Object Storage Service: Block Public Access for OSS (OSS SDK for Go V2)

Last Updated: Mar 09, 2026

Block Public Access is an account-level security feature that prevents all OSS resources under your Alibaba Cloud account from being publicly accessible. This topic describes how to use the OSS SDK for Go V2 to enable, query, and delete the Block Public Access configuration.

How it works

When enabled, Block Public Access overrides all existing bucket ACLs, bucket policies, and object ACLs that grant public read or public read/write access. No bucket or object under your account can be accessed publicly, regardless of its individual access settings.

After you delete the configuration, bucket-level access policies take effect again. Buckets and objects with public ACLs or policies become publicly accessible.

Important

Before you enable Block Public Access, verify that no applications depend on public access to your OSS resources. Enabling this feature blocks all public access and may disrupt services that rely on it.
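A pre-change check for the behavior described above, written as an added Go example (not part of Alibaba Cloud's sample code): it lists the objects whose anonymous reachability differs between the enabled and deleted states. The types, function names, and inventory are constructed; the model covers ACLs only (bucket policies are not evaluated) and assumes an object ACL of "default" inherits the bucket ACL.

```go
package main

import "fmt"

// Object is one entry of a constructed inventory. ACL holds an OSS ACL name;
// "default" means the object inherits its bucket's ACL.
type Object struct{ Bucket, Key, ACL string }

// Constructed sample data, not taken from a real account.
var sampleBuckets = map[string]string{"site-assets": "public-read", "backups": "private"}
var sampleInventory = []Object{
	{"site-assets", "logo.png", "default"},
	{"site-assets", "keys.txt", "private"},
	{"backups", "report.pdf", "public-read"},
	{"backups", "db.dump", "default"},
}

// publicACL reports whether an ACL name grants anonymous access.
func publicACL(acl string) bool { return acl == "public-read" || acl == "public-read-write" }

// Exposed reports whether o is anonymously reachable for the given
// account-level Block Public Access state.
func Exposed(blocked bool, bucketACL map[string]string, o Object) bool {
	if blocked {
		return false // the account-level block overrides every ACL
	}
	acl := o.ACL
	if acl == "default" {
		acl = bucketACL[o.Bucket]
	}
	return publicACL(acl)
}

// Flips lists objects that lose public access when the feature is enabled
// and regain it when the configuration is deleted.
func Flips(bucketACL map[string]string, inv []Object) []string {
	var out []string
	for _, o := range inv {
		if Exposed(false, bucketACL, o) != Exposed(true, bucketACL, o) {
			out = append(out, o.Bucket+"/"+o.Key)
		}
	}
	return out
}

func main() {
	fmt.Println(Flips(sampleBuckets, sampleInventory))
}
```

Anything on the resulting list is a dependency to review before enabling, and an exposure to review before deleting.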

Prerequisites

Before you begin, make sure that you have:

  • The OSS SDK for Go V2 installed (package path: github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss)

  • Access credentials configured as environment variables. For details, see Configure access credentials

  • RAM permissions for the operations listed below

    | Operation | Required permission |
    | --- | --- |
    | Enable Block Public Access | oss:PutPublicAccessBlock |
    | Query Block Public Access | oss:GetPublicAccessBlock |
    | Delete Block Public Access | oss:DeletePublicAccessBlock |

Usage notes

  • These are account-level operations that affect all buckets under your account.

  • The sample code uses the region ID cn-hangzhou (China (Hangzhou)) with a public endpoint. To access OSS from other Alibaba Cloud services in the same region, use an internal endpoint. For supported regions and endpoints, see OSS regions and endpoints.

  • All examples load credentials from environment variables through credentials.NewEnvironmentVariableCredentialsProvider(). For other credential methods, see Configure access credentials.

Sample code

All examples share the same client setup: parse the -region flag, load credentials from environment variables, and create an OSS client. The first example shows the complete program. Subsequent examples show only the operation-specific code -- replace the operation block in the first example to run them.

Enable Block Public Access

Set BlockPublicAccess to true through PutPublicAccessBlock to block all public access across your account.

package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
)

var (
	region string
)

func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
}

func main() {
	flag.Parse()
	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	// Load default config with environment variable credentials.
	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	client := oss.NewClient(cfg)

	// Enable Block Public Access for the account.
	request := &oss.PutPublicAccessBlockRequest{
		PublicAccessBlockConfiguration: &oss.PublicAccessBlockConfiguration{
			BlockPublicAccess: oss.Ptr(true), // true = block all public access
		},
	}
	result, err := client.PutPublicAccessBlock(context.TODO(), request)
	if err != nil {
		log.Fatalf("failed to put public access block: %v", err)
	}

	log.Printf("put public access block result: %#v\n", result)
}

Run the program:

go run main.go -region cn-hangzhou

Query the Block Public Access configuration

Call GetPublicAccessBlock to check whether Block Public Access is enabled for your account.

Note

If no configuration has been set, this call may return an error. Handle this case in your application to distinguish between "not configured" and "disabled."

Replace the operation block in the Enable example with:

	// Query Block Public Access status for the account.
	request := &oss.GetPublicAccessBlockRequest{}
	getResult, err := client.GetPublicAccessBlock(context.TODO(), request)
	if err != nil {
		log.Fatalf("failed to get public access block: %v", err)
	}

	log.Printf("get public access block result: %#v\n", getResult)

Delete the Block Public Access configuration

Call DeletePublicAccessBlock to remove the configuration from your account. After deletion, bucket-level access policies take effect as configured.

Replace the operation block in the Enable example with:

	// Delete Block Public Access configuration for the account.
	request := &oss.DeletePublicAccessBlockRequest{}
	result, err := client.DeletePublicAccessBlock(context.TODO(), request)
	if err != nil {
		log.Fatalf("failed to delete public access block: %v", err)
	}

	log.Printf("delete public access block result: %#v\n", result)

Error handling

The sample code uses log.Fatalf for simplicity. In production, check for specific error conditions:

| Scenario | Likely cause | Recommendation |
| --- | --- | --- |
| AccessDenied | Insufficient RAM permissions | Verify that your RAM user or role has the required oss:PutPublicAccessBlock, oss:GetPublicAccessBlock, or oss:DeletePublicAccessBlock permissions. |
| Error on GetPublicAccessBlock | No configuration exists yet | Call PutPublicAccessBlock first, or handle this as a valid "not configured" state. |
| Network timeout | Connectivity issue | Implement retry logic with exponential backoff. |
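
One way to keep the states from the query Note and the table above apart, as an added Go example that is not Alibaba Cloud's sample code. It uses only the standard library: svcError is a constructed stand-in for the SDK's service error type, notConfiguredCode is a placeholder because the page does not name that error code, and q is a hypothetical closure around GetPublicAccessBlock that returns the BlockPublicAccess value.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// svcError is a constructed stand-in for the SDK's service error type.
type svcError struct{ Code string }

func (e *svcError) Error() string { return "oss: " + e.Code }

// Placeholder: the page does not name the "not configured" error code.
const notConfiguredCode = "<NOT-CONFIGURED-CODE>"

const ( // Unknown must never be reported as protected.
	Enabled, Disabled, NotConfigured = "enabled", "disabled", "not configured"
	Denied, Unknown                  = "access denied", "unknown"
)

// Check calls q (a hypothetical closure around GetPublicAccessBlock), retrying
// only timeouts with sleeps of base, 2*base, ...; it returns state and call count.
func Check(q func() (*bool, error), attempts int, base time.Duration) (string, int) {
	for i := 1; ; i++ {
		v, err := q()
		var se *svcError
		var te interface{ Timeout() bool }
		switch {
		case err == nil && v != nil && *v:
			return Enabled, i
		case err == nil:
			return Disabled, i
		case errors.As(err, &se) && se.Code == notConfiguredCode:
			return NotConfigured, i
		case errors.As(err, &se) && se.Code == "AccessDenied":
			return Denied, i // fix RAM permissions; retrying cannot help
		case errors.As(err, &te) && te.Timeout() && i < attempts:
			time.Sleep(base << (i - 1)) // exponential backoff
		default:
			return Unknown, i
		}
	}
}

func main() { // constructed outcome: every call times out, so Check stops at 3
	q := func() (*bool, error) { return nil, fmt.Errorf("get: %w", context.DeadlineExceeded) }
	fmt.Println(Check(q, 3, 10*time.Millisecond))
}
```

A monitoring job built on this should alert on every state except "enabled", since "disabled", "not configured", and "unknown" all mean the account-level block cannot be relied on.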
