By default, access to Object Storage Service (OSS) resources is restricted to the owner. To allow a RAM user of another Alibaba Cloud account to access your OSS resources, you can grant the RAM user the permissions to access your bucket by adding a bucket policy.

Background information

Example: Company A wants to authorize Company B to access the OSS resources of Company A. However, Company A does not want to provide Company B with the credentials of a RAM user. In this case, Company A can authorize Company B to access the OSS resources of Company A by adding a bucket policy. After Company A adds a bucket policy that authorizes Company B to access their bucket, Company B can access the OSS bucket of Company A by adding the path of the bucket in the OSS console.

Add a bucket policy

Company A can perform the following steps to authorize Company B to access the bucket by adding a bucket policy:

  1. Obtain the UID of the RAM user of the Alibaba Cloud account of Company B.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Identities > Users.
    3. On the Users page, click Create User.
    4. On the Create User page, configure the Logon Name and Display Name parameters in the User Account Information section, select Console Access in the Access Mode section, and then click OK.
    5. On the User page, click the username of the RAM user to view and record the UID of the RAM user in the User Information section.
  2. The Alibaba Cloud account of Company A grants the RAM user of the Alibaba Cloud account of Company B the permissions to access authorized resources.
    1. Log on to the OSS console.
    2. In the left-side navigation pane, click Buckets. On the Buckets page, click the name of the desired bucket.
    3. In the left-side navigation tree, choose Permission Control > Bucket Policy.
    4. On the page that appears, click Add in GUI and click Authorize.
    5. In the Authorize panel, configure the parameters. Set Accounts to Other Accounts, and enter the UID of the RAM user of Company B. For more information about how to configure other parameters, see Configure bucket policies to authorize other users to access OSS resources.
    6. Click OK.
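
The same kind of grant expressed in OSS bucket policy JSON syntax, with a check that flags over-broad cross-account statements before a policy is applied. This is an added example, not code from Alibaba Cloud. It assumes read-only access to the examplebucket/examplefolder/ path used later on this page; the UIDs are constructed placeholders and the function names are hypothetical.

```python
import json

# Constructed placeholder UIDs (assumptions, not real accounts).
OWNER_UID = "1000000000000001"    # Alibaba Cloud account of Company A
GRANTEE_UID = "2000000000000002"  # RAM user of Company B

def _as_list(value):
    return value if isinstance(value, list) else [value]

def build_policy(owner_uid, grantee_uid, bucket, prefix):
    """Read-only grant on one prefix for a single RAM user of another account."""
    base = f"acs:oss:*:{owner_uid}:{bucket}"
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": ["oss:GetObject"],  # object reads under the prefix
             "Principal": [grantee_uid], "Resource": [f"{base}/{prefix}*"]},
            # ListObjects is a bucket-level action, so it is narrowed with oss:Prefix.
            {"Effect": "Allow", "Action": ["oss:ListObjects"],
             "Principal": [grantee_uid], "Resource": [base],
             "Condition": {"StringLike": {"oss:Prefix": [f"{prefix}*"]}}},
        ],
    }

def audit_policy(policy, owner_uid, bucket):
    """Return (statement index, finding) pairs for over-broad Allow statements."""
    base = f"acs:oss:*:{owner_uid}:{bucket}"
    whole_bucket = {base, f"{base}/*"}
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "*" in _as_list(st.get("Principal", [])):
            findings.append((i, "principal is *: every account, including anonymous"))
        if any(a in ("*", "oss:*") for a in _as_list(st.get("Action", []))):
            findings.append((i, "wildcard action: covers write, delete and policy changes"))
        if whole_bucket & set(_as_list(st.get("Resource", []))) and "Condition" not in st:
            findings.append((i, "whole bucket in scope with no condition"))
    return findings

if __name__ == "__main__":
    scoped = build_policy(OWNER_UID, GRANTEE_UID, "examplebucket", "examplefolder/")
    print(json.dumps(scoped, indent=2))
    # Constructed over-broad policy to show what the audit reports.
    broad = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": ["oss:*"],
             "Principal": ["*"], "Resource": [f"acs:oss:*:{OWNER_UID}:examplebucket/*"]}]}
    for finding in audit_policy(broad, OWNER_UID, "examplebucket"):
        print(finding)
```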

Log on to the OSS console as the RAM user of Company B and add the access path

After the bucket policy is added, you must log on to the OSS console as the RAM user of Company B and add the access path of the bucket of Company A. To add the access path, perform the following steps:

  1. Log on to the OSS console as the RAM user of Company B by using the RAM User logon link.
  2. Log on to the OSS console.
  3. In the left-side navigation pane, click the plus sign (+) on the right of Favorite Paths.
  4. In the Add Favorite Paths dialog box, configure the parameters. The following table describes the parameters.
    | Parameter | Description |
    | --- | --- |
    | Adding Method | Select Add from other authorized buckets and add an authorized bucket that belongs to the current Alibaba Cloud account to the favorite path. |
    | Region | Select the region of the bucket of Company A from the drop-down list. |
    | File Path | Specify the path of the objects in the bucket of Company A that you are authorized to access. For example, if you are authorized to access only objects or subdirectories in the examplefolder directory of a bucket named examplebucket that belongs to Company A, enter oss://examplebucket/examplefolder/. |
    | Pay-by-requester | If pay-by-requester is enabled for the bucket that you are authorized to access, and you are not the owner of the bucket, select I understand and agree. Otherwise, the AccessDenied error is returned when you access the resources specified by Favorite Paths. If you select Pay-by-requester, you are charged for the traffic and requests that are generated when you access the resources specified by Favorite Paths. |

    For more information, see Pay-by-requester.

  5. Click OK.

You can also obtain an AccessKey pair for the RAM user and log on to ossutil or ossbrowser by using the AccessKey pair to access the authorized bucket.