All Products
Search
Document Center

Object Storage Service:Manage bucket ACLs (OSS SDK for Python 1.0)

Last Updated:Jun 10, 2026

Set and get bucket ACLs to control read and write permissions on the objects in a bucket.

Usage notes

  • In this topic, the public endpoint of the China (Hangzhou) region is used. If you want to access OSS from other Alibaba Cloud services in the same region as OSS, use an internal endpoint. For more information about OSS regions and endpoints, see Regions and Endpoints.

  • In this topic, access credentials are obtained from environment variables. For more information about how to configure access credentials, see Configure access credentials using OSS SDK for Python 1.0.

  • This topic demonstrates creating an OSSClient instance with an OSS endpoint. For alternative configurations, such as using a custom domain or authenticating with credentials from Security Token Service (STS), see Initialization.

  • To set the ACL of a bucket, you must have the oss:PutBucketAcl permission. To get the ACL of a bucket, you must have the oss:GetBucketAcl permission. For more information, see Grant a custom policy.

Set the bucket ACL

OSS supports the following bucket ACLs.

ACL

Description

Method

Private

Only the bucket owner and authorized users can read and write objects. Other users have no access.

oss2.BUCKET_ACL_PRIVATE

Public-read

Only the bucket owner and authorized users can read and write objects. Other users can only read objects. Use with caution.

oss2.BUCKET_ACL_PUBLIC_READ

Public-read-write

All users can read and write objects in the bucket. Use with caution.

oss2.BUCKET_ACL_PUBLIC_READ_WRITE

The following code shows how to set the ACL for a bucket:

# -*- coding: utf-8 -*-
import oss2
from oss2.credentials import EnvironmentVariableCredentialsProvider
# Obtain access credentials from the environment variables. Before you run the sample code, make sure that you have configured environment variables OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET. 
auth = oss2.ProviderAuthV4(EnvironmentVariableCredentialsProvider())

# Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. 
endpoint = "https://oss-cn-hangzhou.aliyuncs.com"

# Specify the ID of the region that maps to the endpoint. Example: cn-hangzhou. This parameter is required if you use the signature algorithm V4.
region = "cn-hangzhou"

# Specify the name of your bucket.
bucket = oss2.Bucket(auth, endpoint, "yourBucketName", region=region)

# Set the ACL of the bucket to private. 
bucket.put_bucket_acl(oss2.BUCKET_ACL_PRIVATE)

Query the bucket ACL

The following code gets the bucket ACL:

# -*- coding: utf-8 -*-
import oss2
from oss2.credentials import EnvironmentVariableCredentialsProvider
# Obtain access credentials from the environment variables. Before you run the sample code, make sure that you have configured environment variables OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET. 
auth = oss2.ProviderAuthV4(EnvironmentVariableCredentialsProvider())

# Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. 
endpoint = "https://oss-cn-hangzhou.aliyuncs.com"

# Specify the ID of the region that maps to the endpoint. Example: cn-hangzhou. This parameter is required if you use the signature algorithm V4.
region = "cn-hangzhou"

# Specify the name of your bucket.
bucket = oss2.Bucket(auth, endpoint, "yourBucketName", region=region)

# Query the ACL of the bucket. 
print(bucket.get_bucket_acl().acl)

References

  • Complete sample code for bucket ACL management is available on GitHub.

  • For more information about the API operation for configuring the ACL of a bucket, see PutBucketAcl.

  • For more information about the API operation for querying the ACL of a bucket, see GetBucketAcl.