All Products
Search

This Product

    Object Storage Service:Overview

    Document Center

    Object Storage Service:Overview

    Last Updated:May 25, 2023

    Resource Access Management (RAM) policies are user-based authorization policies. You can configure RAM policies to manage user access to your resources in Object Storage Service (OSS).

    Background information

    • Syntax and structure of RAM policies

      A RAM policy contains a version number and a statement. Each statement contains the following elements: Effect, Action, Resource, and Condition. The Condition element is optional. For more information about the syntax and structure of RAM policies, see Policy syntax and structure.

      You can use the Version element, Statement element, and Effect element in RAM policies for OSS in the same manner as you use the elements in policies for RAM. For more information about how to use the Action element, Resource element, and Condition element in RAM policies for OSS, see the following sections:

    • Common RAM policies for OSS

      • AliyunOSSFullAccess: grants a RAM user the permissions to manage OSS resources.

      • AliyunOSSReadOnlyAccess: grants a RAM user the read-only permissions on OSS resources.

    • Access control

      For more information about access control methods supported by OSS, see Overview.

    Action element in RAM policies for OSS

    RAM policies for OSS support service-level actions, bucket-level actions, and object-level actions.

    • Service-level actions

      API

      Action

      Description

      ListBuckets(GetService)

      oss:ListBuckets

      Lists all buckets owned by the requester.

    • Bucket-level actions

      API

      Action

      Description

      PutBucket

      oss:PutBucket

      Creates a bucket.

      ListObjects (GetBucket)

      oss:ListObjects

      Lists all objects in a bucket.

      GetBucketInfo

      oss:GetBucketInfo

      Queries information about a bucket.

      GetBucketLocation

      oss:GetBucketLocation

      Queries the location information about a bucket.

      PutBucketVersioning

      oss:PutBucketVersioning

      Specifies the versioning status of a bucket.

      GetBucketVersioning

      oss:GetBucketVersioning

      Queries the versioning status of a bucket.

      ListObjectVersions(GetBucketVersions)

      oss:ListObjectVersions

      Lists the versions of all objects including delete markers in a bucket.

      PutBucketAcl

      oss:PutBucketAcl

      Configures or modifies the access control list (ACL) of a bucket.

      GetBucketAcl

      oss:GetBucketAcl

      Obtains the ACL of a bucket.

      DeleteBucket

      oss:DeleteBucket

      Deletes a bucket.

      InitiateBucketWorm

      oss:InitiateBucketWorm

      Creates a retention policy.

      AbortBucketWorm

      oss:AbortBucketWorm

      Deletes an unlocked retention policy.

      CompleteBucketWorm

      oss:CompleteBucketWorm

      Locks a retention policy.

      ExtendBucketWorm

      oss:ExtendBucketWorm

      Extends the retention period (days) of objects in a bucket for which a retention policy is locked.

      GetBucketWorm

      oss:GetBucketWorm

      Queries the retention policy of a bucket.

      PutBucketLogging

      oss:PutBucketLogging

      Enables logging for a bucket.

      GetBucketLogging

      oss:GetBucketLogging

      Queries the logging configurations of a bucket.

      DeleteBucketLogging

      oss:DeleteBucketLogging

      Disables logging for a bucket.

      PutBucketWebsite

      oss:PutBucketWebsite

      Enables static website hosting for a bucket and configures redirection rules for the bucket.

      GetBucketWebsite

      oss:GetBucketWebsite

      Queries the static website hosting status of a bucket and the redirection rules configured for the bucket.

      DeleteBucketWebsite

      oss:DeleteBucketWebsite

      Disables static website hosting for a bucket and deletes the redirection rules configured for the bucket.

      PutBucketReferer

      oss:PutBucketReferer

      Configures hotlink protection for a bucket.

      GetBucketReferer

      oss:GetBucketReferer

      Queries the hotlink protection configurations of a bucket.

      PutBucketLifecycle

      oss:PutBucketLifecycle

      Configures lifecycle rules for a bucket.

      GetBucketLifecycle

      oss:GetBucketLifecycle

      Queries the lifecycle rules that are configured for a bucket.

      DeleteBucketLifecycle

      oss:DeleteBucketLifecycle

      Deletes the lifecycle rules configured for a bucket.

      PutBucketTransferAcceleration

      oss:PutBucketTransferAcceleration

      Configures transfer acceleration for a bucket.

      GetBucketTransferAcceleration

      oss:GetBucketTransferAcceleration

      Queries the transfer acceleration configurations of a bucket.

      ListMultipartUploads

      oss:ListMultipartUploads

      Lists all ongoing multipart upload tasks, which include tasks that have been initiated but are not completed or canceled.

