This tutorial shows how to use Resource Access Management (RAM) policies to control access to Object Storage Service (OSS) buckets, directories, and objects in the directories.
Background information
RAM policies are authorization policies that are attached to RAM users. You configure them to control what users, such as employees, systems, or applications, are allowed to do, and on which resources. For example, you can create a RAM policy that grants a user only read permissions on a bucket.
RAM policies are in the JSON format. A RAM policy includes the following fields:
- Statement: the authorization statements. A RAM policy can include multiple statements, and each statement has its own Effect, Action, Resource, and optional Condition.
- Effect: the effect of the statement. Valid values: Allow and Deny.
Note: If the RAM policies that apply to a user include an Allow statement and a Deny statement that both match a request, the Deny statement takes precedence over the Allow statement. A request that matches no statement at all is denied.
- Action: the API operations that the statement covers, such as oss:ListObjects or oss:GetObject.
- Resource: the OSS resources that the statement covers, specified as Alibaba Cloud Resource Names (ARNs) such as acs:oss:*:*:examplebucket for a bucket or acs:oss:*:*:examplebucket/Marketing/* for the objects under a prefix.
- Condition: optional conditions under which the statement applies, such as a StringLike match on the oss:Prefix parameter of a ListObjects request.
We recommend that you use RAM Policy Editor to generate RAM policies. For more information, see RAM Policy Editor.
Unlike RAM policies, bucket policies are configured in the OSS console, where a bucket owner can grant other users permissions to access OSS resources. For more information, see Configure bucket policies to authorize other users to access OSS resources.
Buckets and directories

OSS is a distributed object storage service in which objects are stored as key-value pairs. You retrieve the content of an object by its key, which is the object name. For example, an object named oss-dg.pdf and the following directories are stored in a bucket named examplebucket: Development, Marketing, and Private.
- When you create the Development directory in the OSS console, an object whose key is Development/ is created. The forward slash (/) at the end of the key is the delimiter.
- When you upload an object named ProjectA.docx to the Development directory in the OSS console, the key of the object is set to Development/ProjectA.docx. In this key, Development is the prefix and the forward slash (/) is the delimiter. You can list all objects in a bucket that share a common prefix and delimiter. In the OSS console, if you click the Development directory, the objects in the directory are listed. The following figure shows the objects in the Development directory.
Note: To list the objects in the Development directory of the examplebucket bucket, the OSS console sends a request to OSS that lists the objects whose keys start with the prefix Development/ and groups them by the forward slash (/) delimiter. In the preceding example, three objects with the following keys are stored in the examplebucket bucket: Development/Alibaba Cloud.pdf, Development/ProjectA.docx, and Development/ProjectB.docx.
Before you start this tutorial, you must understand the concept of root-level bucket content. For example, the examplebucket bucket contains the following objects:
- Development/Alibaba Cloud.pdf
- Development/ProjectA.docx
- Development/ProjectB.docx
- Marketing/data2020.xlsx
- Marketing/data2021.xlsx
- Private/2017/images.zip
- Private/2017/promote.pptx
- oss-dg.pdf
The keys of these objects determine a logical hierarchy that has the Development, Marketing, and Private directories as root-level directories and oss-dg.pdf as a root-level object. If you click the bucket name in the OSS console, the common prefix and delimiter that are shared by multiple objects, such as Development/, Marketing/, and Private/, are displayed as root-level directories. The oss-dg.pdf object does not have a prefix. The object is displayed as a root-level object.

Requests and responses
Before you grant permissions to RAM users, you must understand how the OSS console interacts with OSS when you click a bucket name or a directory in the OSS console.
- Send a request to access a bucket
When you click the examplebucket bucket in the OSS console, the OSS console sends a GetBucket (ListObjects) request to OSS.
- Sample request
GET /?prefix=&delimiter=/ HTTP/1.1
Host: examplebucket.oss-cn-hangzhou.aliyuncs.com
Date: Fri, 24 Feb 2012 08:43:27 GMT
Authorization: OSS qn6qrrqxo2oawuk53otf****:DNrnx7xHk3sgysx7I8U9I9IY****
In the preceding request, the value of the prefix parameter is empty and the value of the delimiter parameter is a forward slash (/).
- Sample response
HTTP/1.1 200 OK
x-oss-request-id: 534B371674E88A4D8906****
Date: Fri, 7 Aug 2020 08:43:27 GMT
Content-Type: application/xml
Content-Length: 712
Connection: keep-alive
Server: AliyunOSS

<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://doc.oss-cn-hangzhou.aliyuncs.com">
  <Name>examplebucket</Name>
  <Prefix></Prefix>
  <Marker></Marker>
  <MaxKeys>100</MaxKeys>
  <Delimiter>/</Delimiter>
  <IsTruncated>false</IsTruncated>
  <Contents>
    <Key>oss-dg.pdf</Key>
    ...
  </Contents>
  <CommonPrefixes>
    <Prefix>Development/</Prefix>
  </CommonPrefixes>
  <CommonPrefixes>
    <Prefix>Marketing/</Prefix>
  </CommonPrefixes>
  <CommonPrefixes>
    <Prefix>Private/</Prefix>
  </CommonPrefixes>
</ListBucketResult>
- Response parsing
The OSS console parses the response that is returned by OSS and displays the root-level objects (the Contents entries) and the root-level directories (the CommonPrefixes entries) in the bucket.
- Send a request to access a directory in the bucket
When you click the Development/ directory of the examplebucket bucket in the OSS console, the OSS console sends a GetBucket (ListObjects) request to OSS. The request includes the prefix and delimiter parameters.
- Sample request
GET /?prefix=Development/&delimiter=/ HTTP/1.1
Host: examplebucket.oss-cn-hangzhou.aliyuncs.com
Date: Fri, 24 Feb 2012 08:43:27 GMT
Authorization: OSS qn6qrrqxo2oawuk53otf****:DNrnx7xHk3sgysx7I8U9I9IY****
In the preceding request, the value of the prefix parameter is Development/ and the value of the delimiter parameter is a forward slash (/).
- Sample response
In the response, OSS returns the objects whose keys start with the specified prefix. Each Key is the full object key, not a name relative to the directory.
HTTP/1.1 200 OK
x-oss-request-id: 534B371674E88A4D8906****
Date: Fri, 7 Aug 2020 08:43:27 GMT
Content-Type: application/xml
Content-Length: 712
Connection: keep-alive
Server: AliyunOSS

<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://doc.oss-cn-hangzhou.aliyuncs.com">
  <Name>examplebucket</Name>
  <Prefix>Development/</Prefix>
  <Marker></Marker>
  <MaxKeys>100</MaxKeys>
  <Delimiter>/</Delimiter>
  <IsTruncated>false</IsTruncated>
  <Contents>
    <Key>Development/Alibaba Cloud.pdf</Key>
    ...
  </Contents>
  <Contents>
    <Key>Development/ProjectA.docx</Key>
    ...
  </Contents>
  <Contents>
    <Key>Development/ProjectB.docx</Key>
    ...
  </Contents>
</ListBucketResult>
- Response parsing
The OSS console parses the response that is returned by OSS and displays the objects in the Development/ directory.
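The prefix and delimiter mechanics above are easy to model. The following Python function is an added example, not OSS or console code: it runs the two console requests against an in-memory list of the eight example keys (constructed here) and reproduces the Contents and CommonPrefixes of both sample responses. It also covers two cases the tutorial only mentions in passing: the zero-byte Development/ object that the console creates for an empty directory, and a prefix given without a trailing slash.

```python
"""Added example: an in-memory model of the GetBucket (ListObjects) prefix/delimiter
grouping that the OSS console relies on. This is not OSS or console code; it only
shows how "directories" fall out of object keys."""

# The eight example keys from this tutorial, constructed here as an in-memory bucket.
EXAMPLEBUCKET_KEYS = [
    "Development/Alibaba Cloud.pdf",
    "Development/ProjectA.docx",
    "Development/ProjectB.docx",
    "Marketing/data2020.xlsx",
    "Marketing/data2021.xlsx",
    "Private/2017/images.zip",
    "Private/2017/promote.pptx",
    "oss-dg.pdf",
]


def list_objects(keys, prefix="", delimiter="/", max_keys=100):
    """Model of ListObjects with the prefix, delimiter and max-keys parameters.

    Keys are considered in lexicographic order, as OSS returns them. A key that does
    not start with `prefix` is skipped. If the remainder of the key after the prefix
    contains `delimiter`, the key is rolled up into one CommonPrefixes entry
    (prefix + remainder up to and including the first delimiter); otherwise the full
    key is returned in Contents. With an empty delimiter nothing is rolled up, so
    every matching key is listed. IsTruncated reports whether more than `max_keys`
    entries matched.
    """
    entries = []  # (kind, value) in key order, as they appear in the XML response
    for key in sorted(keys):
        if not key.startswith(prefix):
            continue
        remainder = key[len(prefix):]
        if delimiter and delimiter in remainder:
            entry = ("CommonPrefixes", prefix + remainder.split(delimiter, 1)[0] + delimiter)
            if entry in entries:  # many keys share one common prefix; report it once
                continue
        else:
            entry = ("Contents", key)
        entries.append(entry)
    truncated = len(entries) > max_keys
    entries = entries[:max_keys]
    return {
        "Prefix": prefix,
        "Delimiter": delimiter,
        "MaxKeys": max_keys,
        "IsTruncated": truncated,
        "Contents": [value for kind, value in entries if kind == "Contents"],
        "CommonPrefixes": [value for kind, value in entries if kind == "CommonPrefixes"],
    }


if __name__ == "__main__":
    # The two console requests described above.
    print(list_objects(EXAMPLEBUCKET_KEYS))                         # click the bucket name
    print(list_objects(EXAMPLEBUCKET_KEYS, prefix="Development/"))  # click Development/
    # An empty directory created in the console exists only as a zero-byte "Development/" object.
    print(list_objects(EXAMPLEBUCKET_KEYS + ["Development/"], prefix="Development/"))
```

Two details of this behaviour matter for the policies that follow. A request with prefix Marketing and no trailing slash is also answered with the Marketing/ common prefix, which is one reason a policy that targets a directory usually allows both the bare prefix and prefix/*. And a zero-byte Development/ placeholder object is listed as an ordinary Contents entry inside the directory, but at the bucket root it is folded into the Development/ common prefix and never appears as a root-level object.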
Scenarios
For example, you are the owner of the examplebucket bucket, and the access control list (ACL) of every object and directory in the bucket is private by default. You want to grant RAM user Anne read and write permissions on the Development directory in the bucket, including its subdirectories and objects. You want to grant RAM user Leo read-only permissions on the Marketing directory, including its subdirectories and objects. You also want to prevent all RAM users of the current Alibaba Cloud account from accessing the Private directory. Because a directory is only a key prefix, each of these permissions is expressed as a prefix condition on the ListObjects action plus a resource pattern that covers the objects under that prefix.
Step 1: Create a bucket and upload objects to the bucket.
Step 2: Create RAM users Anne and Leo.
Create RAM users Anne and Leo in the RAM console. For more information, see Create a RAM user.
Step 3: Grant RAM user Anne the read and write permissions on the Development directory.
- Attach the AllowAnneToReadAndWriteFolderDevelopment policy to RAM user Anne. For more information, see Grant permissions to a RAM user.
Step 4: Grant RAM user Leo the read-only permissions on the Marketing directory.
Create the following custom policy and attach it to RAM user Leo. For more information, see Grant permissions to a RAM user. The first statement lets Leo list only the keys under the Marketing prefix; the second lets him read those objects and their ACLs. No statement grants write actions or access to any other prefix, so such requests are denied.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects"
      ],
      "Resource": [
        "acs:oss:*:*:examplebucket"
      ],
      "Condition": {
        "StringLike": {
          "oss:Prefix": [
            "Marketing",
            "Marketing/*"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:GetObjectAcl"
      ],
      "Resource": [
        "acs:oss:*:*:examplebucket/Marketing/*"
      ]
    }
  ]
}
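The policy above, and the Deny-over-Allow rule from the Background section, can be checked offline with the following added example. It is a simplified Python model of RAM policy evaluation written for this tutorial, not the RAM engine or any Alibaba Cloud SDK: it models an explicit Deny beating any Allow, implicit denial of unmatched requests, the * and ? wildcards in Action and Resource, and StringEquals/StringLike conditions. Leo's policy is copied from Step 4; the DENY_PRIVATE and ALLOW_READ_WHOLE_BUCKET policies, the cn-hangzhou region, and the account ID 123456789012 are constructed for the example.

```python
"""Added example: a simplified model of RAM policy evaluation for this tutorial.
Not the RAM engine. It models only what the tutorial relies on: an explicit Deny beats
any Allow, a request that matches no statement is implicitly denied, '*' and '?'
wildcards in Action and Resource, and StringEquals / StringLike conditions."""
import json
import re

# Leo's read-only policy, copied from Step 4.
LEO_READ_ONLY_MARKETING = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": ["oss:ListObjects"],
     "Resource": ["acs:oss:*:*:examplebucket"],
     "Condition": {"StringLike": {"oss:Prefix": ["Marketing", "Marketing/*"]}}},
    {"Effect": "Allow", "Action": ["oss:GetObject", "oss:GetObjectAcl"],
     "Resource": ["acs:oss:*:*:examplebucket/Marketing/*"]}
  ]
}
""")

# Constructed for this example (the scenario asks for it, the page shows no body):
# an explicit Deny covering the Private directory, for its objects and for listings.
DENY_PRIVATE = {
    "Version": "1",
    "Statement": [
        {"Effect": "Deny", "Action": ["oss:*"],
         "Resource": ["acs:oss:*:*:examplebucket/Private/*"]},
        {"Effect": "Deny", "Action": ["oss:ListObjects"],
         "Resource": ["acs:oss:*:*:examplebucket"],
         "Condition": {"StringLike": {"oss:Prefix": ["Private", "Private/*"]}}},
    ],
}

# Constructed over-broad Allow, used only to show that the Deny still wins.
ALLOW_READ_WHOLE_BUCKET = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": ["oss:GetObject"],
                   "Resource": ["acs:oss:*:*:examplebucket/*"]}],
}

# Concrete ARNs for requests; the region and account ID are placeholders.
BUCKET_ARN = "acs:oss:cn-hangzhou:123456789012:examplebucket"


def object_arn(key):
    return f"{BUCKET_ARN}/{key}"


def wildcard_match(pattern, value):
    """'*' matches any run of characters (including '/'); '?' matches one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_holds(condition, context):
    """Every operator/key block must hold. A key that is absent from the request
    (a ListObjects call that sends no prefix parameter) makes the block fail."""
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            value = context.get(key)
            if value is None:
                return False
            if operator == "StringEquals":
                ok = value in _as_list(patterns)
            elif operator == "StringLike":
                ok = any(wildcard_match(p, value) for p in _as_list(patterns))
            else:
                raise NotImplementedError(f"condition operator {operator} is not modelled")
            if not ok:
                return False
    return True


def statement_applies(stmt, action, resource, context):
    return (any(wildcard_match(a, action) for a in _as_list(stmt["Action"]))
            and any(wildcard_match(r, resource) for r in _as_list(stmt["Resource"]))
            and condition_holds(stmt.get("Condition", {}), context))


def is_allowed(policies, action, resource, context=None):
    """Any matching Deny wins; otherwise any matching Allow permits; otherwise deny."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_applies(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


if __name__ == "__main__":
    leo = [LEO_READ_ONLY_MARKETING]
    print("root listing (empty prefix):", is_allowed(leo, "oss:ListObjects", BUCKET_ARN, {"oss:Prefix": ""}))
    print("Marketing/ listing:", is_allowed(leo, "oss:ListObjects", BUCKET_ARN, {"oss:Prefix": "Marketing/"}))
    print("read Marketing/data2020.xlsx:", is_allowed(leo, "oss:GetObject", object_arn("Marketing/data2020.xlsx")))
    print("write Marketing/new.xlsx:", is_allowed(leo, "oss:PutObject", object_arn("Marketing/new.xlsx")))
    both = [ALLOW_READ_WHOLE_BUCKET, DENY_PRIVATE]
    print("broad Allow + Deny, read Private/2017/images.zip:",
          is_allowed(both, "oss:GetObject", object_arn("Private/2017/images.zip")))
```

Running it shows the practical consequence of the prefix condition: in this model, the console's first request when Leo clicks the bucket name carries an empty prefix (see the sample request above), and neither Marketing nor Marketing/* matches an empty string, so that root-level listing is not allowed by the policy as written; only listings that carry the Marketing prefix succeed. Verify the same behaviour against the real console before relying on it. The last line shows why the scenario's Private restriction should be an explicit Deny rather than merely an absence of Allow: a later, broader Allow such as ALLOW_READ_WHOLE_BUCKET would otherwise expose Private/, but it cannot override the Deny.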