This topic describes how to use bucket policies to securely share data across departments or project teams by allowing some users to only download data and preventing them from writing or deleting data in Object Storage Service (OSS).
Background information
In this example, Department A wants to store data in a bucket named example-bucket and allows users in Department B to download the shared data. This example shows how to follow the principle of least privilege to control access to shared data. The following figure shows the expected permissions of the administrators and users in Department A and Department B to access the example-bucket bucket.
Procedure
In this example, the administrator of Department A can use the following steps to configure bucket policies that grant different access permissions on the bucket.
The administrator of Department A creates a bucket named example-bucket to store shared data.
Step 2: Grant permissions to upload shared data
The administrator of Department A configures a bucket policy for example-bucket to allow users in Department A to upload shared data to the bucket.
Step 3: Grant permissions to download but not write or delete shared data
The administrator of Department A configures a bucket policy for example-bucket to allow users in Department B to download but not write or delete shared data.
Perform the following steps to upload data to example-bucket as a user of Department A:
Verify the permissions of the users in Department B to ensure that they can only download but cannot write or delete shared data.
Prerequisites
RAM users for the administrators and users in Department A and Department B are created within the Alibaba Cloud account of the enterprise.
For more information, see Create a RAM user.
The UIDs of the RAM users are obtained. For more information about how to view the basic information about a RAM user such as the UID, see View the information about a RAM user.
Appropriate permissions are granted to the RAM users.
In this example, the administrator of Department A needs to create buckets and configure bucket policies. Therefore, the AliyunOSSFullAccess policy must be attached to the RAM user group of the administrator. For more information, see Grant permissions to RAM users.
Step 1: Create a bucket
Perform the following steps to create a bucket in the China (Hangzhou) region as the administrator of Department A:
Log on to the OSS console as the RAM user of the administrator of Department A.
In the left-side navigation pane, click Buckets. On the Buckets page, click Create Bucket.
In the Create Bucket panel, configure the required parameters.
In this example, the Bucket Name parameter is set to example-bucket. For more information about how to configure parameters to create a bucket, see Create buckets.
Click OK.
Step 2: Grant permissions to upload shared data
Perform the following steps to grant users in Department A permissions to upload data to example-bucket as the administrator of Department A:
Click example-bucket created in Step 1.
In the left-side navigation tree, choose .
On the Add in GUI tab of the page that appears, click Authorize.
In the Authorize panel, configure the following parameters and retain the default settings for other parameters.
Parameter
Description
Applied To
Select Whole Bucket to apply the policy to the whole bucket.
Authorized User
Select RAM User.
From the RAM user drop-down list, select a RAM user to which you want to grant the permissions to upload data to the bucket. You can also enter a username or keyword in the search box to search for specific RAM users. Fuzzy match is supported.
Authorized Operation
Select Basic Settings and click Read/Write.
This option indicates that authorized users can perform read and write operations on the bucket.
Click OK.
Users in Department A are granted permissions to upload data to the bucket.
Step 3: Grant permissions to download but not write or delete shared data
Perform the following steps to grant users in Department B permissions to download shared data from example-bucket as the administrator of Department A:
Click example-bucket created in Step 1.
In the left-side navigation tree, choose .
On the Add in GUI tab of the page that appears, click Authorize.
In the Authorize panel, configure the following parameters and retain the default settings for other parameters.
Parameter
Description
Applied To
Select Whole Bucket to apply the policy to the whole bucket.
Authorized User
Select Other Accounts. Enter the UIDs of the RAM users to which you want to grant permissions to download shared data.
Authorized Operation
Select Basic Settings and click Read-only (including ListObject).
This option indicates that authorized users can only view, list, and download data but cannot write or delete data stored in example-bucket.
Click OK.
Users in Department B are granted permissions to download data from the bucket. They are not allowed to write data to the bucket or delete data from the bucket.
Step 4: Upload data to the bucket
Perform the following steps to upload data to example-bucket as a user of Department A:
Log on to the OSS console as a RAM user in Department A.
Open the object upload page at
https://oss.console.aliyun.com/bucket/hangzhou/example-bucket/object/upload.On the Upload page, configure parameters to upload data.
Select Current Directory for Upload To. For more information about how to configure the ACL and how to upload an object, see Upload objects.
On the Upload Tasks tab of the Task List panel, check the task progress. After the upload is complete, close the panel.
The data is uploaded to example-bucket.
Step 5: Verify permissions
Perform the following steps in the OSS console to verify that users in Department B can download but cannot write or delete shared data:
Log on to the OSS console as a RAM user in Department B.
Open the Objects page at
https://oss.console.aliyun.com/bucket/hangzhou/example-bucket/object.On the Objects page, perform the following permission checks:
Verify download permissions of users in Department B on shared data.
Find an object in the example-bucket bucket and choose
> Download in the Actions column. If the object cannot be downloaded, the download permissions are incorrectly configured.
If the object is downloaded, the download permissions are correctly configured.
Verify upload permissions of users in Department B on shared data.
Follow Step 4 to upload data to example-bucket.
If the upload operation fails, the intended upload permissions are correctly configured.
If the upload operation is successful, the intended upload permissions are incorrectly configured.
Verify deletion permissions of users in Department B on shared data.
Find an object in the example-bucket bucket and choose
> Delete. If the delete operation fails, the intended delete permissions are correctly configured.
If the delete operation is successful, the intended delete permissions are incorrectly configured.