
Object Storage Service: Overview

Last Updated:May 25, 2023

Resource Access Management (RAM) policies are identity-based authorization policies: you attach them to RAM users, user groups, or RAM roles to control which Object Storage Service (OSS) resources those identities can access and which operations they can perform on them.

Background information

  • Syntax and structure of RAM policies

    A RAM policy consists of a Version element and a Statement element. Each statement contains an Effect, an Action, a Resource, and an optional Condition. For more information about the syntax and structure of RAM policies, see Policy syntax and structure.

    The Version, Statement, and Effect elements are used in RAM policies for OSS exactly as in any other RAM policy. The Action, Resource, and Condition elements take OSS-specific values, which are described in the following sections.

  • Common RAM policies for OSS

    • AliyunOSSFullAccess: grants a RAM user the permissions to manage OSS resources.

    • AliyunOSSReadOnlyAccess: grants a RAM user the read-only permissions on OSS resources.

  • Access control

    For more information about access control methods supported by OSS, see Overview.

Action element in RAM policies for OSS

RAM policies for OSS support service-level actions, bucket-level actions, and object-level actions.

  • Service-level actions

    API | Action | Description
    ListBuckets (GetService) | oss:ListBuckets | Lists all buckets owned by the requester.

  • Bucket-level actions

    API | Action | Description
    PutBucket | oss:PutBucket | Creates a bucket.
    ListObjects (GetBucket) | oss:ListObjects | Lists all objects in a bucket.
    GetBucketInfo | oss:GetBucketInfo | Queries information about a bucket.
    GetBucketLocation | oss:GetBucketLocation | Queries the location (region) of a bucket.
    PutBucketVersioning | oss:PutBucketVersioning | Specifies the versioning status of a bucket.
    GetBucketVersioning | oss:GetBucketVersioning | Queries the versioning status of a bucket.
    ListObjectVersions (GetBucketVersions) | oss:ListObjectVersions | Lists the versions of all objects in a bucket, including delete markers.
    PutBucketAcl | oss:PutBucketAcl | Configures or modifies the access control list (ACL) of a bucket.
    GetBucketAcl | oss:GetBucketAcl | Queries the ACL of a bucket.
    DeleteBucket | oss:DeleteBucket | Deletes a bucket.
    InitiateBucketWorm | oss:InitiateBucketWorm | Creates a retention policy.
    AbortBucketWorm | oss:AbortBucketWorm | Deletes an unlocked retention policy.
    CompleteBucketWorm | oss:CompleteBucketWorm | Locks a retention policy.
    ExtendBucketWorm | oss:ExtendBucketWorm | Extends the retention period (in days) of objects in a bucket whose retention policy is locked.
    GetBucketWorm | oss:GetBucketWorm | Queries the retention policy of a bucket.
    PutBucketLogging | oss:PutBucketLogging | Enables logging for a bucket.
    GetBucketLogging | oss:GetBucketLogging | Queries the logging configurations of a bucket.
    DeleteBucketLogging | oss:DeleteBucketLogging | Disables logging for a bucket.
    PutBucketWebsite | oss:PutBucketWebsite | Enables static website hosting for a bucket and configures its redirection rules.
    GetBucketWebsite | oss:GetBucketWebsite | Queries the static website hosting status and redirection rules of a bucket.
    DeleteBucketWebsite | oss:DeleteBucketWebsite | Disables static website hosting for a bucket and deletes its redirection rules.
    PutBucketReferer | oss:PutBucketReferer | Configures hotlink protection for a bucket.
    GetBucketReferer | oss:GetBucketReferer | Queries the hotlink protection configurations of a bucket.
    PutBucketLifecycle | oss:PutBucketLifecycle | Configures lifecycle rules for a bucket.
    GetBucketLifecycle | oss:GetBucketLifecycle | Queries the lifecycle rules configured for a bucket.
    DeleteBucketLifecycle | oss:DeleteBucketLifecycle | Deletes the lifecycle rules configured for a bucket.
    PutBucketTransferAcceleration | oss:PutBucketTransferAcceleration | Configures transfer acceleration for a bucket.
    GetBucketTransferAcceleration | oss:GetBucketTransferAcceleration | Queries the transfer acceleration configurations of a bucket.
    ListMultipartUploads | oss:ListMultipartUploads | Lists all ongoing multipart upload tasks (tasks that have been initiated but not yet completed or aborted).
    PutBucketCors | oss:PutBucketCors | Configures cross-origin resource sharing (CORS) rules for a bucket.
    GetBucketCors | oss:GetBucketCors | Queries the CORS rules configured for a bucket.
    DeleteBucketCors | oss:DeleteBucketCors | Disables CORS and deletes all CORS rules configured for a bucket.
    PutBucketPolicy | oss:PutBucketPolicy | Configures the bucket policy of a bucket.
    GetBucketPolicy | oss:GetBucketPolicy | Queries the bucket policy of a bucket.
    DeleteBucketPolicy | oss:DeleteBucketPolicy | Deletes the bucket policy of a bucket.
    PutBucketTags | oss:PutBucketTagging | Adds tags to or modifies the tags of a bucket.
    GetBucketTags | oss:GetBucketTagging | Queries the tags of a bucket.
    DeleteBucketTags | oss:DeleteBucketTagging | Deletes the tags of a bucket.
    PutBucketEncryption | oss:PutBucketEncryption | Configures encryption rules for a bucket.
    GetBucketEncryption | oss:GetBucketEncryption | Queries the encryption rules of a bucket.
    DeleteBucketEncryption | oss:DeleteBucketEncryption | Deletes the encryption rules configured for a bucket.
    PutBucketRequestPayment | oss:PutBucketRequestPayment | Configures the pay-by-requester mode for a bucket.
    GetBucketRequestPayment | oss:GetBucketRequestPayment | Queries the pay-by-requester configurations of a bucket.
    PutBucketReplication | oss:PutBucketReplication | Configures a data replication rule for a bucket.
    PutBucketRTC | oss:PutBucketRTC | Enables or disables Replication Time Control (RTC) for existing cross-region replication (CRR) rules.
    GetBucketReplication | oss:GetBucketReplication | Queries the data replication rules of a bucket.
    DeleteBucketReplication | oss:DeleteBucketReplication | Stops the data replication tasks of a bucket and deletes its replication configurations.
    GetBucketReplicationLocation | oss:GetBucketReplicationLocation | Queries the regions in which the destination bucket can be located.
    GetBucketReplicationProgress | oss:GetBucketReplicationProgress | Queries the data replication progress of a bucket.
    PutBucketInventory | oss:PutBucketInventory | Configures inventories for a bucket.
    GetBucketInventory | oss:GetBucketInventory | Queries a specified inventory configured for a bucket.
    ListBucketInventory | oss:GetBucketInventory | Queries all inventories of a bucket.
    DeleteBucketInventory | oss:DeleteBucketInventory | Deletes an inventory of a bucket.
    PutBucketAccessMonitor | oss:PutBucketAccessMonitor | Configures the access tracking status of a bucket.
    GetBucketAccessMonitor | oss:GetBucketAccessMonitor | Queries the access tracking status of a bucket.
    OpenMetaQuery | oss:OpenMetaQuery | Enables the metadata management feature for a bucket.
    GetMetaQueryStatus | oss:GetMetaQueryStatus | Queries the metadata index library of a bucket.
    DoMetaQuery | oss:DoMetaQuery | Queries objects that meet specified conditions and lists their information based on the specified fields and sort order.
    CloseMetaQuery | oss:CloseMetaQuery | Disables the metadata management feature for a bucket.
    InitUserAntiDDosInfo | oss:InitUserAntiDDosInfo | Creates Anti-DDoS Pro or Anti-DDoS Premium instances.
    UpdateUserAntiDDosInfo | oss:UpdateUserAntiDDosInfo | Changes the status of an Anti-DDoS Pro or Anti-DDoS Premium instance.
    GetUserAntiDDosInfo | oss:GetUserAntiDDosInfo | Queries information about the Anti-DDoS Pro or Anti-DDoS Premium instances that belong to an Alibaba Cloud account.
    InitBucketAntiDDosInfo | oss:InitBucketAntiDDosInfo | Initializes Anti-DDoS Pro or Anti-DDoS Premium instances for a bucket.
    UpdateBucketAntiDDosInfo | oss:UpdateBucketAntiDDosInfo | Updates the status of the Anti-DDoS Pro or Anti-DDoS Premium instances of a bucket.
    ListBucketAntiDDosInfo | oss:ListBucketAntiDDosInfo | Queries the protection list of an Anti-DDoS Pro or Anti-DDoS Premium instance of a bucket.
    PutBucketResourceGroup | oss:PutBucketResourceGroup | Configures the resource group to which a bucket belongs.
    GetBucketResourceGroup | oss:GetBucketResourceGroup | Queries the ID of the resource group to which a bucket belongs.
    CreateCnameToken | oss:CreateCnameToken | Creates a CNAME token used to verify ownership of a domain name.
    GetCnameToken | oss:GetCnameToken | Queries the created CNAME tokens.
    PutCname | oss:PutCname | Maps a custom domain name to a bucket.
    ListCname | oss:ListCname | Queries all custom domain names mapped to a bucket.
    DeleteCname | oss:DeleteCname | Deletes a CNAME record that maps a custom domain name to a bucket.
    PutStyle | oss:PutStyle | Configures image styles.
    GetStyle | oss:GetStyle | Queries image styles.
    ListStyle | oss:ListStyle | Lists image styles.
    DeleteStyle | oss:DeleteStyle | Deletes image styles.

  • Object-level actions

    API | Action | Description
    PutObject | oss:PutObject | Uploads an object.
    PostObject | oss:PutObject | Uploads an object to a bucket by using an HTML form.
    AppendObject | oss:PutObject | Uploads an object by appending content to an existing appendable object.
    InitiateMultipartUpload | oss:PutObject | Initiates a multipart upload task.
    UploadPart | oss:PutObject | Uploads one part of an object, identified by the object name and the upload ID.
    CompleteMultipartUpload | oss:PutObject | Completes a multipart upload task.
    AbortMultipartUpload | oss:AbortMultipartUpload | Cancels a multipart upload task and deletes the uploaded parts.
    PutSymlink | oss:PutObject | Creates a symbolic link for an object.
    GetObject | oss:GetObject | Downloads an object.
    HeadObject | oss:GetObject | Queries the metadata of an object.
    GetObjectMeta | oss:GetObject | Queries the metadata of an object, including the ETag, the size, and the last modification time.
    SelectObject | oss:GetObject | Executes SQL statements on an object and returns the results.
    GetSymlink | oss:GetObject | Queries the symbolic link of an object.
    DeleteObject | oss:DeleteObject | Deletes an object.
    DeleteMultipleObjects | oss:DeleteObject | Deletes multiple objects from a bucket.
    CopyObject | oss:GetObject, oss:PutObject | Copies an object within a bucket or to a different bucket in the same region (oss:GetObject on the source object, oss:PutObject on the destination).
    UploadPartCopy | oss:GetObject, oss:PutObject | Uploads a part by copying data from an existing object (an UploadPart request that carries the x-oss-copy-source header).
    ListParts | oss:ListParts | Lists all parts uploaded with a specified upload ID.
    PutObjectACL | oss:PutObjectAcl | Modifies the ACL of an object.
    GetObjectACL | oss:GetObjectAcl | Queries the ACL of an object.
    RestoreObject | oss:RestoreObject | Restores an Archive or Cold Archive object.
    PutObjectTagging | oss:PutObjectTagging | Adds tags to or modifies the tags of an object.
    GetObjectTagging | oss:GetObjectTagging | Queries the tags of an object.
    DeleteObjectTagging | oss:DeleteObjectTagging | Deletes the tags of an object.
    GetObject (with versionId specified in the request) | oss:GetObjectVersion | Downloads a specified version of an object.
    PutObjectACL (with versionId specified in the request) | oss:PutObjectVersionAcl | Modifies the ACL of a specified version of an object.
    GetObjectACL (with versionId specified in the request) | oss:GetObjectVersionAcl | Queries the ACL of a specified version of an object.
    RestoreObject (with versionId specified in the request) | oss:RestoreObjectVersion | Restores a specified version of an Archive or Cold Archive object.
    DeleteObject (with versionId specified in the request) | oss:DeleteObjectVersion | Deletes a specified version of an object.
    PutObjectTagging (with versionId specified in the request) | oss:PutObjectVersionTagging | Adds tags to or modifies the tags of a specified version of an object.
    GetObjectTagging (with versionId specified in the request) | oss:GetObjectVersionTagging | Queries the tags of a specified version of an object.
    DeleteObjectTagging (with versionId specified in the request) | oss:DeleteObjectVersionTagging | Deletes the tags of a specified version of an object.
    PutLiveChannel | oss:PutLiveChannel | Creates a LiveChannel. Required before you ingest audio and video data over the Real-Time Messaging Protocol (RTMP).
    ListLiveChannel | oss:ListLiveChannel | Lists specified LiveChannels.
    DeleteLiveChannel | oss:DeleteLiveChannel | Deletes a specified LiveChannel.
    PutLiveChannelStatus | oss:PutLiveChannelStatus | Switches a specified LiveChannel between enabled and disabled.
    GetLiveChannelInfo | oss:GetLiveChannel | Queries the configurations of a specified LiveChannel.
    GetLiveChannelStat | oss:GetLiveChannelStat | Queries the stream ingest status of a specified LiveChannel.
    GetLiveChannelHistory | oss:GetLiveChannelHistory | Queries the stream ingest records of a specified LiveChannel.
    PostVodPlaylist | oss:PostVodPlaylist | Generates a VOD playlist for a specified LiveChannel.
    GetVodPlaylist | oss:GetVodPlaylist | Queries the playlist generated from the streams ingested to a specified LiveChannel within a specified time range.
    ImgSaveAs | oss:PostProcessTask | Saves processed images to a specified bucket.

    Requests that specify a versionId are checked against the corresponding ...Version action, not the plain one: a policy that grants only oss:GetObject does not allow GetObject with versionId specified, and a policy that denies only oss:DeleteObject does not block deletion of a specific version.

Resource element in RAM policies for OSS

In RAM policies for OSS, the Resource element names the resources that a statement applies to. Values support the asterisk (*) wildcard character, and a single statement can list several resources in its Resource element.

Category | Format | Example
Bucket-level resource | acs:oss:{region}:{bucket_owner}:{bucket_name} | acs:oss:*:*:mybucket
Object-level resource | acs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name} | acs:oss:*:*:mybucket/abc.txt

Note

The region field can be set only to the asterisk (*) wildcard character. A bucket-level resource such as acs:oss:*:*:mybucket does not cover the objects in the bucket: bucket-level actions such as oss:ListObjects need the bucket resource, while object-level actions such as oss:GetObject need an object resource such as acs:oss:*:*:mybucket/* or a narrower prefix such as acs:oss:*:*:mybucket/logs/*.
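The action tables above and the Resource formats combine into a policy as follows. This is an added example, not Alibaba Cloud code or tooling: it uses a constructed subset of the page's API-to-action table, splits statements by the resource scope each action needs, and assumes acs:oss:*:*:* as the resource for the service-level ListBuckets action, a format the page does not state.

```python
"""Derive a least-privilege RAM policy for OSS from the API-to-action mapping
on this page. Added example, not Alibaba Cloud tooling: the mapping is a
constructed subset of the page's tables, and the service-level resource
'acs:oss:*:*:*' is an assumption (the page gives no format for that level)."""
import json

# API operation -> oss:Action(s) it needs, taken from the page's tables.
API_TO_ACTIONS = {
    "ListBuckets": ("oss:ListBuckets",),
    "ListObjects": ("oss:ListObjects",),
    "GetBucketInfo": ("oss:GetBucketInfo",),
    "ListMultipartUploads": ("oss:ListMultipartUploads",),
    "PutObject": ("oss:PutObject",),
    "PostObject": ("oss:PutObject",),
    "AppendObject": ("oss:PutObject",),
    "InitiateMultipartUpload": ("oss:PutObject",),
    "UploadPart": ("oss:PutObject",),
    "CompleteMultipartUpload": ("oss:PutObject",),
    "AbortMultipartUpload": ("oss:AbortMultipartUpload",),
    "ListParts": ("oss:ListParts",),
    "GetObject": ("oss:GetObject",),
    "HeadObject": ("oss:GetObject",),
    "GetObjectMeta": ("oss:GetObject",),
    "DeleteObject": ("oss:DeleteObject",),
    "DeleteMultipleObjects": ("oss:DeleteObject",),
    "CopyObject": ("oss:GetObject", "oss:PutObject"),
    "UploadPartCopy": ("oss:GetObject", "oss:PutObject"),
}

# Which Resource format an action needs (page's Resource table): service-level
# and bucket-level actions are named here, everything else is object-level.
SERVICE_ACTIONS = {"oss:ListBuckets"}
BUCKET_ACTIONS = {"oss:ListObjects", "oss:GetBucketInfo", "oss:ListMultipartUploads"}


def scope_of(action):
    if action in SERVICE_ACTIONS:
        return "service"
    return "bucket" if action in BUCKET_ACTIONS else "object"


def resource_for(scope, bucket, prefix=""):
    # Region and owner are '*' (the page: the region field can only be '*').
    if scope == "service":
        return "acs:oss:*:*:*"  # assumption, see module docstring
    if scope == "bucket":
        return f"acs:oss:*:*:{bucket}"
    return f"acs:oss:*:*:{bucket}/{prefix}*"


def required_actions(apis):
    """Union of oss:Actions behind a list of API operations (CopyObject needs two)."""
    actions = set()
    for api in apis:
        if api not in API_TO_ACTIONS:
            raise ValueError(f"API operation not in the mapping: {api}")
        actions.update(API_TO_ACTIONS[api])
    return actions


def build_policy(apis, bucket, prefix=""):
    """One Allow statement per resource scope, object access limited to prefix."""
    by_scope = {}
    for action in sorted(required_actions(apis)):
        by_scope.setdefault(scope_of(action), []).append(action)
    statements = []
    for scope in ("service", "bucket", "object"):
        actions = by_scope.get(scope, [])
        resource = [resource_for(scope, bucket, prefix)]
        if scope == "bucket" and prefix and "oss:ListObjects" in actions:
            # Listing gets its own statement so the oss:Prefix condition limits it
            # to the prefix without affecting other bucket-level reads (a condition
            # whose key is absent from the request would fail for them).
            statements.append({"Effect": "Allow", "Action": ["oss:ListObjects"],
                               "Resource": resource,
                               "Condition": {"StringLike": {"oss:Prefix": [f"{prefix}*"]}}})
            actions = [a for a in actions if a != "oss:ListObjects"]
        if actions:
            statements.append({"Effect": "Allow", "Action": actions, "Resource": resource})
    return {"Version": "1", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(build_policy(["ListObjects", "GetObject", "CopyObject"],
                                  "mybucket", "logs/"), indent=2))
```

Running it for ListObjects, GetObject and CopyObject on mybucket/logs/ yields two statements: listing on the bucket resource with oss:Prefix restricted to logs/*, and oss:GetObject plus oss:PutObject on acs:oss:*:*:mybucket/logs/*. Handing CopyObject a single action, or giving object actions the bucket resource, are the two mistakes this split prevents.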

Condition element in RAM policies for OSS

The Condition element specifies the conditions that are required for a policy to take effect. Each Condition element consists of conditional operators, condition keys, and condition values. For more information, see the "Condition" section of the Policy elements topic.

The following tables describe the conditional operator types and condition keys.

  • Conditional operator types

    Category | Conditional operators
    String | StringEquals, StringNotEquals, StringEqualsIgnoreCase, StringNotEqualsIgnoreCase, StringLike, StringNotLike
    Number | NumericEquals, NumericNotEquals, NumericLessThan, NumericLessThanEquals, NumericGreaterThan, NumericGreaterThanEquals
    Date and time | DateEquals, DateNotEquals, DateLessThan, DateLessThanEquals, DateGreaterThan, DateGreaterThanEquals
    Boolean | Bool
    IP address | IpAddress, NotIpAddress
  • Condition keys

    Condition key | Description
    acs:SourceIp | The CIDR block from which the request is sent. Supports the asterisk (*) wildcard character.
    acs:UserAgent | The User-Agent header of the HTTP request. Type: string.
    acs:CurrentTime | The time at which the OSS server receives the request, in ISO 8601 format.
    acs:SecureTransport | Whether the request is sent over HTTPS. Valid values: true (only HTTPS requests satisfy the condition) and false (only HTTP requests satisfy it). If this key is not used, both HTTPS and HTTP requests are allowed.
    oss:Prefix | The prefix parameter of a ListObjects request, that is, the prefix of the object names to be listed.
    oss:Delimiter | The delimiter parameter of a ListObjects request, that is, the character used to group object names.
    acs:AccessId | The AccessKey ID included in the request.
    oss:BucketTag | A tag of the bucket that the request targets. Specify the key as oss:BucketTag/<tag key> with the tag value as the condition value; to match several bucket tags, add one such key per tag.
    acs:MFAPresent | Whether the request is made with multi-factor authentication (MFA). Valid values: true and false.
    oss:ExistingObjectTag | A tag already attached to the requested object. Specify the key as oss:ExistingObjectTag/<tag key>, one key per tag. Applies to operations that read objects, such as GetObject and HeadObject, and to object tag operations, such as PutObjectTagging and GetObjectTagging.
    oss:RequestObjectTag | An object tag carried in the request. Specify the key as oss:RequestObjectTag/<tag key>, one key per tag. Applies to operations that write objects, such as PutObject and PostObject, and to operations that write object tags, such as PutObjectTagging.
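To see how the condition keys interact with Action and Resource matching, the following is a small evaluator (an added example, not Alibaba Cloud's authorization engine). It assumes the standard RAM rules that an explicit Deny overrides any Allow and that a request matched by no Allow statement is denied, treats a condition key that is absent from the request as not satisfied, maps versionId requests to the ...Version actions from the object-level table, and uses a constructed policy for mybucket with the 203.0.113.0/24 documentation range as the permitted source CIDR.

```python
"""Model of how the RAM policy elements on this page combine at evaluation time.
Added example, not Alibaba Cloud's authorization engine: Effect/Action/Resource/
Condition, '*' matching, the listed operators, explicit Deny over Allow, and
implicit deny for anything not allowed."""
import fnmatch
import ipaddress
from datetime import datetime


def _dt(value):
    # ISO 8601, as the page specifies for acs:CurrentTime; accept a trailing Z.
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))


def _ip_in(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


# Conditional operators from the page's table: (request value, policy value) -> bool
OPERATORS = {
    "StringEquals": lambda a, b: a == b,
    "StringNotEquals": lambda a, b: a != b,
    "StringEqualsIgnoreCase": lambda a, b: a.lower() == b.lower(),
    "StringLike": lambda a, b: fnmatch.fnmatchcase(a, b),
    "StringNotLike": lambda a, b: not fnmatch.fnmatchcase(a, b),
    "NumericLessThan": lambda a, b: float(a) < float(b),
    "NumericGreaterThan": lambda a, b: float(a) > float(b),
    "DateLessThan": lambda a, b: _dt(a) < _dt(b),
    "DateGreaterThan": lambda a, b: _dt(a) > _dt(b),
    "Bool": lambda a, b: a.lower() == b.lower(),
    "IpAddress": lambda a, b: _ip_in(a, b),
    "NotIpAddress": lambda a, b: not _ip_in(a, b),
}

# A request that carries versionId is checked against the ...Version action
# (subset of the page's object-level table).
VERSIONED = {
    "oss:GetObject": "oss:GetObjectVersion",
    "oss:DeleteObject": "oss:DeleteObjectVersion",
    "oss:GetObjectAcl": "oss:GetObjectVersionAcl",
    "oss:PutObjectAcl": "oss:PutObjectVersionAcl",
    "oss:RestoreObject": "oss:RestoreObjectVersion",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # Policy-side Action/Resource values may contain '*'; the request value is literal.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    # Every operator block and every key must hold; the values listed for one key
    # are alternatives. A key missing from the request context fails the condition.
    for op, keys in (condition or {}).items():
        test = OPERATORS[op]
        for key, wanted in keys.items():
            if key not in ctx:
                return False
            if not any(test(str(ctx[key]), str(v)) for v in _as_list(wanted)):
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Allow' or 'Deny' for one (action, resource, context) against one policy."""
    decision = "Deny"  # nothing matched: implicit deny
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition"), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny wins over any allow
        decision = "Allow"
    return decision


def request(policy, action, bucket, key=None, ctx=None, version_id=None):
    """Map an OSS request to (action, resource ARN) and evaluate it.
    Region and owner are written as '*' to mirror the page's examples."""
    if version_id:
        action = VERSIONED.get(action, action)
    arn = f"acs:oss:*:*:{bucket}" + (f"/{key}" if key else "")
    return evaluate(policy, action, arn, ctx or {})


# Constructed policy: read objects under logs/ in mybucket over HTTPS from one
# CIDR, list only under that prefix, and never delete (any version).
READ_LOGS_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:GetObject"],
     "Resource": ["acs:oss:*:*:mybucket/logs/*"],
     "Condition": {"Bool": {"acs:SecureTransport": "true"},
                   "IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}}},
    {"Effect": "Allow", "Action": ["oss:ListObjects"],
     "Resource": ["acs:oss:*:*:mybucket"],
     "Condition": {"StringLike": {"oss:Prefix": ["logs/*"]}}},
    {"Effect": "Deny", "Action": ["oss:DeleteObject", "oss:DeleteObjectVersion"],
     "Resource": ["acs:oss:*:*:mybucket/*"]},
]}
```

Calling request(READ_LOGS_POLICY, "oss:GetObject", "mybucket", "logs/a.txt", {"acs:SecureTransport": "true", "acs:SourceIp": "203.0.113.7"}) returns Allow; the same call over HTTP, from another address, for secrets/k.pem, or with version_id set returns Deny, because the condition fails, the resource does not match, or the action becomes oss:GetObjectVersion. ListObjects is allowed only when the request's prefix parameter is under logs/, so a listing without a prefix is denied as well, which is the behaviour to expect when a condition key is simply absent from the request.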

Examples

You can use RAM policies to grant permissions to users in different scenarios. For more information, see Common examples of RAM policies.