By default, access to OSS resources is restricted to the owner. To authorize another user to access your OSS resources, you can grant permissions for the user to access your bucket by adding a bucket policy.
Background information
Example: Company A wants to authorize Company B to access their OSS resources. However, Company A does not want to provide Company B with a RAM user. In this case, Company A can allow Company B to access their bucket by adding a bucket policy. After Company A adds a bucket policy that authorizes Company B to access their bucket, Company B can access the OSS bucket owned by Company A by adding the path of the bucket in the OSS console.
Add the bucket policy
- Use the Alibaba Cloud account of Company B to perform the following steps:
  - Log on to the RAM console to create a RAM user (herein referred to as RAM User B).
    For more information about how to create a RAM user, see Create a RAM user.
  - In the left-side navigation pane, click Users.
  - Click the username of the created RAM user to view and record the UID of the RAM user.
- Use the Alibaba Cloud account of Company A to perform the following steps:
  - Log on to the OSS console.
  - Click Buckets, and then click the name of the target bucket.
  - Open the Authorize dialog box. Note: You can also click Configure in the Bucket Policy section to open it.
  - In the Authorize dialog box that appears, configure the required parameters. Set Accounts to Other Accounts, and enter the UID of RAM User B. For more information about other parameters, see Use bucket policies to authorize other users to access OSS resources.
  - Click OK.
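The grant configured in the steps above can also be written as a bucket policy document. The following is an added example, not code from the original page: it builds that document for a single grantee UID and audits a policy for grants broader than intended. The UIDs, the bucket name, and the read-only action set are constructed assumptions.

```python
import json

# Constructed placeholder values; substitute your own.
OWNER_UID = "1000000000000001"       # Company A account ID (constructed)
RAM_USER_B_UID = "2000000000000002"  # UID recorded for RAM User B (constructed)
BUCKET = "examplebucket"             # hypothetical bucket name
READ_ONLY = ("oss:GetObject", "oss:ListObjects")  # assumed grant; the page names none


def build_policy(owner_uid, bucket, grantee_uid, actions=READ_ONLY):
    """Policy document granting one UID the given actions on one bucket."""
    base = f"acs:oss:*:{owner_uid}:{bucket}"
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Principal": [grantee_uid],
            "Action": list(actions),
            "Resource": [base, f"{base}/*"],  # the bucket and its objects
        }],
    }


def as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])


def audit_policy(policy, expected_principals):
    """Return findings for Allow statements broader than the intended grant."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for principal in as_list(stmt.get("Principal")):
            if principal == "*":
                findings.append(f"statement {i}: principal '*' allows any user")
            elif principal not in expected_principals:
                findings.append(f"statement {i}: unexpected principal {principal}")
        for action in as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action}")
    return findings


if __name__ == "__main__":
    policy = build_policy(OWNER_UID, BUCKET, RAM_USER_B_UID)
    print(json.dumps(policy, indent=2))
    print(audit_policy(policy, {RAM_USER_B_UID}) or "no findings")
```

Running the audit against the policy exported from the bucket after clicking OK confirms that only the recorded UID of RAM User B was granted access.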
Log on to the OSS console as RAM User B and add the access path
After the bucket policy is added, you must log on to the OSS console as RAM User B and add the access path of the bucket of Company A. To add the access path, perform the following steps:
You can also create an AccessKey pair for the RAM user, and log on to ossutil or ossbrowser with the AccessKey pair to access the authorized bucket.