Use ossbrowser 2.0 to grant another user read-only or read/write access to a specific file or folder in your bucket — without sharing your own credentials.
You cannot grant file permissions if you log on with an Alibaba Cloud account. To grant permissions, use one of the other logon methods. You cannot grant file permissions if you log on to ossbrowser 2.0 using a CloudBox Endpoint.
Prerequisites
Before you begin, make sure you have:
Access to ossbrowser 2.0 using the AccessKey (AK) of a RAM user — not an Alibaba Cloud account
A RAM user with the following policies attached:
AliyunRAMFullAccess: permissions to manage Resource Access Management (RAM)
AliyunSTSAssumeRoleAccess: permissions to call the AssumeRole operation of Security Token Service (STS)
For setup instructions, see Create a RAM user and Grant permissions to a RAM user.
Choose an authorization method
ossbrowser 2.0 provides two authorization methods. Choose based on your account type and how long the access should last.
| | Direct Authorization | Role Assumption |
|---|---|---|
| Who can use it | Alibaba Cloud account holders only | RAM users only |
| Access duration | Long-term (permanent until revoked) | Temporary (expires automatically) |
| What it grants | Read-only or read/write access to a specific bucket or folder | Temporary access to a specific folder |
| How it works | Directly attaches permissions to RAM users, user groups, or roles under your account | Calls the AssumeRole operation to generate a temporary authorization code |
| What the recipient gets | A new RAM user's AK and authorization code | A time-limited authorization code |
Grant access
Step 1: Open the authorization dialog
Log on to ossbrowser 2.0 using an AK.
Click the name of the target bucket.
Select the checkbox next to the file or folder you want to share.
At the top of the page, click More > Authorize.
Step 2: Configure and confirm authorization
Select the method that matches your account type and access requirement, then follow the corresponding steps.
Direct Authorization
Select Direct Authorization.
Configure the parameters as shown in the following figure. In this example, Grantee is set to New RAM User. Alternatively, select RAM User, Role, or User Group.

Click Confirm Authorization.
Copy and save the new RAM user's AK and authorization code.
Click Policy Content to view the generated policy text. Copy this text to use when editing authorization policies for RAM users or roles in the RAM console.

Click the icon in the lower-left corner to log out.
What the recipient gets: Share the AK and authorization code with the recipient. They can use either credential to log on to ossbrowser 2.0 and access the authorized folder.
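Before the text from Policy Content is pasted into the RAM console, it is worth confirming that it grants no more than the folder you selected. The following is an added example, not ossbrowser's or Alibaba Cloud's own code: a Python check over a RAM policy document. The bucket name example-bucket, the reports/ prefix, the sample policies and the WRITE_ACTIONS list are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

# Assumption: write-capable OSS actions this check looks for; extend as needed.
WRITE_ACTIONS = ("oss:PutObject", "oss:DeleteObject", "oss:PutObjectAcl",
                 "oss:AbortMultipartUpload")

def as_list(value):
    """Action, Resource and Statement may be a single item or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit_policy(policy_text, bucket, prefix, read_only=True):
    """Return findings where an Allow statement exceeds bucket/prefix (prefix ends in '/')."""
    findings, scope = [], f"{bucket}/{prefix}"
    for i, stmt in enumerate(as_list(json.loads(policy_text).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in as_list(stmt.get("Action"))]
        for action in actions:
            if not action.startswith("oss:"):
                findings.append(f"statement {i}: non-OSS action {action}")
            elif read_only and any(fnmatchcase(w.lower(), action) for w in WRITE_ACTIONS):
                findings.append(f"statement {i}: write action {action}")
        # A bucket-level resource is accepted only when the statement just lists objects.
        listing_only = all(a == "oss:listobjects" for a in actions)
        for res in as_list(stmt.get("Resource")):
            path = res.split(":", 4)[-1]  # acs:oss:<region>:<account>:<bucket>/<key>
            if path.startswith(scope) or (path == bucket and listing_only):
                continue
            findings.append(f"statement {i}: resource {res} outside {scope}")
    return findings

# Constructed sample policies (not output copied from ossbrowser).
SCOPED = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:GetObject"],
     "Resource": ["acs:oss:*:*:example-bucket/reports/*"]},
    {"Effect": "Allow", "Action": "oss:ListObjects",
     "Resource": "acs:oss:*:*:example-bucket"}]})
BROAD = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss:*",
     "Resource": "acs:oss:*:*:example-bucket/*"}]})

if __name__ == "__main__":
    for name, text in (("scoped", SCOPED), ("broad", BROAD)):
        print(name, audit_policy(text, "example-bucket", "reports/") or "ok")
```

An empty result means every Allow statement stays inside the named folder; pass read_only=False when the grant is meant to be read/write.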
Role Assumption
Select Role Assumption.
Configure the parameters as shown in the following figure.
Set the expiry period to the minimum duration the recipient needs. Once the authorization code expires, it becomes invalid and access is revoked automatically.

Click Confirm Authorization.
Click Copy Authorization Code.

Click the icon in the lower-left corner to log out.
What the recipient gets: Share the authorization code with the recipient. They use it to log on to ossbrowser 2.0 and access the specified folder. The code is invalid after it expires.