
Object Storage Service: Manage file access permissions (Browser.js SDK)

Last Updated: Nov 29, 2025

In OSS, you can set access permissions for objects to control how they are accessed.

Usage notes

  • When you use packaging tools such as Webpack and Browserify, install OSS SDK for Browser.js by running the npm install ali-oss command.

  • If you want to access an OSS bucket from a browser but no CORS rules are configured for the bucket, the browser rejects the request. Therefore, you must configure CORS rules for a bucket if you want to access the bucket from a browser. For more information, see Installation.

  • In most cases, OSS SDK for Browser.js is used in browsers. To prevent your AccessKey pair from being exposed, we recommend that you use temporary access credentials obtained from Security Token Service (STS) to access OSS.

    The temporary access credentials consist of an AccessKey pair and a security token. The AccessKey pair consists of an AccessKey ID and an AccessKey secret. For more information about how to obtain temporary access credentials, see Use STS for temporary access authorization.

Read/write permission types

Objects have the following four types of access control lists (ACLs):

Note: The access permissions of an object take precedence over the access permissions of its bucket. For example, if a bucket is private but an object in it is public-read, anyone, including anonymous users, can read the object.

| Permission type | Description | Permission value |
| --- | --- | --- |
| Inherit from bucket (default) | If an object does not have its own access permissions set, it inherits the ACL of its bucket. The object has the same permissions as the bucket. | default |
| Private | Only the object owner can read and write the object. Other users cannot access the object. | private |
| Public-read | Only the object owner can write to the object. Anyone, including anonymous users, can read the object. Warning: Any user on the Internet can access the object. This may cause data leaks and a surge in fees. Use this permission with caution. | public-read |
| Public-read-write | Anyone, including anonymous users, can read and write the object. Warning: Any user on the Internet can access the object and write data to it. This may cause data leaks and a surge in fees. If malicious users write illegal information to the object, your legal rights and interests may be harmed. Do not configure public-read-write permissions except for specific scenarios. | public-read-write |

Sample code

By default, an uploaded object inherits the ACL of its bucket. You can use putACL to modify the object's ACL.

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <title>Document</title>
  </head>
  <body>
    <script src="https://gosspublic.alicdn.com/aliyun-oss-sdk-6.18.0.min.js"></script>
    <script>
      const client = new OSS({
        // Set region to the region where the bucket is located. For example, if the bucket is in the China (Hangzhou) region, set region to oss-cn-hangzhou.
        region: "yourRegion",
        authorizationV4: true,
        // The temporary AccessKey pair (AccessKey ID and AccessKey secret) obtained from Security Token Service (STS).
        accessKeyId: "yourAccessKeyId",
        accessKeySecret: "yourAccessKeySecret",
        // The security token (SecurityToken) obtained from STS.
        stsToken: "yourSecurityToken",
        // Specify the bucket name. For example, examplebucket.
        bucket: "examplebucket",
      });

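      async function getACL() {
        try {
          // Query the current ACL of the object.
          let result = await client.getACL("examplefile.txt");
          console.log(result.acl);

          // Set the object ACL to public-read, then query it again to confirm the change.
          // public-read makes the object readable by anyone, including anonymous users.
          await client.putACL("examplefile.txt", "public-read");
          result = await client.getACL("examplefile.txt");
          console.log(result.acl);
        } catch (e) {
          console.log(e);
        }
      }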

      getACL();
    </script>
  </body>
</html>
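
Because an object ACL takes precedence over the bucket ACL, a private bucket can still contain publicly readable objects. The following added example (not code from the original page or the SDK project) audits a bucket for such objects with the same getACL and putACL calls. It assumes client is an OSS instance created as in the sample above and that client.list is used for paging; the function names and the bucketAcl parameter are hypothetical.

```javascript
// Added example, not SDK or page code. Hypothetical names: PUBLIC_ACLS,
// classify, auditObjectAcls, resetOverrides.
const PUBLIC_ACLS = new Set(["public-read", "public-read-write"]);

// "default" means the object inherits the bucket ACL; any other value
// replaces the bucket ACL for this object.
function classify(name, objectAcl, bucketAcl) {
  const effective = objectAcl === "default" ? bucketAcl : objectAcl;
  return {
    name,
    objectAcl,
    effective,
    exposed: PUBLIC_ACLS.has(effective),
    overridesBucket: objectAcl !== "default" && objectAcl !== bucketAcl,
  };
}

// Page through the bucket and return every object anonymous users can reach.
// Assumption: the caller already knows bucketAcl (for example, from the console).
async function auditObjectAcls(client, bucketAcl, prefix = "") {
  const findings = [];
  let marker;
  do {
    const query = { prefix, "max-keys": 100 };
    if (marker) query.marker = marker;
    const page = await client.list(query);
    for (const obj of page.objects || []) {
      const { acl } = await client.getACL(obj.name);
      const row = classify(obj.name, acl, bucketAcl);
      if (row.exposed) findings.push(row);
    }
    marker = page.isTruncated ? page.nextMarker : undefined;
  } while (marker);
  return findings;
}

// Put exposed overrides back to "default" so the bucket ACL applies again.
async function resetOverrides(client, findings) {
  const reset = [];
  for (const f of findings) {
    if (!f.overridesBucket) continue; // exposure comes from the bucket itself
    await client.putACL(f.name, "default");
    reset.push(f.name);
  }
  return reset;
}
```

The temporary STS credentials used for the client must be allowed to list objects and to read and set object ACLs for these calls to succeed.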

References

  • For complete sample code for object access permissions, see GitHub example.

  • For more information about the API operation to set object access permissions, see PutObjectACL.

  • For more information about the API operation to retrieve object access permissions, see GetObjectACL.