      PutBucketCors

      oss:PutBucketCors

      Configures cross-origin resource sharing (CORS) rules for a bucket.

      GetBucketCors

      oss:GetBucketCors

      Queries the CORS rules configured for a bucket.

      DeleteBucketCors

      oss:DeleteBucketCors

      Disables the CORS feature and deletes all CORS rules configured for a bucket.

      PutBucketPolicy

      oss:PutBucketPolicy

      Configures the bucket policies for a bucket.

      GetBucketPolicy

      oss:GetBucketPolicy

      Queries the policies of a bucket.

      DeleteBucketPolicy

      oss:DeleteBucketPolicy

      Deletes the policies of a bucket.

      PutBucketTags

      oss:PutBucketTagging

      Adds tags to or modifies the tags of a bucket.

      GetBucketTags

      oss:GetBucketTagging

      Queries the tags of a bucket.

      DeleteBucketTags

      oss:DeleteBucketTagging

      Deletes the tags of a bucket.

      PutBucketEncryption

      oss:PutBucketEncryption

      Configures encryption rules for a bucket.

      GetBucketEncryption

      oss:GetBucketEncryption

      Queries the encryption rules of a bucket.

      DeleteBucketEncryption

      oss:DeleteBucketEncryption

      Deletes the encryption rules configured for a bucket.

      PutBucketRequestPayment

      oss:PutBucketRequestPayment

      Configures the pay-by-requester mode for a bucket.

      GetBucketRequestPayment

      oss:GetBucketRequestPayment

      Queries the pay-by-requester configurations of a bucket.

      PutBucketReplication

      oss:PutBucketReplication

      Configures a data replication rule for a bucket.

      PutBucketRTC

      oss:PutBucketRTC

      Enables or disables the Replication Time Control (RTC) feature for existing cross-region replication (CRR) rules.

      GetBucketReplication

      oss:GetBucketReplication

      Queries the data replication rules of a bucket.

      DeleteBucketReplication

      oss:DeleteBucketReplication

      Stops the data replication tasks of a bucket and deletes the data replication configurations of the bucket.

      GetBucketReplicationLocation

      oss:GetBucketReplicationLocation

      Queries the regions in which the destination bucket can be located.

      GetBucketReplicationProgress

      oss:GetBucketReplicationProgress

      Queries the data replication progress of a bucket.

      PutBucketInventory

      oss:PutBucketInventory

      Configures inventories for a bucket.

      GetBucketInventory

      oss:GetBucketInventory

      Queries the specified inventories configured for a bucket.

      ListBucketInventory

      oss:GetBucketInventory

      Queries all inventories of a bucket.

      DeleteBucketInventory

      oss:DeleteBucketInventory

      Deletes an inventory of a bucket.

      PutBucketAccessMonitor

      oss:PutBucketAccessMonitor

      Configures the access tracking status of a bucket.

      GetBucketAccessMonitor

      oss:GetBucketAccessMonitor

      Queries the access tracking status of a bucket.

      OpenMetaQuery

      oss:OpenMetaQuery

      Enables the metadata management feature for a bucket.

      GetMetaQueryStatus

      oss:GetMetaQueryStatus

      Queries the metadata index library of a bucket.

      DoMetaQuery

      oss:DoMetaQuery

      Queries objects that meet specified conditions and lists the object information based on the specified fields and sorting methods.

      CloseMetaQuery

      oss:CloseMetaQuery

      Disables the metadata management feature for a bucket.

      InitUserAntiDDosInfo

      oss:InitUserAntiDDosInfo

      Creates Anti-DDoS Pro or Anti-DDoS Premium instances.

      UpdateUserAntiDDosInfo

      oss:UpdateUserAntiDDosInfo

      Changes the status of an Anti-DDoS Pro or Anti-DDoS Premium instance.

      GetUserAntiDDosInfo

      oss:GetUserAntiDDosInfo

      Queries information about Anti-DDoS Pro or Anti-DDoS Premium instances that belong to a specific Alibaba Cloud account.

      InitBucketAntiDDosInfo

      oss:InitBucketAntiDDosInfo

      Initializes Anti-DDoS Pro or Anti-DDoS Premium instances for a bucket.

      UpdateBucketAntiDDosInfo

      oss:UpdateBucketAntiDDosInfo

      Updates the status of Anti-DDoS Pro or Anti-DDoS Premium instances of a bucket.

      ListBucketAntiDDosInfo

      oss:ListBucketAntiDDosInfo

      Queries the protection list of an Anti-DDoS Pro or Anti-DDoS Premium instance of a bucket.

