
Object Storage Service: Manage file access permissions (Go SDK V1)

Last Updated: Jun 15, 2026

You can set and query access control lists (ACLs) for objects in OSS by using OSS SDK for Go V1.

Usage notes

  • In this topic, the public endpoint of the China (Hangzhou) region is used. If you want to access OSS from other Alibaba Cloud services in the same region as OSS, use an internal endpoint. For more information about OSS regions and endpoints, see Regions and Endpoints.

  • In this topic, access credentials are obtained from environment variables. For more information about how to configure access credentials, see Configure access credentials.

  • This topic demonstrates creating an OSSClient instance with an OSS endpoint. For alternative configurations, such as using a custom domain or authenticating with credentials from Security Token Service (STS), see Configure a client (Go SDK V1).

  • To configure the ACL for an object, you must have the oss:PutObjectAcl permission. To query object ACLs, you must have the oss:GetObjectAcl permission. For more information, see Grant a custom policy.

Read and write permission types

Objects support the following four ACL types:

| Access permission | Description | ACL value |
| --- | --- | --- |
| Inherit from bucket | The object inherits the ACL of the bucket. | oss.ACLDefault |
| Private | Only the object owner and authorized users have read and write permissions on the object. Other users cannot access the object. | oss.ACLPrivate |
| Public-read | The object owner and authorized users have read and write permissions on the object. Other users have only read permissions. Use this permission with caution. | oss.ACLPublicRead |
| Public-read-write | All users have read and write permissions on the object. Use this permission with caution. | oss.ACLPublicReadWrite |

Object ACLs take precedence over bucket ACLs. For example, if a bucket ACL is set to private but an object ACL is set to public-read-write, all users have read and write permissions on the object. If no ACL is configured for an object, the object inherits the bucket ACL.
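
The precedence rule above can be turned into an audit check that lists objects left publicly accessible, whether through their own ACL or through the bucket's. This is an added example, not part of the original sample code; the Finding type, the EffectiveACL and AuditPublic functions, and the object names are hypothetical, and the ACL strings are assumed to be the values that GetObjectACL reports in aclRes.ACL.

```go
package main

import (
	"fmt"
	"sort"
)

// ACL strings, assumed to match what GetObjectACL reports in aclRes.ACL.
const (
	aclDefault         = "default"
	aclPrivate         = "private"
	aclPublicRead      = "public-read"
	aclPublicReadWrite = "public-read-write"
)

// Finding is a hypothetical record type for this example.
type Finding struct {
	Object, Effective string
	Explicit          bool // true: the object's own ACL grants access; false: inherited from the bucket
}

// EffectiveACL applies the precedence rule: an explicit object ACL wins, "default" or none inherits.
func EffectiveACL(bucketACL, objectACL string) string {
	if objectACL == "" || objectACL == aclDefault {
		return bucketACL
	}
	return objectACL
}

// AuditPublic returns every object whose effective ACL is public, sorted by object name.
func AuditPublic(bucketACL string, objectACLs map[string]string) []Finding {
	var out []Finding
	for name, acl := range objectACLs {
		if eff := EffectiveACL(bucketACL, acl); eff == aclPublicRead || eff == aclPublicReadWrite {
			out = append(out, Finding{Object: name, Effective: eff, Explicit: eff == acl})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Object < out[j].Object })
	return out
}

func main() {
	// Constructed sample: a private bucket and per-object ACLs as an inventory scan might collect them.
	objects := map[string]string{"logs/app.log": "default", "site/index.html": "public-read",
		"tmp/upload.bin": "public-read-write", "keys/id.pem": "private"}
	for _, f := range AuditPublic(aclPrivate, objects) {
		fmt.Printf("%-16s effective=%-17s explicit=%v\n", f.Object, f.Effective, f.Explicit)
	}
}
```

With the constructed input, only the two objects carrying their own public ACL are reported, even though the bucket itself is private.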

Sample code

The following sample code shows how to set and query object ACLs:

package main

import (
	"log"

	"github.com/aliyun/aliyun-oss-go-sdk/oss"
)

func main() {
	// Obtain access credentials from environment variables. Before you run this sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are set.
	provider, err := oss.NewEnvironmentVariableCredentialsProvider()
	if err != nil {
		log.Fatalf("Failed to create credentials provider: %v", err)
	}

	// Create an OSSClient instance.
	// Set yourEndpoint to the Endpoint of the bucket. For example, for the China (Hangzhou) region, set the Endpoint to https://oss-cn-hangzhou.aliyuncs.com. For other regions, set the Endpoint as needed.
	// Set yourRegion to the region where the bucket is located. For example, for the China (Hangzhou) region, set the value to cn-hangzhou. For other regions, set the value as needed.
	clientOptions := []oss.ClientOption{oss.SetCredentialsProvider(&provider)}
	clientOptions = append(clientOptions, oss.Region("yourRegion"))
	// Set the signature version.
	clientOptions = append(clientOptions, oss.AuthVersion(oss.AuthV4))
	client, err := oss.New("yourEndpoint", "", "", clientOptions...)
	if err != nil {
		log.Fatalf("Failed to create OSS client: %v", err)
	}

	// Set yourBucketName to the name of the bucket.
	bucketName := "yourBucketName"
	bucket, err := client.Bucket(bucketName)
	if err != nil {
		log.Fatalf("Failed to get bucket '%s': %v", bucketName, err)
	}

	// Set the ACL of the object.
	// Set yourObjectName to the full path of the object. Do not include the bucket name.
	objectName := "yourObjectName"
	err = bucket.SetObjectACL(objectName, oss.ACLPublicReadWrite)
	if err != nil {
		log.Fatalf("Failed to set object ACL for '%s': %v", objectName, err)
	}

	// Get the ACL of the object.
	aclRes, err := bucket.GetObjectACL(objectName)
	if err != nil {
		log.Fatalf("Failed to get object ACL for '%s': %v", objectName, err)
	}

	log.Printf("Object ACL for '%s': %s", objectName, aclRes.ACL)
}

References

  • For the complete sample code, see GitHub example.

  • For more information about the API operation for setting object ACLs, see SetObjectACL.

  • For more information about the API operation for querying object ACLs, see GetObjectACL.