All Products
Search

This Product

    Object Storage Service:Block Public Access for OSS (OSS SDK for Go V2)

    Document Center

    Object Storage Service:Block Public Access for OSS (OSS SDK for Go V2)

    Last Updated:Mar 09, 2026

    Block Public Access is an account-level security feature that prevents all OSS resources under your Alibaba Cloud account from being publicly accessible. This topic describes how to use the OSS SDK for Go V2 to enable, query, and delete the Block Public Access configuration.

    How it works

    When enabled, Block Public Access overrides all existing bucket ACLs, bucket policies, and object ACLs that grant public read or public read/write access. No bucket or object under your account can be accessed publicly, regardless of its individual access settings.

    After you delete the configuration, bucket-level access policies take effect again. Buckets and objects with public ACLs or policies become publicly accessible.

    Important

    Before you enable Block Public Access, verify that no applications depend on public access to your OSS resources. Enabling this feature blocks all public access and may disrupt services that rely on it.

    Prerequisites

    Before you begin, make sure that you have:

    • The OSS SDK for Go V2 installed (package path: github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss)

    • Access credentials configured as environment variables. For details, see Configure access credentials

    • RAM permissions for the operations listed below

      OperationRequired permission
      Enable Block Public Accessoss:PutPublicAccessBlock
      Query Block Public Accessoss:GetPublicAccessBlock
      Delete Block Public Accessoss:DeletePublicAccessBlock

    Usage notes

    • These are account-level operations that affect all buckets under your account.

    • The sample code uses the region ID cn-hangzhou (China (Hangzhou)) with a public endpoint. To access OSS from other Alibaba Cloud services in the same region, use an internal endpoint. For supported regions and endpoints, see OSS regions and endpoints.

    • All examples load credentials from environment variables through credentials.NewEnvironmentVariableCredentialsProvider(). For other credential methods, see Configure access credentials.

    Sample code

    All examples share the same client setup: parse the -region flag, load credentials from environment variables, and create an OSS client. The first example shows the complete program. Subsequent examples show only the operation-specific code -- replace the operation block in the first example to run them.

    Enable Block Public Access

    Set BlockPublicAccess to true through PutPublicAccessBlock to block all public access across your account.

    package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
)

var (
	region string
)

func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
}

func main() {
	flag.Parse()
	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	// Load default config with environment variable credentials.
	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	client := oss.NewClient(cfg)

	// Enable Block Public Access for the account.
	request := &oss.PutPublicAccessBlockRequest{
		PublicAccessBlockConfiguration: &oss.PublicAccessBlockConfiguration{
			oss.Ptr(true), // true = block all public access
		},
	}
	result, err := client.PutPublicAccessBlock(context.TODO(), request)
	if err != nil {
		log.Fatalf("failed to put public access block: %v", err)
	}

	log.Printf("put public access block result: %#v\n", result)
}

    Run the program:

    go run main.go -region cn-hangzhou

    Query the Block Public Access configuration

    Call GetPublicAccessBlock to check whether Block Public Access is enabled for your account.

    Note

    If no configuration has been set, this call may return an error. Handle this case in your application to distinguish between "not configured" and "disabled."

    Replace the operation block in the Enable example with:

    	// Query Block Public Access status for the account.
	request := &oss.GetPublicAccessBlockRequest{}
	getResult, err := client.GetPublicAccessBlock(context.TODO(), request)
	if err != nil {
		log.Fatalf("failed to get public access block: %v", err)
	}

	log.Printf("get public access block result: %#v\n", getResult)

    Delete the Block Public Access configuration

    Call DeletePublicAccessBlock to remove the configuration from your account. After deletion, bucket-level access policies take effect as configured.

    Replace the operation block in the Enable example with:

    	// Delete Block Public Access configuration for the account.
	request := &oss.DeletePublicAccessBlockRequest{}
	result, err := client.DeletePublicAccessBlock(context.TODO(), request)
	if err != nil {
		log.Fatalf("failed to delete public access block: %v", err)
	}

	log.Printf("delete public access block result: %#v\n", result)

    Error handling

    The sample code uses log.Fatalf for simplicity. In production, check for specific error conditions:

    ScenarioLikely causeRecommendation
    AccessDeniedInsufficient RAM permissionsVerify that your RAM user or role has the required oss:PutPublicAccessBlock, oss:GetPublicAccessBlock, or oss:DeletePublicAccessBlock permissions.
    Error on GetPublicAccessBlockNo configuration exists yetCall PutPublicAccessBlock first, or handle this as a valid "not configured" state.
    Network timeoutConnectivity issueImplement retry logic with exponential backoff.

    References