
Object Storage Service: Bucket policy (PHP SDK V2)

Last Updated: Aug 05, 2025

A bucket policy lets you authorize or restrict access of anonymous users or identified users, such as Alibaba Cloud accounts, RAM users, and RAM roles, to specific Object Storage Service (OSS) resources. For example, you can grant read-only permissions on specific OSS resources to a RAM user of another Alibaba Cloud account.

Usage notes

  • Before you configure bucket policies, make sure that you are familiar with this feature. For more information, see Bucket policies.

  • The sample code in this topic uses the region ID cn-hangzhou for the China (Hangzhou) region. By default, a public endpoint is used to access resources in a bucket. If you want to access resources in the bucket using other Alibaba Cloud services in the same region where the bucket is located, you must use an internal endpoint. For more information about the mappings between OSS regions and endpoints, see Regions and endpoints.

  • To set a bucket policy, you must have the oss:PutBucketPolicy permission. To obtain a bucket policy, you must have the oss:GetBucketPolicy permission. To delete a bucket policy, you must have the oss:DeleteBucketPolicy permission. For more information, see Attach a custom policy to a RAM user.

Examples

Configure a bucket policy

The following sample code shows how to configure a bucket policy:

<?php

// Introduce autoload files to load dependent libraries.
require_once __DIR__ . '/../vendor/autoload.php';

use AlibabaCloud\Oss\V2 as Oss;

// Specify command line parameters.
$optsdesc = [
    "region" => ['help' => 'The region in which the bucket is located.', 'required' => True], // (Required) Specify the region in which the bucket is located.
    "endpoint" => ['help' => 'The domain names that other services can use to access OSS', 'required' => False], // (Optional) Specify the endpoint that can be used by other services to access OSS.
    "bucket" => ['help' => 'The name of the bucket', 'required' => True], // (Required) Specify the name of the bucket.
];

// Generate a long options list to parse the command line parameters.
$longopts = \array_map(function ($key) {
    return "$key:"; // Add a colon (:) to the end of each parameter to indicate that a value is required.
}, array_keys($optsdesc));

// Parse the command line parameters.
$options = getopt("", $longopts); 

// Check whether the required parameters are configured.
foreach ($optsdesc as $key => $value) {
    if ($value['required'] === True && empty($options[$key])) {
        $help = $value['help'];
        echo "Error: the following arguments are required: --$key, $help"; // Specify that the required parameters are not configured.
        exit(1); 
    }
}

// Obtain the values of the command line parameters.
$region = $options["region"]; // The region in which the bucket is located.
$bucket = $options["bucket"]; // The name of the bucket.

// Use environment variables to load the AccessKey ID and AccessKey secret.
$credentialsProvider = new Oss\Credentials\EnvironmentVariableCredentialsProvider();

// Use the default configurations of the SDK.
$cfg = Oss\Config::loadDefault();

// Specify the credential provider.
$cfg->setCredentialsProvider($credentialsProvider);

// Specify the region.
$cfg->setRegion($region);

// Specify the endpoint if an endpoint is provided.
if (isset($options["endpoint"])) {
    $cfg->setEndpoint($options["endpoint"]);
}

// Create an OSSClient instance.
$client = new Oss\Client($cfg);

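// Define the bucket policy as a JSON string. This statement denies oss:PutObject and oss:GetObject
// to the principal 1234567890 on the listed resource. 1234567890 is a sample ID; replace it with your own values.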
$policy = '{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "oss:PutObject",
                "oss:GetObject"
            ],
            "Effect":"Deny",
            "Principal":["1234567890"],
            "Resource":["acs:oss:*:1234567890:*/*"]
        }
    ]
}';

// Create a request to configure the bucket policy and pass the bucket policy.
$request = new Oss\Models\PutBucketPolicyRequest(bucket: $bucket, policy: $policy);

// Use the putBucketPolicy method to specify the bucket policy.
$result = $client->putBucketPolicy($request);

// Display the returned result.
printf(
    'status code:' . $result->statusCode . PHP_EOL . // The HTTP response status code.
    'request id:' . $result->requestId . PHP_EOL // The unique identifier of the request.
);
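
The following added example is not part of the SDK or of the original sample code. It reviews a policy document locally before the document is passed to PutBucketPolicyRequest, and reports malformed JSON, an invalid Effect, an Allow statement for Principal "*" (all users, including anonymous users) that has no Condition, and an Allow statement with a wildcard action. reviewBucketPolicy() is a hypothetical helper name, and the second policy, including the bucket name examplebucket, is constructed for illustration.

```php
<?php
// Added example: reviewBucketPolicy() is a hypothetical helper, not an SDK function.
// It returns a list of findings for a policy JSON string. An empty list means
// that none of the checks below matched.
function reviewBucketPolicy(string $policyJson): array
{
    try {
        $doc = json_decode($policyJson, true, 32, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return ['invalid JSON: ' . $e->getMessage()];
    }
    if (!is_array($doc) || !is_array($doc['Statement'] ?? null)) {
        return ['policy has no Statement list'];
    }
    $findings = [];
    foreach ($doc['Statement'] as $i => $stmt) {
        $effect = is_array($stmt) ? ($stmt['Effect'] ?? null) : null;
        if (!in_array($effect, ['Allow', 'Deny'], true)) {
            $findings[] = "statement $i: Effect must be Allow or Deny";
            continue;
        }
        if ($effect === 'Deny') {
            continue; // The remaining checks apply to Allow statements only.
        }
        $principals = (array)($stmt['Principal'] ?? []);
        $actions = (array)($stmt['Action'] ?? []);
        // Principal "*" covers every user, including anonymous users.
        if (in_array('*', $principals, true) && empty($stmt['Condition'])) {
            $findings[] = "statement $i: Allow for Principal \"*\" with no Condition";
        }
        if (array_intersect($actions, ['*', 'oss:*'])) {
            $findings[] = "statement $i: Allow with a wildcard Action";
        }
    }
    return $findings;
}

// The Deny policy from the sample above, followed by a constructed policy
// (examplebucket is a made-up name) that opens objects to anonymous reads.
$denyPolicy = '{"Version":"1","Statement":[{"Action":["oss:PutObject","oss:GetObject"],
    "Effect":"Deny","Principal":["1234567890"],"Resource":["acs:oss:*:1234567890:*/*"]}]}';
$publicRead = '{"Version":"1","Statement":[{"Action":["oss:GetObject"],
    "Effect":"Allow","Principal":["*"],"Resource":["acs:oss:*:1234567890:examplebucket/*"]}]}';

foreach (['denyPolicy' => $denyPolicy, 'publicRead' => $publicRead] as $name => $json) {
    $findings = reviewBucketPolicy($json);
    echo $name . ': ' . ($findings ? implode('; ', $findings) : 'no findings') . PHP_EOL;
}
```

The same function can be applied to the policy text that getBucketPolicy returns in $result->body to review a policy that is already attached to a bucket.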

Query bucket policies

The following sample code shows how to query bucket policies:

<?php

// Introduce autoload files to load dependent libraries.
require_once __DIR__ . '/../vendor/autoload.php';

use AlibabaCloud\Oss\V2 as Oss;

// Specify command line parameters.
$optsdesc = [
    "region" => ['help' => 'The region in which the bucket is located.', 'required' => True], // (Required) Specify the region in which the bucket is located.
    "endpoint" => ['help' => 'The domain names that other services can use to access OSS', 'required' => False], // (Optional) Specify the endpoint that can be used by other services to access OSS.
    "bucket" => ['help' => 'The name of the bucket', 'required' => True], // (Required) Specify the name of the bucket.
];

// Generate a long options list to parse the command line parameters.
$longopts = \array_map(function ($key) {
    return "$key:"; // Add a colon (:) to the end of each parameter to indicate that a value is required.
}, array_keys($optsdesc));

// Parse the command line parameters.
$options = getopt("", $longopts); 

// Check whether the required parameters are configured.
foreach ($optsdesc as $key => $value) {
    if ($value['required'] === True && empty($options[$key])) {
        $help = $value['help'];
        echo "Error: the following arguments are required: --$key, $help"; // Specify that the required parameters are not configured.
        exit(1); 
    }
}

// Obtain the values of the command line parameters.
$region = $options["region"]; // The region in which the bucket is located.
$bucket = $options["bucket"]; // The name of the bucket.

// Use environment variables to load the AccessKey ID and AccessKey secret.
$credentialsProvider = new Oss\Credentials\EnvironmentVariableCredentialsProvider();

// Use the default configurations of the SDK.
$cfg = Oss\Config::loadDefault();

// Specify the credential provider.
$cfg->setCredentialsProvider($credentialsProvider);

// Specify the region.
$cfg->setRegion($region);

// Specify the endpoint if an endpoint is provided.
if (isset($options["endpoint"])) {
    $cfg->setEndpoint($options["endpoint"]);
}

// Create an OSSClient instance.
$client = new Oss\Client($cfg);

// Create a request to query bucket policies.
$request = new Oss\Models\GetBucketPolicyRequest(bucket: $bucket);

// Use the getBucketPolicy method to query bucket policies.
$result = $client->getBucketPolicy($request);

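// Display the returned result. echo is used instead of printf because the policy body
// may contain "%" characters, which printf would interpret as format specifiers.
echo 'status code:' . $result->statusCode . PHP_EOL . // The HTTP response status code.
    'request id:' . $result->requestId . PHP_EOL . // The unique identifier of the request.
    'policy:' . $result->body . PHP_EOL; // The content of the bucket policies.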

Delete a bucket policy

The following sample code shows how to delete a bucket policy:

<?php

// Introduce autoload files to load dependent libraries.
require_once __DIR__ . '/../vendor/autoload.php';

use AlibabaCloud\Oss\V2 as Oss;

// Specify command line parameters.
$optsdesc = [
    "region" => ['help' => 'The region in which the bucket is located.', 'required' => True], // (Required) Specify the region in which the bucket is located.
    "endpoint" => ['help' => 'The domain names that other services can use to access OSS', 'required' => False], // (Optional) Specify the endpoint that can be used by other services to access OSS.
    "bucket" => ['help' => 'The name of the bucket', 'required' => True], // (Required) Specify the name of the bucket.
];

// Generate a long options list to parse the command line parameters.
$longopts = \array_map(function ($key) {
    return "$key:"; // Add a colon (:) to the end of each parameter to indicate that a value is required.
}, array_keys($optsdesc));

// Parse the command line parameters.
$options = getopt("", $longopts); 

// Check whether the required parameters are configured.
foreach ($optsdesc as $key => $value) {
    if ($value['required'] === True && empty($options[$key])) {
        $help = $value['help'];
        echo "Error: the following arguments are required: --$key, $help"; // Specify that the required parameters are not configured.
        exit(1); 
    }
}

// Obtain the values of the command line parameters.
$region = $options["region"]; // The region in which the bucket is located.
$bucket = $options["bucket"]; // The name of the bucket.

// Use environment variables to load the AccessKey ID and AccessKey secret.
$credentialsProvider = new Oss\Credentials\EnvironmentVariableCredentialsProvider();

// Use the default configurations of the SDK.
$cfg = Oss\Config::loadDefault();

// Specify the credential provider.
$cfg->setCredentialsProvider($credentialsProvider);

// Specify the region.
$cfg->setRegion($region);

// Specify the endpoint if an endpoint is provided.
if (isset($options["endpoint"])) {
    $cfg->setEndpoint($options["endpoint"]);
}

// Create an OSSClient instance.
$client = new Oss\Client($cfg);

// Create a request to delete the bucket policy.
$request = new Oss\Models\DeleteBucketPolicyRequest(bucket: $bucket);

// Use the deleteBucketPolicy method to delete the bucket policy.
$result = $client->deleteBucketPolicy($request);

// Display the returned result.
printf(
    'status code:' . $result->statusCode . PHP_EOL . // The HTTP response status code.
    'request id:' . $result->requestId . PHP_EOL // The unique identifier of the request.
);

References

  • For the complete sample code that is used to configure a bucket policy, visit GitHub.

  • For more information about the API operation that you can call to configure a bucket policy, see PutBucketPolicy.

  • For the complete sample code that is used to query bucket policies, visit GitHub.

  • For more information about the API operation that you can call to query bucket policies, see GetBucketPolicy.

  • For the complete sample code that is used to delete a bucket policy, visit GitHub.

  • For more information about the API operation that you can call to delete a bucket policy, see DeleteBucketPolicy.