
Object Storage Service: Bucket policy (Node.js SDK)

Last Updated: Feb 28, 2026

Bucket policies control access to Object Storage Service (OSS) buckets and objects. A bucket policy grants or restricts access for Alibaba Cloud accounts, Resource Access Management (RAM) users, RAM roles, and anonymous users to specific OSS resources.

For example, a bucket owner can grant a RAM user from a different Alibaba Cloud account read-only access to objects in the bucket.

Prerequisites

Before you begin, make sure that you have:

  • The ali-oss SDK installed

  • The following permissions granted to your RAM user or role. For more information, see Grant custom access policies to a RAM user.

    • oss:PutBucketPolicy to set a bucket policy

    • oss:GetBucketPolicy to retrieve a bucket policy

    • oss:DeleteBucketPolicy to delete a bucket policy

  • Familiarity with bucket policy concepts. For more information, see Bucket policy.

Usage notes

All examples on this page read AccessKey credentials from the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables. Set these variables before running the code.

Set a bucket policy

The following example grants a RAM user (UID 20214760404935xxxx) the oss:ListObjects and oss:GetObject permissions on the examplebucket bucket owned by UID 174649585760xxxx:

const OSS = require('ali-oss');

const client = new OSS({
  region: '<your-region>',                           // Example: oss-cn-hangzhou
  accessKeyId: process.env.OSS_ACCESS_KEY_ID,
  accessKeySecret: process.env.OSS_ACCESS_KEY_SECRET,
  authorizationV4: true,
  bucket: '<your-bucket-name>',
});

const policy = {
  Version: '1',
  Statement: [
    {
      Action: ['oss:ListObjects', 'oss:GetObject'],
      Effect: 'Allow',
      Principal: ['20214760404935xxxx'],
      Resource: ['acs:oss:*:174649585760xxxx:examplebucket'],
    },
  ],
};

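// Replaces any bucket policy already set on the bucket with `policy`.
async function putPolicy() {
  const result = await client.putBucketPolicy('<your-bucket-name>', policy);
  console.log(result);
}

// Report request failures (for example, a missing oss:PutBucketPolicy permission)
// instead of leaving the promise rejection unhandled.
putPolicy().catch(console.error);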

Policy fields:

| Field | Type | Description |
|---|---|---|
| Version | String | Policy version. Set to '1'. |
| Statement | Array | List of policy statements. |
| Action | Array | Allowed OSS actions, such as oss:GetObject and oss:ListObjects. |
| Effect | String | Allow or Deny. |
| Principal | Array | UIDs of the authorized Alibaba Cloud accounts or RAM users. Use ["*"] for anonymous access. |
| Resource | Array | Resource ARNs in the acs:oss:*:<owner-uid>:<bucket-name> format. |
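
A pre-flight check for a policy object, run before it is passed to putBucketPolicy and built from the field rules in the table above. This is an added example, not code from the original page or the ali-oss SDK; lintBucketPolicy, its finding strings, and the acceptance of object paths under the bucket are assumptions of the example.

```javascript
'use strict';
// Added example: lintBucketPolicy is a hypothetical helper, not part of ali-oss.
const asArray = (v) => (Array.isArray(v) ? v : []);

function lintBucketPolicy(policy, { ownerUid, bucket }) {
  const findings = [];
  const p = policy || {};
  if (p.Version !== '1') findings.push("error: Version must be '1'");
  const statements = asArray(p.Statement);
  if (statements.length === 0) findings.push('error: Statement must be a non-empty array');
  // Resource format from the field table; object paths under the bucket
  // (<bucket-name>/...) are also accepted, which is an assumption of this example.
  const prefix = `acs:oss:*:${ownerUid}:${bucket}`;
  statements.forEach((raw, i) => {
    const st = raw || {};
    const at = `Statement[${i}]`;
    for (const field of ['Action', 'Principal', 'Resource']) {
      if (asArray(st[field]).length === 0) {
        findings.push(`error: ${at}.${field} must be a non-empty array`);
      }
    }
    if (st.Effect !== 'Allow' && st.Effect !== 'Deny') {
      findings.push(`error: ${at}.Effect must be Allow or Deny`);
    }
    // Exact match or "<prefix>/": a sibling bucket sharing the name prefix is rejected.
    for (const res of asArray(st.Resource)) {
      if (res !== prefix && !String(res).startsWith(`${prefix}/`)) {
        findings.push(`error: ${at}.Resource ${res} is outside ${prefix}`);
      }
    }
    // Principal ["*"] means anonymous access; with Allow, anyone gets the actions.
    if (st.Effect === 'Allow' && asArray(st.Principal).includes('*')) {
      findings.push(`warn: ${at} allows anonymous access to ${asArray(st.Action).join(', ')}`);
    }
  });
  return findings;
}

// Constructed sample input: the page's policy, and a risky variant.
const ctx = { ownerUid: '174649585760xxxx', bucket: 'examplebucket' };
const pagePolicy = { Version: '1', Statement: [{
  Action: ['oss:ListObjects', 'oss:GetObject'], Effect: 'Allow',
  Principal: ['20214760404935xxxx'],
  Resource: ['acs:oss:*:174649585760xxxx:examplebucket'] }] };
const riskyPolicy = { Version: '1', Statement: [{
  Action: ['oss:GetObject'], Effect: 'Allow', Principal: ['*'],
  Resource: ['acs:oss:*:174649585760xxxx:otherbucket'] }] };

console.log(lintBucketPolicy(pagePolicy, ctx));
console.log(lintBucketPolicy(riskyPolicy, ctx));
```

Treat `error` findings as blocking and review each `warn` finding before applying the policy.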

Get a bucket policy

Retrieve the current bucket policy:

const OSS = require('ali-oss');

const client = new OSS({
  region: '<your-region>',
  accessKeyId: process.env.OSS_ACCESS_KEY_ID,
  accessKeySecret: process.env.OSS_ACCESS_KEY_SECRET,
  authorizationV4: true,
  bucket: '<your-bucket-name>',
});

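// Reads the policy currently attached to the bucket.
async function getPolicy() {
  const result = await client.getBucketPolicy('<your-bucket-name>');
  console.log(result.policy);
}

// Report request failures instead of leaving the promise rejection unhandled.
getPolicy().catch(console.error);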

The result.policy property contains the policy JSON object.

Delete a bucket policy

Remove the bucket policy:

const OSS = require('ali-oss');

const client = new OSS({
  region: '<your-region>',
  accessKeyId: process.env.OSS_ACCESS_KEY_ID,
  accessKeySecret: process.env.OSS_ACCESS_KEY_SECRET,
  authorizationV4: true,
  bucket: '<your-bucket-name>',
});

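// Removes the bucket policy, along with every grant it contains.
async function deletePolicy() {
  const result = await client.deleteBucketPolicy('<your-bucket-name>');
  console.log(result);
}

// Report request failures instead of leaving the promise rejection unhandled.
deletePolicy().catch(console.error);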
