Object Storage Service: Bucket policy (PHP SDK V2)

Last Updated: Mar 20, 2026

A bucket policy grants or restricts access to specific OSS resources for anonymous users or identified users — including Alibaba Cloud accounts, RAM users, and RAM roles. For example, you can grant read-only access to specific OSS resources to a RAM user in another Alibaba Cloud account.

This topic covers three operations:

  • Configure a bucket policy — PutBucketPolicy

  • Get the current bucket policy — GetBucketPolicy

  • Delete a bucket policy — DeleteBucketPolicy

All examples use the cn-hangzhou region and a public endpoint. To access bucket resources from another Alibaba Cloud service in the same region, use an internal endpoint. For endpoint mappings, see Regions and endpoints.

Prerequisites

Before you begin, make sure you have:

  • Familiarity with bucket policies, including how to write policy statements and supported actions

  • AccessKey ID and AccessKey secret set as environment variables

  • The required permission for the operation you want to perform:

    | Operation                 | Required permission    |
    |---------------------------|------------------------|
    | Configure a bucket policy | oss:PutBucketPolicy    |
    | Get a bucket policy       | oss:GetBucketPolicy    |
    | Delete a bucket policy    | oss:DeleteBucketPolicy |

    For more information, see Attach a custom policy to a RAM user.

Configure a bucket policy

The following example sets a bucket policy that denies oss:PutObject and oss:GetObject for a specific principal on all objects in the bucket.

<?php

// Load dependent libraries.
require_once __DIR__ . '/../vendor/autoload.php';

use AlibabaCloud\Oss\V2 as Oss;

// Specify command-line parameters.
$optsdesc = [
    "region" => ['help' => 'The region where the bucket is located.', 'required' => True],
    "endpoint" => ['help' => 'The domain name used by other services to access OSS.', 'required' => False],
    "bucket" => ['help' => 'The name of the bucket.', 'required' => True],
];

$longopts = \array_map(function ($key) {
    return "$key:";
}, array_keys($optsdesc));

$options = getopt("", $longopts);

foreach ($optsdesc as $key => $value) {
    if ($value['required'] === True && empty($options[$key])) {
        $help = $value['help'];
        echo "Error: the following arguments are required: --$key, $help";
        exit(1);
    }
}

$region = $options["region"];
$bucket = $options["bucket"];

// Load credentials from environment variables.
$credentialsProvider = new Oss\Credentials\EnvironmentVariableCredentialsProvider();

$cfg = Oss\Config::loadDefault();
$cfg->setCredentialsProvider($credentialsProvider);
$cfg->setRegion($region);

if (isset($options["endpoint"])) {
    $cfg->setEndpoint($options["endpoint"]);
}

$client = new Oss\Client($cfg);

// Define the bucket policy as a JSON document.
// This policy denies PutObject and GetObject for principal 1234567890
// on all objects (Resource: acs:oss:*:1234567890:*/*).
$policy = '{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "oss:PutObject",
                "oss:GetObject"
            ],
            "Effect":"Deny",
            "Principal":["1234567890"],
            "Resource":["acs:oss:*:1234567890:*/*"]
        }
    ]
}';

$request = new Oss\Models\PutBucketPolicyRequest(bucket: $bucket, policy: $policy);

$result = $client->putBucketPolicy($request);
// Pass values as arguments rather than concatenating them into the format string.
printf(
    'status code: %s' . PHP_EOL . 'request ID: %s' . PHP_EOL,
    $result->statusCode,
    $result->requestId
);

For the complete sample, see PutBucketPolicy.php on GitHub. For API details, see PutBucketPolicy.

Get a bucket policy

The following example retrieves the current policy for the specified bucket.

<?php

// Load dependent libraries.
require_once __DIR__ . '/../vendor/autoload.php';

use AlibabaCloud\Oss\V2 as Oss;

// Specify command-line parameters.
$optsdesc = [
    "region" => ['help' => 'The region where the bucket is located.', 'required' => True],
    "endpoint" => ['help' => 'The domain name used by other services to access OSS.', 'required' => False],
    "bucket" => ['help' => 'The name of the bucket.', 'required' => True],
];

$longopts = \array_map(function ($key) {
    return "$key:";
}, array_keys($optsdesc));

$options = getopt("", $longopts);

foreach ($optsdesc as $key => $value) {
    if ($value['required'] === True && empty($options[$key])) {
        $help = $value['help'];
        echo "Error: the following arguments are required: --$key, $help";
        exit(1);
    }
}

$region = $options["region"];
$bucket = $options["bucket"];

// Load credentials from environment variables.
$credentialsProvider = new Oss\Credentials\EnvironmentVariableCredentialsProvider();

$cfg = Oss\Config::loadDefault();
$cfg->setCredentialsProvider($credentialsProvider);
$cfg->setRegion($region);

if (isset($options["endpoint"])) {
    $cfg->setEndpoint($options["endpoint"]);
}

$client = new Oss\Client($cfg);

$request = new Oss\Models\GetBucketPolicyRequest(bucket: $bucket);

$result = $client->getBucketPolicy($request);
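// Pass values as arguments so that a '%' in the returned policy
// is not interpreted as a printf format specifier.
printf(
    'status code: %s' . PHP_EOL . 'request ID: %s' . PHP_EOL . 'policy: %s' . PHP_EOL,
    $result->statusCode,
    $result->requestId,
    $result->body
);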

For the complete sample, see GetBucketPolicy.php on GitHub. For API details, see GetBucketPolicy.

Delete a bucket policy

The following example deletes the policy attached to the specified bucket.

<?php

// Load dependent libraries.
require_once __DIR__ . '/../vendor/autoload.php';

use AlibabaCloud\Oss\V2 as Oss;

// Specify command-line parameters.
$optsdesc = [
    "region" => ['help' => 'The region where the bucket is located.', 'required' => True],
    "endpoint" => ['help' => 'The domain name used by other services to access OSS.', 'required' => False],
    "bucket" => ['help' => 'The name of the bucket.', 'required' => True],
];

$longopts = \array_map(function ($key) {
    return "$key:";
}, array_keys($optsdesc));

$options = getopt("", $longopts);

foreach ($optsdesc as $key => $value) {
    if ($value['required'] === True && empty($options[$key])) {
        $help = $value['help'];
        echo "Error: the following arguments are required: --$key, $help";
        exit(1);
    }
}

$region = $options["region"];
$bucket = $options["bucket"];

// Load credentials from environment variables.
$credentialsProvider = new Oss\Credentials\EnvironmentVariableCredentialsProvider();

$cfg = Oss\Config::loadDefault();
$cfg->setCredentialsProvider($credentialsProvider);
$cfg->setRegion($region);

if (isset($options["endpoint"])) {
    $cfg->setEndpoint($options["endpoint"]);
}

$client = new Oss\Client($cfg);

$request = new Oss\Models\DeleteBucketPolicyRequest(bucket: $bucket);

$result = $client->deleteBucketPolicy($request);
// Pass values as arguments rather than concatenating them into the format string.
printf(
    'status code: %s' . PHP_EOL . 'request ID: %s' . PHP_EOL,
    $result->statusCode,
    $result->requestId
);

For the complete sample, see DeleteBucketPolicy.php on GitHub. For API details, see DeleteBucketPolicy.
