All Products
Search

This Product

    Object Storage Service:Bucket policy (Go SDK V1)

    Document Center

    Object Storage Service:Bucket policy (Go SDK V1)

    Last Updated:Nov 29, 2025

    A bucket policy is an authorization policy for Object Storage Service (OSS) buckets. You can use a bucket policy to grant or deny fine-grained access to specified OSS resources for authenticated visitors, such as Alibaba Cloud accounts, Resource Access Management (RAM) users, and RAM roles, or for anonymous visitors. For example, you can grant a RAM user that belongs to another Alibaba Cloud account read-only permissions on specified OSS resources.

    Usage notes

    • Before you configure a bucket policy, make sure that you understand this feature. For more information, see Bucket policy.

    • In this topic, the public endpoint of the China (Hangzhou) region is used. If you want to access OSS from other Alibaba Cloud services in the same region as OSS, use an internal endpoint. For more information about OSS regions and endpoints, see Regions and endpoints.

    • In this topic, access credentials are obtained from environment variables. For more information about how to configure access credentials, see Configure access credentials.

    • In this topic, an OSSClient instance is created by using an OSS endpoint. If you want to create an OSSClient instance by using custom domain names or Security Token Service (STS), see Configure OSSClient instances.

    • To set a bucket policy, you must have the oss:PutBucketPolicy permission. To get a bucket policy, you must have the oss:GetBucketPolicy permission. To delete a bucket policy, you must have the oss:DeleteBucketPolicy permission. For more information, see Attach a custom policy to a RAM user.

    Sample code

    Set a bucket policy

    The following code shows how to set a bucket policy:

    package main

import (
	"log"

	"github.com/aliyun/aliyun-oss-go-sdk/oss"
)

func main() {
	// Obtain access credentials from environment variables. Before you run this sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are set.
	provider, err := oss.NewEnvironmentVariableCredentialsProvider()
	if err != nil {
		log.Fatalf("Failed to create credentials provider: %v", err)
	}

	// Create an OSSClient instance.
	// Set yourEndpoint to the Endpoint of the bucket. For example, for a bucket in the China (Hangzhou) region, set the Endpoint to https://oss-cn-hangzhou.aliyuncs.com. For other regions, set the Endpoint as needed.
	// Set yourRegion to the region where the bucket is located. For example, for a bucket in the China (Hangzhou) region, set the region to cn-hangzhou. For other regions, set the region as needed.
	clientOptions := []oss.ClientOption{oss.SetCredentialsProvider(&provider)}
	clientOptions = append(clientOptions, oss.Region("yourRegion"))
	// Set the signature version.
	clientOptions = append(clientOptions, oss.AuthVersion(oss.AuthV4))
	client, err := oss.New("yourEndpoint", "", "", clientOptions...)
	if err != nil {
		log.Fatalf("Failed to create OSS client: %v", err)
	}

	// The following example shows how a resource owner (the bucket owner with UID 174649585760xxxx) uses a bucket policy to grant a specified user (the RAM user with UID 20214760404935xxxx) permissions to list all files in the examplebucket.
	policyConfig := `
    {
        "Statement": [
            {
                "Action": [
                    "oss:GetObject",
                    "oss:ListObjects"
                ],
                "Principal": [
                    "20214760404935xxxx"           
                ],
                "Effect" : "Allow",
                "Resource" : ["acs:oss:*:174649585760xxxx:examplebucket/*"]
            }
        ],
        "Version": "1"
    }`

	// Set the bucket policy.
	bucketName := "examplebucket"
	err = client.SetBucketPolicy(bucketName, policyConfig)
	if err != nil {
		log.Fatalf("Failed to set bucket policy for '%s': %v", bucketName, err)
	}

	log.Println("SetBucketPolicy success")
}

    Get a bucket policy

    The following code shows how to retrieve a bucket policy:

    package main

import (
	"log"

	"github.com/aliyun/aliyun-oss-go-sdk/oss"
)

func main() {
	// Obtain access credentials from environment variables. Before you run this sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are set.
	provider, err := oss.NewEnvironmentVariableCredentialsProvider()
	if err != nil {
		log.Fatalf("Failed to create credentials provider: %v", err)
	}

	// Create an OSSClient instance.
	// Set yourEndpoint to the Endpoint of the bucket. For example, for a bucket in the China (Hangzhou) region, set the Endpoint to https://oss-cn-hangzhou.aliyuncs.com. For other regions, set the Endpoint as needed.
	// Set yourRegion to the region where the bucket is located. For example, for a bucket in the China (Hangzhou) region, set the region to cn-hangzhou. For other regions, set the region as needed.
	clientOptions := []oss.ClientOption{oss.SetCredentialsProvider(&provider)}
	clientOptions = append(clientOptions, oss.Region("yourRegion"))
	// Set the signature version.
	clientOptions = append(clientOptions, oss.AuthVersion(oss.AuthV4))
	client, err := oss.New("yourEndpoint", "", "", clientOptions...)
	if err != nil {
		log.Fatalf("Failed to create OSS client: %v", err)
	}

	// Get the bucket policy configuration.
	bucketName := "yourBucketName"
	strPolicy, err := client.GetBucketPolicy(bucketName)
	if err != nil {
		log.Fatalf("Failed to get bucket policy for '%s': %v", bucketName, err)
	}

	log.Printf("Bucket policy for '%s': %s", bucketName, strPolicy)
}

    Delete a bucket policy

    The following code shows how to delete a bucket policy:

    package main

import (
	"log"

	"github.com/aliyun/aliyun-oss-go-sdk/oss"
)

func main() {
	// Obtain access credentials from environment variables. Before you run this sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are set.
	provider, err := oss.NewEnvironmentVariableCredentialsProvider()
	if err != nil {
		log.Fatalf("Failed to create credentials provider: %v", err)
	}

	// Create an OSSClient instance.
	// Set yourEndpoint to the Endpoint of the bucket. For example, for a bucket in the China (Hangzhou) region, set the Endpoint to https://oss-cn-hangzhou.aliyuncs.com. For other regions, set the Endpoint as needed.
	// Set yourRegion to the region where the bucket is located. For example, for a bucket in the China (Hangzhou) region, set the region to cn-hangzhou. For other regions, set the region as needed.
	clientOptions := []oss.ClientOption{oss.SetCredentialsProvider(&provider)}
	clientOptions = append(clientOptions, oss.Region("yourRegion"))
	// Set the signature version.
	clientOptions = append(clientOptions, oss.AuthVersion(oss.AuthV4))
	client, err := oss.New("yourEndpoint", "", "", clientOptions...)
	if err != nil {
		log.Fatalf("Failed to create OSS client: %v", err)
	}

	// Delete the bucket policy.
	bucketName := "yourBucketName"
	err = client.DeleteBucketPolicy(bucketName)
	if err != nil {
		log.Fatalf("Failed to delete bucket policy for '%s': %v", bucketName, err)
	}

	log.Println("DeleteBucketPolicy success")
}

    References

    • For more information about the API operation to set a bucket policy, see SetBucketPolicy.

    • For more information about the API operation to retrieve a bucket policy, see GetBucketPolicy.

    • For more information about the API operation to delete a bucket policy, see DeleteBucketPolicy.