      PutBucketResourceGroup

      oss:PutBucketResourceGroup

      Configures the resource group to which a bucket belongs.

      GetBucketResourceGroup

      oss:GetBucketResourceGroup

      Queries the ID of the resource group to which a bucket belongs.

      CreateCnameToken

      oss:CreateCnameToken

      Creates a CNAME token used to verify the ownership of a domain name.

      GetCnameToken

      oss:GetCnameToken

      Queries the created CNAME tokens.

      PutCname

      oss:PutCname

      Maps a custom domain name to a bucket.

      ListCname

      oss:ListCname

      Queries all custom domain names that are mapped to a bucket.

      DeleteCname

      oss:DeleteCname

      Deletes a CNAME record that maps a custom domain name to a bucket.

      PutStyle

      oss:PutStyle

      Configures image styles.

      GetStyle

      oss:GetStyle

      Queries image styles.

      ListStyle

      oss:ListStyle

      Lists image styles.

      DeleteStyle

      oss:DeleteStyle

      Deletes image styles.

    • Object-level actions

      API

      Action

      Description

      PutObject

      oss:PutObject

      Uploads an object.

      PostObject

      oss:PutObject

      Uploads an object to a specified bucket by using HTML form upload.

      AppendObject

      oss:PutObject

      Uploads an object by appending the content of the object to an existing object.

      InitiateMultipartUpload

      oss:PutObject

      Initiates a multipart upload task.

      UploadPart

      oss:PutObject

      Uploads an object by part based on the specified object name and the upload ID.

      CompleteMultipartUpload

      oss:PutObject

      Completes a multipart upload task.

      AbortMultipartUpload

      oss:AbortMultipartUpload

      Cancels a multipart upload task and deletes the uploaded parts.

      PutSymlink

      oss:PutObject

      Creates a symbolic link for an object.

      GetObject

      oss:GetObject

      Queries an object.

      HeadObject

      oss:GetObject

      Queries the metadata of an object.

      GetObjectMeta

      oss:GetObject

      Queries the metadata of an object, including the ETag, the object size, and the last modification time.

      SelectObject

      oss:GetObject

      Executes SQL statements on an object. After the SQL statements are executed, execution results are returned.

      GetSymlink

      oss:GetObject

      Queries the symbolic link of an object.

      DeleteObject

      oss:DeleteObject

      Deletes an object.

      DeleteMultipleObjects

      oss:DeleteObject

      Deletes multiple objects from a bucket.

      CopyObject

      oss:GetObject,oss:PutObject

      Copies objects to the same bucket or to a different bucket in the same region.

      UploadPartCopy

      oss:GetObject,oss:PutObject

      Copies data from an existing object to upload a part by adding the x-oss-copy-source request header to an UploadPart request to call UploadPartCopy.

      ListParts

      oss:ListParts

      Lists all parts that are uploaded by using a specified upload ID.

      PutObjectACL

      oss:PutObjectAcl

      Modifies the ACL of an object in a bucket.

      GetObjectACL

      oss:GetObjectAcl

      Queries the ACL of an object in a bucket.

      RestoreObject

      oss:RestoreObject

      Restores an Archive or a Cold Archive object.

      PutObjectTagging

      oss:PutObjectTagging

      Adds tags to or modifies the tags of an object.

      GetObjectTagging

      oss:GetObjectTagging

      Queries the tags of an object.

      DeleteObjectTagging

      oss:DeleteObjectTagging

      Deletes the tags of an object.

      GetObject (with versionId specified in the request)

      oss:GetObjectVersion

      Downloads a specified version of an object.

      PutObjectACL (with versionId specified in the request)

      oss:PutObjectVersionAcl

      Modifies the ACL of a specified version of an object.

      GetObjectACL (with versionId specified in the request)

      oss:GetObjectVersionAcl

      Queries the ACL of a specified version of an object in a bucket.

      RestoreObject (with versionId specified in the request)

      oss:RestoreObjectVersion

      Restores a specified version of an Archive or a Cold Archive object.

      DeleteObject (with versionId specified in the request)

      oss:DeleteObjectVersion

      Deletes a specified version of an object.

      PutObjectTagging (with versionId specified in the request)

      oss:PutObjectVersionTagging

      Adds tags to or modifies the tags of a specified version of an object.

      GetObjectTagging (with versionId specified in the request)

      oss:GetObjectVersionTagging

      Queries the tags of a specified version of an object.

      DeleteObjectTagging (with versionId specified in the request)

      oss:DeleteObjectVersionTagging

      Deletes the tags of a specified version of an object.

      PutLiveChannel

      oss:PutLiveChannel

      Creates a LiveChannel. You must call this operation before you upload audio and video data by using the Real-Time Messaging Protocol (RTMP).

