Object Storage Service: put-access-point-policy

Last Updated: Mar 20, 2026

Use put-access-point-policy to attach a policy to an access point.

Permissions

An Alibaba Cloud account can create access point policies by default. A RAM user or Security Token Service (STS) credential requires the oss:PutAccessPointPolicy permission. For more information, see Grant custom permission policies to RAM users.

Syntax

ossutil api put-access-point-policy --bucket <value> --access-point-name <value> --body <value> [flags]

Parameter            Type    Description
--bucket             string  Name of the bucket.
--access-point-name  string  Name of the access point.
--body               string  Access point policy in JSON format.

put-access-point-policy corresponds to the PutAccessPointPolicy API operation. For supported global flags, see Supported global command line options.

--body

Pass the policy as an inline JSON string or a file reference using the file:// prefix.

The policy JSON has the following structure:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:PutObject",
        "oss:GetObject"
      ],
      "Effect": "Deny",
      "Principal": [
        "<account-id>"
      ],
      "Resource": [
        "acs:oss:<region>:<owner-account-id>:accesspoint/<access-point-name>",
        "acs:oss:<region>:<owner-account-id>:accesspoint/<access-point-name>/object/*"
      ]
    }
  ]
}

Field      Description
Version    Policy version. Default value: 1.
Statement  One or more policy statements, each defining a set of permissions.
Action     Operations to allow or deny, such as oss:PutObject and oss:GetObject.
Effect     Whether the statement allows or denies access. Valid values: Allow, Deny.
Principal  The entity the policy applies to.
Resource   The resources the policy applies to, specified as ACS ARNs.

Examples

Attach an access point policy using a file

The following example attaches a policy to the access point ap-01 in examplebucket. The policy denies oss:PutObject and oss:GetObject for account 27737962156157xxxx on the access point and all its objects.

  1. Create access-point-name.json with the following content:

       {
         "Version": "1",
         "Statement": [
           {
             "Action": [
               "oss:PutObject",
               "oss:GetObject"
             ],
             "Effect": "Deny",
             "Principal": [
               "27737962156157xxxx"
             ],
             "Resource": [
               "acs:oss:cn-hangzhou:111933544165xxxx:accesspoint/ap-01",
               "acs:oss:cn-hangzhou:111933544165xxxx:accesspoint/ap-01/object/*"
             ]
           }
         ]
       }
  2. Run the command:

       ossutil api put-access-point-policy --bucket examplebucket --access-point-name ap-01 --body file://access-point-name.json

Attach an access point policy using inline JSON

Pass the policy directly as an inline JSON string:

ossutil api put-access-point-policy --bucket examplebucket --access-point-name ap-01 --body "{\"Version\":\"1\",\"Statement\":[{\"Action\":[\"oss:PutObject\",\"oss:GetObject\"],\"Effect\":\"Deny\",\"Principal\":[\"27737962156157xxxx\"],\"Resource\":[\"acs:oss:cn-hangzhou:111933544165xxxx:accesspoint/ap-01\",\"acs:oss:cn-hangzhou:111933544165xxxx:accesspoint/ap-01/object/*\"]}]}"
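
A local pre-flight check for the JSON passed to --body, as an added example that is not part of the original documentation or of ossutil. It checks only what this page states (the four statement fields, the Allow/Deny values, the access point ARN layout); the function name and the comparison of each ARN's access point name and owner account ID against expected values are assumptions of this example.

```python
import json
import re

# ARN layout copied from the policy structure shown on this page.
ARN_RE = re.compile(
    r"^acs:oss:[^:]+:(?P<owner>[^:]+):accesspoint/(?P<ap>[^/]+)(/object/.+)?$")
REQUIRED = ("Action", "Effect", "Principal", "Resource")

def lint_access_point_policy(text, access_point_name, owner_account_id):
    """Return a list of problems; an empty list means the checks passed."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    statements = policy.get("Statement") if isinstance(policy, dict) else None
    if not isinstance(statements, list) or not statements:
        return ["Statement must be a non-empty list"]
    problems = []
    for i, stmt in enumerate(statements):
        where = f"Statement[{i}]"
        if not isinstance(stmt, dict):
            problems.append(f"{where}: not a JSON object")
            continue
        missing = [k for k in REQUIRED if k not in stmt]
        if missing:
            problems.append(f"{where}: missing {', '.join(missing)}")
        if "Effect" in stmt and stmt["Effect"] not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be Allow or Deny")
        res = stmt.get("Resource", [])
        for arn in (res if isinstance(res, list) else [res]):
            m = ARN_RE.match(arn) if isinstance(arn, str) else None
            if m is None:
                problems.append(f"{where}: {arn!r} is not an access point ARN")
            elif m["ap"] != access_point_name:
                problems.append(f"{where}: {arn!r} names access point {m['ap']!r}")
            elif m["owner"] != owner_account_id:
                problems.append(f"{where}: {arn!r} has owner {m['owner']!r}")
    return problems

# Constructed sample: the page's example statement with two deliberate mistakes
# (lowercase Effect, and one Resource pointing at a different access point).
SAMPLE = """{"Version": "1", "Statement": [{"Effect": "deny",
  "Action": ["oss:PutObject", "oss:GetObject"], "Principal": ["27737962156157xxxx"],
  "Resource": ["acs:oss:cn-hangzhou:111933544165xxxx:accesspoint/ap-01",
    "acs:oss:cn-hangzhou:111933544165xxxx:accesspoint/ap-02/object/*"]}]}"""

if __name__ == "__main__":
    print("\n".join(lint_access_point_policy(SAMPLE, "ap-01", "111933544165xxxx")))
```

Run it against the contents of the policy file before calling ossutil, with the same access point name you pass to --access-point-name.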
