
Object Storage Service:Block Public Access for OSS (OSS SDK for Go V2)

Last Updated:Mar 17, 2026

Block Public Access is an account-level control that prevents any OSS resource in your Alibaba Cloud account from being accessed by anonymous requests. It is a single boolean switch — there are no sub-settings to configure individually. When enabled, it overrides all bucket ACLs, bucket policies, and object ACLs that would otherwise grant public-read or public-read-write access.

Use this feature when you want a single, hard stop on all public access across your entire OSS account, regardless of how individual buckets or objects are configured.

Important

Before you enable Block Public Access, review your access logs for anonymous requests. Use OSS real-time log query to identify applications or services that depend on public access. Enabling the block immediately cuts off all public access and may disrupt dependent workloads.

How it works

"Public access" refers to any request from an anonymous or unauthenticated caller.

When Block Public Access is enabled, OSS enforces the following restrictions regardless of existing permissions:

  • Public-read and public-read-write bucket ACLs are overridden. Buckets behave as if set to private.

  • Bucket policies that grant anonymous access are ignored at request time.

  • Public-read and public-read-write object ACLs are overridden. Objects behave as if set to private.

Authenticated requests (signed with valid credentials) are not affected.

After you delete the Block Public Access configuration, individual bucket-level ACLs and policies take effect again. Any bucket or object with a public ACL or policy becomes publicly accessible.

Account-level and bucket-level settings interact as follows:

Account-level Block Public Access | Bucket ACL or policy grants public access | Result
----------------------------------|-------------------------------------------|---------------------------------------------------
Enabled                           | Yes                                       | No public access. Account-level setting overrides.
Enabled                           | No                                        | No public access.
Not configured                    | Yes                                       | Public access allowed per bucket-level settings.
Not configured                    | No                                        | No public access.

Prerequisites

Before you begin, make sure you have:

  • The OSS SDK for Go V2 installed (package: github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss)

  • Access credentials configured as environment variables. The SDK reads OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET through credentials.NewEnvironmentVariableCredentialsProvider(). See Configure access credentials for setup instructions.

  • The required RAM permissions for each operation:

Operation                                | Required permission
-----------------------------------------|-----------------------------
Enable Block Public Access               | oss:PutPublicAccessBlock
Query Block Public Access status         | oss:GetPublicAccessBlock
Delete Block Public Access configuration | oss:DeletePublicAccessBlock

Before you begin

Keep the following in mind before calling any of the three operations:

  • Block Public Access operates at the account level. No account ID or bucket name is required in the API call. The setting applies to all buckets under the credentials used.

  • The examples use cn-hangzhou (China (Hangzhou)) as the region. Replace this with your actual region. For a list of regions and endpoints, see Regions and endpoints.

  • To access OSS from another Alibaba Cloud service in the same region, use the internal endpoint.

  • Credentials are loaded from environment variables. Avoid hardcoding credentials in your source code.

Enable Block Public Access

Call PutPublicAccessBlock with BlockPublicAccess set to true to block all public access for your account.

All three operations (enable, query, delete) share the same program structure. The complete program below runs the enable operation. For the query and delete operations, replace the operation block (from the request := line through the final log.Printf) with the corresponding code shown in the sections below, then run with the same command.

package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
)

var (
	region string
)

func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
}

func main() {
	flag.Parse()
	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	// Load default config with environment variable credentials.
	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	client := oss.NewClient(cfg)

	// Enable Block Public Access for the account.
	// No account ID or bucket name required -- applies to all buckets
	// under the current credentials.
	request := &oss.PutPublicAccessBlockRequest{
		PublicAccessBlockConfiguration: &oss.PublicAccessBlockConfiguration{
			BlockPublicAccess: oss.Ptr(true), // true = block all public access
		},
	}
	result, err := client.PutPublicAccessBlock(context.TODO(), request)
	if err != nil {
		log.Fatalf("failed to put public access block: %v", err)
	}

	log.Printf("put public access block result: %#v\n", result)
}

Run the program:

go run main.go -region cn-hangzhou

Query Block Public Access status

Call GetPublicAccessBlock to check whether Block Public Access is currently enabled for your account.

Replace the operation block in the enable example (from the request := line through the final log.Printf) with the following code, then run with the same command.

	// Query Block Public Access status for the account.
	request := &oss.GetPublicAccessBlockRequest{}
	getResult, err := client.GetPublicAccessBlock(context.TODO(), request)
	if err != nil {
		log.Fatalf("failed to get public access block: %v", err)
	}

	log.Printf("get public access block result: %#v\n", getResult)

Note

If no Block Public Access configuration has been set for the account, GetPublicAccessBlock returns an error. Treat this as a "not configured" state rather than an API failure. See the Error handling section for details.

Delete Block Public Access configuration

Call DeletePublicAccessBlock to remove the Block Public Access configuration. After deletion, bucket-level ACLs and policies take effect again. Any bucket or object with a public ACL or policy becomes publicly accessible.

Replace the operation block in the enable example (from the request := line through the final log.Printf) with the following code, then run with the same command.

	// Delete Block Public Access configuration for the account.
	request := &oss.DeletePublicAccessBlockRequest{}
	result, err := client.DeletePublicAccessBlock(context.TODO(), request)
	if err != nil {
		log.Fatalf("failed to delete public access block: %v", err)
	}

	log.Printf("delete public access block result: %#v\n", result)

Error handling

  • AccessDenied on any operation. Likely cause: the RAM user or role does not have the required permission (oss:PutPublicAccessBlock, oss:GetPublicAccessBlock, or oss:DeletePublicAccessBlock). Recommended action: verify that the RAM policy attached to your user or role includes the required permission for the operation you are calling.

  • Error on GetPublicAccessBlock. Likely cause: no Block Public Access configuration has been set for the account. Recommended action: this is a valid "not configured" state. Either call PutPublicAccessBlock first to create a configuration, or handle this error in your code as meaning Block Public Access is not enabled.

  • Network timeout on any operation. Likely cause: transient network disruption between your client and the OSS endpoint. Recommended action: add retry logic with exponential backoff.
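The following program is an added example, not code from this page or from the OSS SDK for Go V2. It shows one way to implement the handling the Note in "Query Block Public Access status" and the error-handling list above call for: classify the error returned by the three operations, treat the "no configuration set" error from GetPublicAccessBlock as a valid not-configured state rather than a failure, and retry only transient timeouts with exponential backoff. To run without the SDK it uses a stand-in type, ServiceErrorLike, in place of the SDK's own service error (real code would errors.As against the SDK's error type instead); the choice of HTTP 404 as the "not configured" status (notConfiguredStatus) is an assumption to confirm against the error your account actually returns.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"time"
)

// ServiceErrorLike is a hypothetical stand-in for the SDK's service error so
// this example runs without the SDK; it carries the fields a caller inspects.
type ServiceErrorLike struct {
	StatusCode int
	Code       string
	Message    string
	RequestID  string
}

func (e *ServiceErrorLike) Error() string {
	return fmt.Sprintf("oss: %s (HTTP %d, request %s): %s", e.Code, e.StatusCode, e.RequestID, e.Message)
}

// State classifies the outcome of Put/Get/DeletePublicAccessBlock.
type State int

const (
	StateOK            State = iota
	StateNotConfigured       // GetPublicAccessBlock failed because nothing was set
	StateAccessDenied        // missing oss:{Put,Get,Delete}PublicAccessBlock
	StateRetryable           // transient: network timeout or context deadline
	StateFatal               // anything else: surface to the caller
)

// notConfiguredStatus is an assumption for this example: an HTTP 404 service
// error from GetPublicAccessBlock is read as "no configuration set".
const notConfiguredStatus = 404

// Classify maps an error from the three operations to a State.
func Classify(err error) State {
	if err == nil {
		return StateOK
	}
	var se *ServiceErrorLike
	if errors.As(err, &se) {
		switch {
		case se.Code == "AccessDenied":
			return StateAccessDenied
		case se.StatusCode == notConfiguredStatus:
			return StateNotConfigured
		}
		return StateFatal
	}
	var ne net.Error
	if errors.As(err, &ne) && ne.Timeout() {
		return StateRetryable
	}
	if errors.Is(err, context.DeadlineExceeded) {
		return StateRetryable
	}
	return StateFatal
}

// PublicAccessBlocked turns a GetPublicAccessBlock outcome into a yes/no answer.
// block is the BlockPublicAccess field of the returned configuration; a
// not-configured error means "not blocked", not a failure.
func PublicAccessBlocked(block *bool, err error) (bool, error) {
	switch Classify(err) {
	case StateOK:
		return block != nil && *block, nil
	case StateNotConfigured:
		return false, nil
	default:
		return false, err
	}
}

// CallWithBackoff runs op, retrying only retryable errors with delays of
// base, 2*base, 4*base, ... It returns the attempts made and the last error.
func CallWithBackoff(ctx context.Context, op func(context.Context) error, maxAttempts int, base time.Duration) (int, error) {
	var err error
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		err = op(ctx)
		if Classify(err) != StateRetryable || attempt == maxAttempts {
			return attempt, err
		}
		select {
		case <-time.After(base << uint(attempt-1)):
		case <-ctx.Done():
			return attempt, ctx.Err()
		}
	}
	return maxAttempts, err
}

func main() {
	// Constructed sample error standing in for a real SDK response.
	denied := &ServiceErrorLike{StatusCode: 403, Code: "AccessDenied", Message: "missing oss:GetPublicAccessBlock", RequestID: "REQ-EXAMPLE"}
	blocked, err := PublicAccessBlocked(nil, denied)
	fmt.Println("blocked:", blocked, "access denied:", Classify(err) == StateAccessDenied)

	calls := 0
	attempts, err := CallWithBackoff(context.Background(), func(context.Context) error {
		calls++
		if calls < 3 {
			return context.DeadlineExceeded // simulate two transient timeouts
		}
		return nil
	}, 5, time.Millisecond)
	fmt.Println("attempts:", attempts, "err:", err)
}
```

Wire CallWithBackoff around the real SDK call by passing a closure that invokes client.GetPublicAccessBlock and stores the result; keep AccessDenied and the not-configured state out of the retry path, since retrying neither changes the answer.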

To help diagnose issues, enable OSS real-time log query to inspect request logs.
