each statement contains the following elements: Effect, Action, Resource, and Condition. The Condition element is optional. For more information about the syntax and structure of RAM policies, see Policy syntax and structure.
You can use the Version element, Statement element, and Effect element in RAM policies for OSS in the same manner as you use the elements in policies for RAM. For more information about how to use the Action element, Resource element, and Condition element in RAM policies for OSS, see the following sections:
Common RAM policies for OSS
AliyunOSSFullAccess: grants a RAM user the permissions to manage OSS resources.
AliyunOSSReadOnlyAccess: grants a RAM user the read-only permissions on OSS resources.
Access control
For more information about access control methods supported by OSS, see Overview.
Action element in RAM policies for OSS
RAM policies for OSS support service-level actions, bucket-level actions, and object-level actions.
Service-level actions
| API | Action | Description |
| --- | --- | --- |
|  | oss:ListBuckets | Lists all buckets owned by the requester. |
Bucket-level actions
| API | Action | Description |
| --- | --- | --- |
|  | oss:PutBucket | Creates a bucket. |
|  | oss:ListObjects | Lists all objects in a bucket. |
|  | oss:GetBucketInfo | Queries information about a bucket. |
|  | oss:GetBucketLocation | Queries the location information about a bucket. |
|  | oss:PutBucketVersioning | Specifies the versioning status of a bucket. |
|  | oss:GetBucketVersioning | Queries the versioning status of a bucket. |
|  | oss:ListObjectVersions | Lists the versions of all objects, including delete markers, in a bucket. |
|  | oss:PutBucketAcl | Configures or modifies the access control list (ACL) of a bucket. |
|  | oss:GetBucketAcl | Obtains the ACL of a bucket. |
|  | oss:DeleteBucket | Deletes a bucket. |
|  | oss:InitiateBucketWorm | Creates a retention policy. |
|  | oss:AbortBucketWorm | Deletes an unlocked retention policy. |
|  | oss:CompleteBucketWorm | Locks a retention policy. |
|  | oss:ExtendBucketWorm | Extends the retention period (days) of objects in a bucket for which a retention policy is locked. |
|  | oss:GetBucketWorm | Queries the retention policy of a bucket. |
|  | oss:PutBucketLogging | Enables logging for a bucket. |
|  | oss:GetBucketLogging | Queries the logging configurations of a bucket. |
|  | oss:DeleteBucketLogging | Disables logging for a bucket. |
|  | oss:PutBucketWebsite | Enables static website hosting for a bucket and configures redirection rules for the bucket. |
|  | oss:GetBucketWebsite | Queries the static website hosting status of a bucket and the redirection rules configured for the bucket. |
|  | oss:DeleteBucketWebsite | Disables static website hosting for a bucket and deletes the redirection rules configured for the bucket. |
|  | oss:PutBucketReferer | Configures hotlink protection for a bucket. |
|  | oss:GetBucketReferer | Queries the hotlink protection configurations of a bucket. |
|  | oss:PutBucketLifecycle | Configures lifecycle rules for a bucket. |
|  | oss:GetBucketLifecycle | Queries the lifecycle rules that are configured for a bucket. |
|  | oss:DeleteBucketLifecycle | Deletes the lifecycle rules configured for a bucket. |
|  | oss:PutBucketTransferAcceleration | Configures transfer acceleration for a bucket. |
|  | oss:GetBucketTransferAcceleration | Queries the transfer acceleration configurations of a bucket. |
|  | oss:ListMultipartUploads | Lists all ongoing multipart upload tasks, which include tasks that have been initiated but are not completed or canceled. |
|  | oss:PutBucketCors | Configures cross-origin resource sharing (CORS) rules for a bucket. |
|  | oss:GetBucketCors | Queries the CORS rules configured for a bucket. |
|  | oss:DeleteBucketCors | Disables the CORS feature and deletes all CORS rules configured for a bucket. |
|  | oss:PutBucketPolicy | Configures the bucket policies for a bucket. |
|  | oss:GetBucketPolicy | Queries the policies of a bucket. |
|  | oss:DeleteBucketPolicy | Deletes the policies of a bucket. |
|  | oss:PutBucketTagging | Adds tags to or modifies the tags of a bucket. |
|  | oss:GetBucketTagging | Queries the tags of a bucket. |
|  | oss:DeleteBucketTagging | Deletes the tags of a bucket. |
|  | oss:PutBucketEncryption | Configures encryption rules for a bucket. |
|  | oss:GetBucketEncryption | Queries the encryption rules of a bucket. |
|  | oss:DeleteBucketEncryption | Deletes the encryption rules configured for a bucket. |
|  | oss:PutBucketRequestPayment | Configures the pay-by-requester mode for a bucket. |
|  | oss:GetBucketRequestPayment | Queries the pay-by-requester configurations of a bucket. |
|  | oss:PutBucketReplication | Configures a data replication rule for a bucket. |
|  | oss:PutBucketRTC | Enables or disables the Replication Time Control (RTC) feature for existing cross-region replication (CRR) rules. |
|  | oss:GetBucketReplication | Queries the data replication rules of a bucket. |
|  | oss:DeleteBucketReplication | Stops the data replication tasks of a bucket and deletes the data replication configurations of the bucket. |
|  | oss:GetBucketReplicationLocation | Queries the regions in which the destination bucket can be located. |
|  | oss:GetBucketReplicationProgress | Queries the data replication progress of a bucket. |
|  | oss:PutBucketInventory | Configures inventories for a bucket. |
|  | oss:GetBucketInventory | Queries the specified inventories configured for a bucket. |
|  | oss:GetBucketInventory | Queries all inventories of a bucket. |
|  | oss:DeleteBucketInventory | Deletes an inventory of a bucket. |
|  | oss:PutBucketAccessMonitor | Configures the access tracking status of a bucket. |
|  | oss:GetBucketAccessMonitor | Queries the access tracking status of a bucket. |
|  | oss:OpenMetaQuery | Enables the metadata management feature for a bucket. |
|  | oss:GetMetaQueryStatus | Queries the metadata index library of a bucket. |
|  | oss:DoMetaQuery | Queries objects that meet specified conditions and lists the object information based on the specified fields and sorting methods. |
|  | oss:CloseMetaQuery | Disables the metadata management feature for a bucket. |
|  | oss:InitUserAntiDDosInfo | Creates Anti-DDoS Pro or Anti-DDoS Premium instances. |
|  | oss:UpdateUserAntiDDosInfo | Changes the status of an Anti-DDoS Pro or Anti-DDoS Premium instance. |
|  | oss:GetUserAntiDDosInfo | Queries information about Anti-DDoS Pro or Anti-DDoS Premium instances that belong to a specific Alibaba Cloud account. |
|  | oss:InitBucketAntiDDosInfo | Initializes Anti-DDoS Pro or Anti-DDoS Premium instances for a bucket. |
|  | oss:UpdateBucketAntiDDosInfo | Updates the status of Anti-DDoS Pro or Anti-DDoS Premium instances of a bucket. |
|  | oss:ListBucketAntiDDosInfo | Queries the protection list of an Anti-DDoS Pro or Anti-DDoS Premium instance of a bucket. |
|  | oss:PutBucketResourceGroup | Configures the resource group to which a bucket belongs. |
|  | oss:GetBucketResourceGroup | Queries the ID of the resource group to which a bucket belongs. |
|  | oss:CreateCnameToken | Creates a CNAME token used to verify the ownership of a domain name. |
|  | oss:GetCnameToken | Queries the created CNAME tokens. |
|  | oss:PutCname | Maps a custom domain name to a bucket. |
|  | oss:ListCname | Queries all custom domain names that are mapped to a bucket. |
|  | oss:DeleteCname | Deletes a CNAME record that maps a custom domain name to a bucket. |
|  | oss:PutStyle | Configures image styles. |
|  | oss:GetStyle | Queries image styles. |
|  | oss:ListStyle | Lists image styles. |
|  | oss:DeleteStyle | Deletes image styles. |
Object-level actions
| API | Action | Description |
| --- | --- | --- |
|  | oss:PutObject | Uploads an object. |
|  | oss:PutObject | Uploads an object to a specified bucket by using HTML form upload. |
|  | oss:PutObject | Uploads an object by appending the content of the object to an existing object. |
|  | oss:PutObject | Initiates a multipart upload task. |
|  | oss:PutObject | Uploads an object by part based on the specified object name and the upload ID. |
|  | oss:PutObject | Completes a multipart upload task. |
|  | oss:AbortMultipartUpload | Cancels a multipart upload task and deletes the uploaded parts. |
|  | oss:PutObject | Creates a symbolic link for an object. |
|  | oss:GetObject | Queries an object. |
|  | oss:GetObject | Queries the metadata of an object. |
|  | oss:GetObject | Queries the metadata of an object, including the ETag, the object size, and the last modification time. |
|  | oss:GetObject | Executes SQL statements on an object. After the SQL statements are executed, execution results are returned. |
|  | oss:GetObject | Queries the symbolic link of an object. |
|  | oss:DeleteObject | Deletes an object. |
|  | oss:DeleteObject | Deletes multiple objects from a bucket. |
|  | oss:GetObject, oss:PutObject | Copies objects to the same bucket or to a different bucket in the same region. |
|  | oss:GetObject, oss:PutObject | Copies data from an existing object to upload a part by adding the x-oss-copy-source request header to an UploadPart request to call UploadPartCopy. |
|  | oss:ListParts | Lists all parts that are uploaded by using a specified upload ID. |
|  | oss:PutObjectAcl | Modifies the ACL of an object in a bucket. |
|  | oss:GetObjectAcl | Queries the ACL of an object in a bucket. |
|  | oss:RestoreObject | Restores an Archive or a Cold Archive object. |
|  | oss:PutObjectTagging | Adds tags to or modifies the tags of an object. |
|  | oss:GetObjectTagging | Queries the tags of an object. |
|  | oss:DeleteObjectTagging | Deletes the tags of an object. |
| GetObject (with versionId specified in the request) | oss:GetObjectVersion | Downloads a specified version of an object. |
| PutObjectACL (with versionId specified in the request) | oss:PutObjectVersionAcl | Modifies the ACL of a specified version of an object. |
| GetObjectACL (with versionId specified in the request) | oss:GetObjectVersionAcl | Queries the ACL of a specified version of an object in a bucket. |
| RestoreObject (with versionId specified in the request) | oss:RestoreObjectVersion | Restores a specified version of an Archive or a Cold Archive object. |
| DeleteObject (with versionId specified in the request) | oss:DeleteObjectVersion | Deletes a specified version of an object. |
| PutObjectTagging (with versionId specified in the request) | oss:PutObjectVersionTagging | Adds tags to or modifies the tags of a specified version of an object. |
| GetObjectTagging (with versionId specified in the request) | oss:GetObjectVersionTagging | Queries the tags of a specified version of an object. |
| DeleteObjectTagging (with versionId specified in the request) | oss:DeleteObjectVersionTagging | Deletes the tags of a specified version of an object. |
|  | oss:PutLiveChannel | Creates a LiveChannel. You must call this operation before you upload audio and video data by using the Real-Time Messaging Protocol (RTMP). |
|  | oss:ListLiveChannel | Lists specified LiveChannels. |
|  | oss:DeleteLiveChannel | Deletes a specified LiveChannel. |
|  | oss:PutLiveChannelStatus | Switches the status of a specified LiveChannel between enabled and disabled. |
|  | oss:GetLiveChannel | Queries the configurations of a specified LiveChannel. |
|  | oss:GetLiveChannelStat | Queries the stream ingest status of a specified LiveChannel. |
|  | oss:GetLiveChannelHistory | Queries the stream ingest records of a specified LiveChannel. |
|  | oss:PostVodPlaylist | Generates a VOD playlist for a specified LiveChannel. |
|  | oss:GetVodPlaylist | Queries the playlist that is generated by the streams ingested to a specified LiveChannel within a specified time range. |
|  | oss:PostProcessTask | Saves processed images to a specified bucket. |
Resource element in RAM policies for OSS
In RAM policies for OSS, the Resource element indicates one or more specific resources. This element supports the asterisk (*) wildcard character. A RAM policy can contain multiple Resource elements.
| Category | Format | Example |
| --- | --- | --- |
| Bucket-level resource |  |  |
| Object-level resource |  |  |

The region field can be set only to the asterisk (*) wildcard character.
Condition element in RAM policies for OSS
The Condition element specifies the conditions that are required for a policy to take effect. Each Condition element consists of conditional operators, condition keys, and condition values. For more information, see the "Condition" section of the Policy elements topic.
The following tables describe the conditional operator types and condition keys.
Condition types
| Category | Conditional operator |
| --- | --- |
| String | StringEquals, StringNotEquals, StringEqualsIgnoreCase, StringNotEqualsIgnoreCase, StringLike, StringNotLike |
| Number | NumericEquals, NumericNotEquals, NumericLessThan, NumericLessThanEquals, NumericGreaterThan, NumericGreaterThanEquals |
| Date and time | DateEquals, DateNotEquals, DateLessThan, DateLessThanEquals, DateGreaterThan, DateGreaterThanEquals |
| Boolean | Bool |
| IP address | IpAddress, NotIpAddress |
Condition keys
| Condition | Description |
| --- | --- |
| acs:SourceIp | The CIDR block from which the requests are sent. This condition supports the asterisk (*) wildcard character. |
| acs:UserAgent | The User-Agent header in the HTTP request. Type: string. |
| acs:CurrentTime | The point in time when the request is received by the OSS server. Standard: ISO 8601. |
| acs:SecureTransport | The protocol of the request. Valid values: true (only HTTPS requests are allowed) and false (only HTTP requests are allowed). If the acs:SecureTransport condition is not specified, both HTTPS and HTTP requests are allowed. |
| oss:Prefix | The prefix of the names of the objects that you want to list by calling the ListObjects operation. |
| oss:Delimiter | The character that is used to group the names of objects that you want to list by calling the ListObjects operation. |
| acs:AccessId | The AccessKey ID included in the request. |
| oss:BucketTag | The tag of the bucket. A single bucket tag can be used as a condition. To configure multiple BucketTags as multiple conditions, you must add oss:BucketTag/ before each BucketTag. |
| acs:MFAPresent | Specifies whether multi-factor authentication (MFA) is enabled. Valid values: true and false. |
| oss:ExistingObjectTag | Specifies that the requested object has tags. A single object tag can be used as a condition. To configure multiple ObjectTags as multiple conditions, you must add oss:ExistingObjectTag/ before each ObjectTag. This condition applies to operations that read objects, such as GetObject and HeadObject, and to object tag-related operations, such as PutObjectTagging and GetObjectTagging. |
| oss:RequestObjectTag | The object tags included in the request. A single object tag can be used as a condition. To configure multiple ObjectTags as multiple conditions, you must add oss:RequestObjectTag/ before each ObjectTag. This condition applies to operations that write objects, such as PutObject and PostObject, and to object tag-related operations, such as PutObjectTagging and GetObjectTagging. |
Examples
You can use RAM policies to grant permissions to users in different scenarios. For more information, see Common examples of RAM policies.
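The Action, Resource and Condition sections above describe the elements one at a time; the following program shows how they combine in one policy document. It is an added example, not code from the OSS documentation or from Alibaba Cloud: it builds a constructed least-privilege policy for an upload role next to a constructed wildcard policy, then runs sample requests through a deliberately simplified evaluator. The acs:oss:*:*:bucket/object resource format (not shown on this page), the "an applicable explicit Deny wins, otherwise an applicable Allow grants, otherwise deny by default" evaluation order, the account ID, the IP ranges and the object names are all assumptions made for illustration; the action names, operator names and condition keys are the ones listed in the tables on this page.

```python
"""Added example (not code from the OSS documentation): a small evaluator for RAM-style policy
documents showing how Effect, Action, Resource and Condition combine. Assumed evaluation order
(illustration only): an applicable explicit Deny wins, else any applicable Allow, else Deny."""
import fnmatch
import ipaddress
import operator
from datetime import datetime

# Constructed least-privilege policy for an "uploader" role. Resource strings use OSS's
# documented acs:oss:<region>:<account>:<bucket>[/<object>] form (an assumption: the format
# is not shown on this page); the region and account fields are left as the * wildcard.
UPLOADER_POLICY = {"Version": "1", "Statement": [
    {   # may list the bucket, but only under the uploads/ prefix
        "Effect": "Allow", "Action": "oss:ListObjects",
        "Resource": "acs:oss:*:*:examplebucket",
        "Condition": {"StringLike": {"oss:Prefix": "uploads/*"}}},
    {   # may read and write under uploads/, only over HTTPS and only from the office
        # network (203.0.113.0/24 is a constructed documentation range)
        "Effect": "Allow", "Action": ["oss:PutObject", "oss:GetObject"],
        "Resource": "acs:oss:*:*:examplebucket/uploads/*",
        "Condition": {"Bool": {"acs:SecureTransport": "true"},
                      "IpAddress": {"acs:SourceIp": "203.0.113.0/24"}}},
    {   # explicit Deny, so that no other attached policy can re-grant deletion or ACL changes
        "Effect": "Deny", "Action": ["oss:DeleteObject", "oss:PutBucketAcl", "oss:PutObjectAcl"],
        "Resource": ["acs:oss:*:*:examplebucket", "acs:oss:*:*:examplebucket/*"]},
]}
# Constructed wildcard policy, kept only to contrast with the scoped one above.
WILDCARD_POLICY = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "oss:*", "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _date(text):  # ISO 8601, as the page specifies for acs:CurrentTime; a trailing "Z" means UTC
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

# One comparison per conditional operator in the page's table; Numeric* and Date* share the
# five comparisons in _CMP. Negated operators (NEGATED) require that no listed value match.
_CMP = {"Equals": operator.eq, "LessThan": operator.lt, "LessThanEquals": operator.le,
        "GreaterThan": operator.gt, "GreaterThanEquals": operator.ge}
OPERATORS = {
    "StringEquals": lambda a, e: a == e,
    "StringEqualsIgnoreCase": lambda a, e: a.lower() == e.lower(),
    "StringLike": lambda a, e: fnmatch.fnmatchcase(a, e),
    "Bool": lambda a, e: a.lower() == e.lower(),
    "IpAddress": lambda a, e: ipaddress.ip_address(a) in ipaddress.ip_network(e, strict=False),
    **{"Numeric" + n: (lambda f: lambda a, e: f(float(a), float(e)))(f) for n, f in _CMP.items()},
    **{"Date" + n: (lambda f: lambda a, e: f(_date(a), _date(e)))(f) for n, f in _CMP.items()},
}
NEGATED = {"StringNotEquals": "StringEquals", "StringNotEqualsIgnoreCase": "StringEqualsIgnoreCase",
           "StringNotLike": "StringLike", "NumericNotEquals": "NumericEquals",
           "DateNotEquals": "DateEquals", "NotIpAddress": "IpAddress"}

def condition_holds(operator_name, key, expected, context):
    """True if the request context satisfies one operator/key/values entry."""
    actual = context.get(key)
    if actual is None:
        return False  # assumption: a key absent from the request never satisfies a condition
    compare = OPERATORS[NEGATED.get(operator_name, operator_name)]
    matched = any(compare(str(actual), str(e)) for e in _as_list(expected))
    return not matched if operator_name in NEGATED else matched

def statement_applies(stmt, request):
    """A statement applies when Action, Resource and every Condition entry match."""
    if not any(fnmatch.fnmatchcase(request["action"], p) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(request["resource"], p) for p in _as_list(stmt["Resource"])):
        return False
    return all(condition_holds(name, key, exp, request.get("context", {}))
               for name, keys in stmt.get("Condition", {}).items() for key, exp in keys.items())

def evaluate(policy, request):
    """Return "Allow" or "Deny" for one request under one policy document."""
    effects = {s["Effect"] for s in policy["Statement"] if statement_applies(s, request)}
    if "Deny" in effects:
        return "Deny"  # an applicable explicit Deny overrides any Allow
    return "Allow" if "Allow" in effects else "Deny"  # nothing applicable: default Deny

def granted_actions(policy, actions, resource, context):
    """The subset of actions the policy allows on one resource in one request context."""
    return [a for a in actions
            if evaluate(policy, {"action": a, "resource": resource, "context": context}) == "Allow"]

# Constructed requests: cn-hangzhou is a real region id; the account id and addresses are made up.
BUCKET = "acs:oss:cn-hangzhou:123456789012:examplebucket"
OFFICE_HTTPS = {"acs:SecureTransport": "true", "acs:SourceIp": "203.0.113.10"}
SAMPLE_REQUESTS = {
    "upload_in_prefix": {"action": "oss:PutObject", "resource": BUCKET + "/uploads/a.csv", "context": OFFICE_HTTPS},
    "upload_plain_http": {"action": "oss:PutObject", "resource": BUCKET + "/uploads/a.csv",
                          "context": {"acs:SecureTransport": "false", "acs:SourceIp": "203.0.113.10"}},
    "upload_outside_prefix": {"action": "oss:PutObject", "resource": BUCKET + "/secrets/key.txt", "context": OFFICE_HTTPS},
    "list_uploads": {"action": "oss:ListObjects", "resource": BUCKET, "context": {"oss:Prefix": "uploads/2024/"}},
    "list_whole_bucket": {"action": "oss:ListObjects", "resource": BUCKET, "context": {}},
    "make_object_public": {"action": "oss:PutObjectAcl", "resource": BUCKET + "/uploads/a.csv", "context": OFFICE_HTTPS},
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:22} {evaluate(UPLOADER_POLICY, req)}")
    for label, policy in (("scoped", UPLOADER_POLICY), ("wildcard", WILDCARD_POLICY)):
        print(label, "grants", granted_actions(policy, ["oss:GetObject", "oss:DeleteObject", "oss:PutObjectAcl"], BUCKET + "/uploads/a.csv", OFFICE_HTTPS))
```

Running the script prints one decision per sample request: the upload under uploads/ over HTTPS from the office range is allowed, while the same upload over plain HTTP, an upload outside the prefix, a listing without the oss:Prefix key and an ACL change are all denied. The final two lines make the contrast the page's two common policies imply: on the same object and in the same request context the scoped policy grants only oss:GetObject, whereas the wildcard policy grants every action asked about. The scoped policy's explicit Deny is the part worth copying: it keeps a second, broader policy attached to the same user from re-opening deletion or ACL changes on that bucket.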