Tutorial: Use RAM policies to control access to OSS - User Guide| Alibaba Cloud Documentation Center

Background information

RAM policies are configured based on users. You can manage users by configuring RAM policies. For users such as employees, systems, or applications, you can control which resources are accessible. For example, you can create a RAM policy to grant users only read permissions on a bucket.

RAM policies are in the JSON format. A RAM policy includes the following fields:

Statement: the authorization statement. A RAM policy can include multiple authorization statements.
Effect: the effect of the policy. Valid values: Allow and Deny.

Note If a RAM policy includes an Allow statement and a Deny statement at the same time, the Deny statement takes precedence over the Allow statement.
Action: the authorized actions on resources.

If you use RAM policies, we recommend that you use RAM Policy Editor to generate RAM policies. For more information, see RAM Policy Editor.

Compared with RAM policies, bucket policies can be configured in the OSS console. A bucket owner can grant other users permissions to access OSS resources. For more information, see Configure bucket policies to authorize other users to access OSS resources.

Buckets and directories

Alibaba Cloud OSS uses a flat data model structure instead of a hierarchical one. All objects are stored in buckets. Therefore, OSS does not have directories and subdirectories that are used in hierarchical file systems. However, you can simulate a directory hierarchy in the OSS console to group, classify, and manage objects. The following figure shows some sample directories in the OSS console. ram

OSS is a distributed object storage service in which objects are identified as key-value pairs. You can retrieve the content of an object based on the object name. For example, an object named oss-dg.pdf and the following three directories are stored in a bucket named examplebucket: Development, Marketing, and Private.

When you create the Development directory, the OSS console creates an object whose key is Development/. A forward slash (/) is included in the key as a delimiter.
When you upload an object named ProjectA.docx to the Development directory, the OSS console uploads the object and sets its key to Development/ProjectA.docx.
In the key, Development is the prefix and the forward slash (/) is the delimiter. You can retrieve a list of all objects that share a common prefix and delimiter in the bucket. In the console, if you click the Development directory, the objects in the directory are listed. The following figure shows the objects in the Development directory.

Note To list objects in the Development directory of the examplebucket bucket, the console sends a request to OSS to list objects whose names include the specified prefix Development and a forward slash (/) as the delimiter. In the preceding example, three objects with the following keys are stored in the examplebucket bucket: Development/Alibaba Cloud.pdf, Development/ProjectA.docx, and Development/ProjectB.docx.

Before you start this tutorial, you must understand the concept of root-level bucket content. Assume that the examplebucket bucket contains the following objects:

Development/Alibaba Cloud.pdf
Development/ProjectA.docx
Development/ProjectB.docx
Marketing/data2020.xlsx
Marketing/data2021.xlsx
Private/2017/images.zip
Private/2017/promote.pptx
oss-dg.pdf

The keys of these objects determine a logical hierarchy with Development, Marketing, and Private as root-level directories and oss-dg.pdf as a root-level object. When you click the bucket name in the OSS console, the common prefix and delimiter shared by multiple objects (Development/, Marketing/, and Private/) are displayed as root-level directories. The oss-dg.pdf object does not have a prefix. Therefore, it is displayed as a root-level object.

Requests and responses

Before you grant permissions to RAM users, you must understand how the OSS console interacts with OSS when you click a bucket name in the console.

Send a request to access a bucket

When you click the examplebucket bucket in the OSS console, the console sends a GetBucket (ListObjects) request to OSS.

Sample request

GET /?prefix=&delimiter=/ HTTP/1.1
Host: examplebucket.oss-cn-hangzhou.aliyuncs.com
Date: Fri, 24 Feb 2012 08:43:27 GMT
Authorization: OSS qn6qrrqxo2oawuk53otf****:DNrnx7xHk3sgysx7I8U9I9IY****

In the preceding request, the value of the prefix parameter is empty and the value of the delimiter parameter is a forward slash (/).