      ListLiveChannel

      oss:ListLiveChannel

      Lists specified LiveChannels.

      DeleteLiveChannel

      oss:DeleteLiveChannel

      Deletes a specified LiveChannel.

      PutLiveChannelStatus

      oss:PutLiveChannelStatus

      Switches the status of a specified LiveChannel between enabled and disabled.

      GetLiveChannelInfo

      oss:GetLiveChannel

      Queries the configurations of a specified LiveChannel.

      GetLiveChannelStat

      oss:GetLiveChannelStat

      Queries the stream ingest status of a specified LiveChannel.

      GetLiveChannelHistory

      oss:GetLiveChannelHistory

      Queries the stream ingest records of a specified LiveChannel.

      PostVodPlaylist

      oss:PostVodPlaylist

      Generates a VOD playlist for a specified LiveChannel.

      GetVodPlaylist

      oss:GetVodPlaylist

      Queries the playlist that is generated by the streams ingested to a specified LiveChannel within a specified time range.

      ImgSaveAs

      oss:PostProcessTask

      Saves processed images to a specified bucket.

    Resource element in RAM policies for OSS

    In RAM policies for OSS, the Resource element indicates one or more specific resources. This element supports the asterisk (*) wildcard character. A RAM policy can contain multiple Resource elements.

    Category

    Format

    Example

    Bucket-level resource

    acs:oss:{region}:{bucket_owner}:{bucket_name}

    acs:oss:*:*:mybucket

    Object-level resource

    acs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name}

    acs:oss:*:*:mybucket/abc.txt

    Note

    The region field can be set only to the asterisk (*) wildcard character.

    Condition element in RAM policies for OSS

    The Condition element specifies the conditions that are required for a policy to take effect. Each Condition element consists of conditional operators, condition keys, and condition values. For more information, see the "Condition" section of the Policy elements topic.

    The following tables describe the conditional operator types and condition keys.

    • Condition types

      CategoryConditional operator
      String
      • StringEquals
      • StringNotEquals
      • StringEqualsIgnoreCase
      • StringNotEqualsIgnoreCase
      • StringLike
      • StringNotLike
      Number
      • NumericEquals
      • NumericNotEquals
      • NumericLessThan
      • NumericLessThanEquals
      • NumericGreaterThan
      • NumericGreaterThanEquals
      Date and time
      • DateEquals
      • DateNotEquals
      • DateLessThan
      • DateLessThanEquals
      • DateGreaterThan
      • DateGreaterThanEquals
      BooleanBool
      IP address
      • IpAddress
      • NotIpAddress

    • Condition key

      Condition

      Description

      acs:SourceIp

      The CIDR block from which the requests are sent. This condition supports the asterisk (*) wildcard character.

      acs:UserAgent

      The User-Agent header in the HTTP request.

      Type: string

      acs:CurrentTime

      The point in time when the request is received by the OSS server.

      Standard: ISO 8601.

      acs:SecureTransport

      The protocol of the request. Valid values:

      • true: Only HTTPS requests are allowed.

      • false: Only HTTP requests are allowed.

      If the acs:SecureTransport condition is not specified, HTTPS and HTTP requests are allowed.

      oss:Prefix

      The prefix of the names of the objects that you want to list by calling the ListObjects operation.

      oss:Delimiter

      The character that is used to group the names of objects that you want to list by calling the ListObjects operation.

      acs:AccessId

      The AccessKey ID included in the request.

      oss:BucketTag

      The tag of the bucket.

      A single bucket tag can be used as a condition. To configure multiple BucketTags as multiple conditions, you must add oss:BucketTag/ before each BucketTag.

      acs:MFAPresent

      Specifies whether to enable multi-factor authentication (MFA).

      Valid values:

      • true

      • false

      oss:ExistingObjectTag

      Specifies that the requested object has tags.

      A single object tag can be used as a condition. To configure multiple ObjectTags as multiple conditions, you must add oss:ExistingObjectTag/ before each ObjectTag.

      This condition applies to operations that read objects, such as GetObject and HeadObject, and object tag-related operations, such as PutObjectTagging and GetObjectTagging.

      oss:RequestObjectTag

      The object tags included in the request.

      A single object tag can be used as a condition. To configure multiple ObjectTags as multiple conditions, you must add oss:RequestObjectTag/ before each ObjectTag.

      This condition applies to operations that write objects, such as PutObject and PostObject, and object tag-related operations, such as PutObjectTagging and GetObjectTagging.

    Examples

    You can use RAM policies to grant permissions to users in different scenarios. For more information, see Common examples of RAM policies.