Object Storage Service (OSS) allows you to set access control lists (ACLs) for objects. This way, you can conveniently control access to your objects.

Object ACLs

The following table describes the ACLs that you can configure for an object.

| ACL | Description | Value |
| --- | --- | --- |
| Inherited from the bucket | The ACL of the object is the same as the ACL of the bucket in which the object is stored. | default |
| Private | Only the object owner and authorized users are granted the read and write permissions on the object. | private |
| Public read | Only the object owner and authorized users are granted the read and write permissions on the object. Other users are granted only the read permissions on the object. Exercise caution when you set the ACL of the object to this value. | public-read |
| Public read/write | All users are granted the read and write permissions on the object. Exercise caution when you set the ACL of the object to this value. | public-read-write |

Examples

By default, after you upload an object, the ACL of the object is the same as that of the bucket in which the object is stored (Inherited from the bucket). After you upload an object, you can use putACL to set the ACL for the object.

const OSS = require('ali-oss');

const client = new OSS({
  // Specify the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the region to oss-cn-hangzhou.
  region: 'yourRegion',
  // Specify the temporary AccessKey pair obtained from Security Token Service (STS). The AccessKey pair consists of an AccessKey ID and an AccessKey secret.
  accessKeyId: 'yourAccessKeyId',
  accessKeySecret: 'yourAccessKeySecret',
  // Specify the security token that STS issued together with the temporary AccessKey pair.
  stsToken: 'yourSecurityToken',
  // Specify the name of the bucket. Example: examplebucket.
  bucket: 'examplebucket'
});

async function getACL() {
  try {
    // Query the current ACL of the object.
    const before = await client.getACL('my-object');
    console.log(before.acl); // default

    // Change the ACL, then query it again to confirm the change.
    await client.putACL('my-object', 'public-read');
    const after = await client.getACL('my-object');
    console.log(after.acl); // public-read
  } catch (e) {
    console.log(e);
  }
}

getACL();
Notice
  • If you do not set an ACL for an object when you upload the object, the ACL of the object is the same as that of the bucket where the object is stored.
  • If the ACL of an object is not Default, the object ACL takes precedence over the bucket ACL when you access the object.
  • If the ACL of an object is Public Read or Public Read/Write, you can access the object by entering the object URL in a browser. Example: http://bucket-name.oss-cn-hangzhou.aliyuncs.com/object.jpg.
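
The inheritance and precedence rules in the notice above can be turned into an audit that reports every object reachable by URL. This is an added example, not Alibaba Cloud sample code: effectiveAcl, auditPublicObjects and makeStubClient are hypothetical names, the client is assumed to be an ali-oss client of which only getBucketACL(), list() and getACL() are called, and the sample data is constructed so the block runs offline.

```javascript
// Added example, not Alibaba Cloud sample code. Function names are hypothetical;
// `client` is assumed to expose ali-oss getBucketACL(), list() and getACL().
const PUBLIC_ACLS = new Set(['public-read', 'public-read-write']);

// An object ACL of 'default' inherits the bucket ACL; any other value wins.
function effectiveAcl(objectAcl, bucketAcl) {
  return objectAcl === 'default' ? bucketAcl : objectAcl;
}

// Returns one finding per object whose effective ACL is public.
async function auditPublicObjects(client, bucketName, pageSize = 100) {
  const bucketAcl = (await client.getBucketACL(bucketName)).acl;
  const findings = [];
  let marker;
  do {
    const query = { 'max-keys': pageSize };
    if (marker) query.marker = marker;
    const page = await client.list(query);
    for (const obj of page.objects || []) {
      const objectAcl = (await client.getACL(obj.name)).acl;
      const acl = effectiveAcl(objectAcl, bucketAcl);
      if (PUBLIC_ACLS.has(acl)) {
        findings.push({ name: obj.name, objectAcl, effectiveAcl: acl,
                        inherited: objectAcl === 'default' });
      }
    }
    marker = page.isTruncated ? page.nextMarker : undefined;
  } while (marker);
  return findings;
}

// Constructed in-memory stand-in for the client so the audit runs offline.
function makeStubClient(bucketAcl, objectAcls) {
  const names = Object.keys(objectAcls).sort();
  return {
    getBucketACL: async () => ({ acl: bucketAcl }),
    getACL: async (name) => ({ acl: objectAcls[name] }),
    list: async ({ marker, 'max-keys': max }) => {
      const rest = names.filter((n) => !marker || n > marker);
      const isTruncated = rest.length > max;
      const objects = rest.slice(0, max).map((name) => ({ name }));
      const nextMarker = isTruncated ? objects[objects.length - 1].name : null;
      return { objects, isTruncated, nextMarker };
    },
  };
}

// Constructed sample data: a private bucket with one object made public by ACL.
const sample = makeStubClient('private', { 'backup.sql': 'default', 'logo.png': 'public-read' });
auditPublicObjects(sample, 'examplebucket').then((found) => console.log(found));
```

Against a real bucket, pass the client created in the sample above instead of the stub. Findings with inherited set to true are fixed at the bucket level; the others need putACL on the object itself.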

References

  • For more information about the complete sample code that is used to manage the ACL of an object, visit GitHub.
  • For more information about the API operation that you can call to configure the ACL of an object, see PutObjectACL.
  • For more information about the API operation that you can call to query the ACL of an object, see GetObjectACL.