Sample response

HTTP/1.1 200 OK
x-oss-request-id: 534B371674E88A4D8906****
Date: Fri, 7 Aug 2020 08:43:27 GMT
Content-Type: application/xml
Content-Length: 712
Connection: keep-alive
Server: AliyunOSS
<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns=¡±http://doc.oss-cn-hangzhou.aliyuncs.com¡±>
<Name>examplebucket</Name>
<Prefix></Prefix>
<Marker></Marker>
<MaxKeys>100</MaxKeys>
<Delimiter>/</Delimiter>
    <IsTruncated>false</IsTruncated>
    <Contents>
        <Key>oss-dg.pdf</Key>
        ...
    </Contents>
   <CommonPrefixes>
        <Prefix>Development</Prefix>
   </CommonPrefixes>
      <CommonPrefixes>
        <Prefix>Marketing</Prefix>
   </CommonPrefixes>
      <CommonPrefixes>
        <Prefix>Private</Prefix>
   </CommonPrefixes>
</ListBucketResult>

Response parsing
The console parses the response returned by OSS and displays the root-level objects and directories in the bucket.

Send a request to access a directory stored in the bucket

When you click the Development/ directory of the examplebucket bucket in the console, the console sends a GetBucket (ListObjects) request to OSS. The request includes the prefix and delimiter parameters.

Sample request

GET /?prefix=Development/&delimiter=/ HTTP/1.1
Host: examplebucket.oss-cn-hangzhou.aliyuncs.com
Date: Fri, 24 Feb 2012 08:43:27 GMT
Authorization: OSS qn6qrrqxo2oawuk53otf****:DNrnx7xHk3sgysx7I8U9I9IY****

In the preceding request, the value of the prefix parameter is Development/ and the value of the delimiter parameter is a forward slash (/).

Sample response

In the response, OSS returns objects whose keys include the specified prefix.

HTTP/1.1 200 OK
x-oss-request-id: 534B371674E88A4D8906****
Date: Fri, 7 Aug 2020 08:43:27 GMT
Content-Type: application/xml
Content-Length: 712
Connection: keep-alive
Server: AliyunOSS
<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns=¡±http://doc.oss-cn-hangzhou.aliyuncs.com¡±>
<Name>examplebucket</Name>
<Prefix>Development/</Prefix>
<Marker></Marker>
<MaxKeys>100</MaxKeys>
<Delimiter>/</Delimiter>
    <IsTruncated>false</IsTruncated>
    <Contents>
        <Key>ProjectA.docx</Key>
        ...
    </Contents>
    <Contents>
        <Key>ProjectB.docx</Key>
        ...
    </Contents>
    <Contents>
        <Key>Alibaba Cloud.pdf</Key>
        ...
    </Contents>
</ListBucketResult>

Response parsing
The console parses the response returned by OSS and displays the objects in the Development/ directory.

Scenarios

Assume that you are the owner of the examplebucket bucket, and the access control list (ACL) of every object and directory in the bucket is private by default. You want to grant read and write permissions on the Development directory stored in the bucket and its subdirectories and objects to RAM user Anne, read-only permissions on the Marketing directory and its subdirectories and objects to RAM user Leo. In addition, you want to prevent all RAM users within the current Alibaba Cloud account from accessing the Private directory.

Step 1: Create a bucket and upload objects to the bucket.

Create a bucket named examplebucket.
1. Log on to the OSS console by using your Alibaba Cloud account.
2. Create a bucket named examplebucket. For more information, see Create buckets.
Create the following directories in the bucket: Development, Marketing, and Private. For more information, see Create directories.
Upload objects to specified paths based on the following requirements:
- Upload the oss-dg.pdf object to the root directory of the examplebucket bucket.
- Upload the Alibaba Cloud.pdf, ProjectA.docx, and ProjectB.docx objects to the Development directory.
- Upload the data2020.xlsx and data2021.xlsx objects to the Marketing directory.
- Upload the images.zip and promote.pptx objects to the Private directory.
For more information, see Upload objects.

