By default, access to Object Storage Service (OSS) resources is restricted to the owner. To allow a RAM user of another Alibaba Cloud account to access your OSS resources, you can grant the RAM user the permissions to access your bucket by adding a bucket policy.
Background information
Example: Company A wants to authorize Company B to access the OSS resources of Company A. However, Company A does not want to provide Company B with the credentials of a RAM user. In this case, Company A can authorize Company B to access the OSS resources of Company A by adding a bucket policy. After Company A adds a bucket policy that authorizes Company B to access their bucket, Company B can access the OSS bucket of Company A by adding the path of the bucket in the OSS console.
Add a bucket policy
Company A can perform the following steps to authorize Company B to access the bucket by adding a bucket policy:
- Obtain the UID of the RAM user of the Alibaba Cloud account of Company B.
  - Log on to the RAM console.
  - In the left-side navigation pane, choose .
  - On the Users page, click Create User.
  - On the Create User page, configure the Logon Name and Display Name parameters in the User Account Information section, select Console Access in the Access Mode section, and then click OK.
  - On the User page, click the username of the RAM user to view and record the UID of the RAM user in the User Information section.
- The Alibaba Cloud account of Company A grants the RAM user of the Alibaba Cloud account of Company B the permissions to access authorized resources.
  - Log on to the OSS console.
  - In the left-side navigation pane, click Buckets. On the Buckets page, click the name of the desired bucket.
  - In the left-side navigation tree, choose .
  - On the page that appears, click Add in GUI and click Authorize.
  - In the Authorize panel, configure the parameters. Set Accounts to Other Accounts, and enter the UID of the RAM user of Company B. For more information about how to configure other parameters, see Configure bucket policies to authorize other users to access OSS resources.
  - Click OK.
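The grant configured in the Authorize panel is stored as a bucket policy document. The following added example (not part of the original page) builds such a policy for a single RAM user UID and audits any policy for grants broader than intended. It assumes the OSS bucket policy JSON syntax; the account ID, UID, bucket name, and read-only action list are constructed placeholders.

```python
import json

# Constructed placeholders for illustration; none of these values come from the page.
OWNER_ACCOUNT_ID = "1000000000000001"  # Company A's account ID
GRANTEE_RAM_UID = "2000000000000002"   # UID of Company B's RAM user
BUCKET = "examplebucket"               # hypothetical bucket name


def build_policy(owner_id, grantee_uid, bucket):
    """Read-only grant to exactly one RAM user UID (action list is an assumption)."""
    base = f"acs:oss:*:{owner_id}:{bucket}"
    return {"Version": "1", "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:GetObject", "oss:ListObjects"],
        "Principal": [grantee_uid],
        "Resource": [base, base + "/*"],
    }]}


def _as_list(value):
    # Policy fields may be written as a single string or as a list.
    return [value] if isinstance(value, str) else list(value or [])


def audit_policy(policy, expected_principals):
    """Return (statement index, finding) pairs for Allow statements that are too broad."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principals = _as_list(st.get("Principal"))
        if "*" in principals:
            findings.append((i, "principal is '*': any account can use this grant"))
        for uid in sorted(set(principals) - set(expected_principals) - {"*"}):
            findings.append((i, f"unexpected principal {uid}"))
        if any(a in ("*", "oss:*") for a in _as_list(st.get("Action"))):
            findings.append((i, "wildcard action: grant is not limited to read access"))
    return findings


if __name__ == "__main__":
    policy = build_policy(OWNER_ACCOUNT_ID, GRANTEE_RAM_UID, BUCKET)
    print(json.dumps(policy, indent=2))
    print(audit_policy(policy, [GRANTEE_RAM_UID]))
```

Running the audit against the policy exported from the bucket, with the UID recorded in the first step as the only expected principal, shows whether the grant still matches what Company A intended.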
Log on to the OSS console as the RAM user of Company B and add the access path
After the bucket policy is added, you must log on to the OSS console as the RAM user of Company B and add the access path of the bucket of Company A. To add the access path, perform the following steps:
You can also obtain an AccessKey pair for the RAM user and log on to ossutil or ossbrowser by using the AccessKey pair to access the authorized bucket.