Step 2: Create RAM users Anne and Leo.

Create RAM users Anne and Leo by using the RAM console. For more information about how to create a RAM user, see Create a RAM user.

Step 3: Grant read and write permissions on the Development directory to RAM user Anne.

Create a custom policy named AllowAnneToReadAndWriteFolderDevelopment and grant RAM user Anne read and write permissions on the Development directory and all objects stored in it.

In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.

On the Create Custom Policy page, click JSON, and then configure the policy content based on the following configurations. Then, click Next Step. On the page that appears, set Name to AllowAnneToReadAndWriteFolderDevelopment.

{
    "Version":"1",
    "Statement":[
        {
            "Effect":"Allow",
            "Action":[
                "oss:ListObjects"
            ],
            "Resource":[
                "acs:oss:*:*:examplebucket"
            ],
            "Condition":{
                "StringLike":{
                    "oss:Prefix":[
                        "Development",
                        "Development/*"
                    ]
                }
            }
        },
        {
            "Effect":"Allow",
            "Action":[
                "oss:GetObject",
                "oss:PutObject",
                "oss:GetObjectAcl"
            ],
            "Resource":[
                "acs:oss:*:*:examplebucket/Development/*"
            ]
        }
    ]
}

Click OK.

Attach the AllowAnneToReadAndWriteFolderDevelopment policy to RAM user Anne. For more information, see Grant permissions to a RAM user.

Step 4: Grant RAM user Leo read-only permissions on the Marketing directory.

Refer to Step 3 to create a custom policy named AllowLeoToReadAndWriteFolderMarketing and grant RAM user Leo read-only permissions on the Marketing directory and all objects stored in it. The policy content contains the following configurations:

{
    "Version":"1",
    "Statement":[
        {
            "Effect":"Allow",
            "Action":[
                "oss:ListObjects"
            ],
            "Resource":[
                "acs:oss:*:*:examplebucket"
            ],
            "Condition":{
                "StringLike":{
                    "oss:Prefix":[
                        "Marketing",
                        "Marketing/*"
                    ]
                }
            }
        },
        {
            "Effect":"Allow",
            "Action":[
                "oss:GetObject",
                "oss:GetObjectAcl"
            ],
            "Resource":[
                "acs:oss:*:*:examplebucket/Marketing/*"
            ]
        }
    ]
}

Step 5: Deny all RAM users within the current Alibaba Cloud account access to the Private directory.

Create a user group and add members to it.
For more information about how to create a user group, see Create a user group. After you create the user group, add all RAM users within the current Alibaba Cloud account to the group. For more information, see Add a RAM user to a RAM user group.

Create a custom policy named DenyAllRamToAccessFolderPrivate and deny all RAM users within the current Alibaba Cloud account access to the Private directory.

In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.

On the Create Custom Policy page, click JSON, and then configure the policy content based on the following configurations. Then, click Next Step. On the page that appears, set Policy Name to DenyAllRamToAccessFolderPrivate.

{
    "Version":"1",
    "Statement":[
        {
            "Effect":"Deny",
            "Action":[
                "oss:*"
            ],
            "Resource":[
                "acs:oss:*:*:examplebucket/Private/*"
            ],
            "Condition":{

            }
        },
        {
            "Effect":"Deny",
            "Action":[
                "oss:ListObjects"
            ],
            "Resource":[
                "acs:oss:*:*:*"
            ],
            "Condition":{
                "StringLike":{
                    "oss:Prefix":[
                        "Private/",
                        "Private/*"
                    ]
                }
            }
        }
    ]
}

Click OK.

Attach the DenyAllRamToAccessFolderPrivate policy to the user group. For more information, see Grant permissions to a RAM user group.
After you attach the policy to the user group, the RAM users in the group cannot access the Private directory of the examplebucket bucket. In addition, when the RAM users send a request to list the Private/2017/images.zip and Private/2017/promote.pptx objects in the Private directory, OSS returns an error response.