
Object Storage Service: put-bucket-policy

Last Updated: Mar 20, 2026

The put-bucket-policy command configures a bucket policy, granting access to resources in the bucket for the current Alibaba Cloud account or other Alibaba Cloud accounts, including RAM users and RAM roles.

Prerequisites

Before you begin, ensure that you have:

Syntax

ossutil api put-bucket-policy --bucket <value> --body <value> [flags]

Parameters without brackets are required. Parameters in brackets are optional.

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| --bucket | string | Yes | The name of the bucket to configure the policy for. |
| --body | string | Yes | The bucket policy as a JSON document. |

This command corresponds to the PutBucketPolicy API operation. For supported global flags, see Supported global command line options.

Bucket policy structure

A bucket policy is a JSON document with two top-level fields: Version and Statement.

{
  "Version": "1",
  "Statement": [
    {
      "Action": ["oss:PutObject", "oss:GetObject"],
      "Effect": "Deny",
      "Principal": ["1234567890"],
      "Resource": ["acs:oss:*:1234567890:*/*"]
    }
  ]
}

| Field | Description |
| --- | --- |
| Version | The policy version. Default value: 1. |
| Statement | An array of permission statements. Each statement defines one set of access permissions. |
| Statement.Action | The OSS operations to allow or deny, such as oss:PutObject and oss:GetObject. |
| Statement.Effect | Whether the statement allows or denies access. Valid values: Allow, Deny. |
| Statement.Principal | The UID of the Alibaba Cloud account, RAM user, or RAM role the policy applies to. |
| Statement.Resource | The OSS resources the policy applies to, in the format acs:oss:*:<account-uid>:<bucket-name>/<object-path>. |

For more policy examples, see Common examples of bucket policies.

Example

The following command denies oss:PutObject and oss:GetObject permissions for user 1234567890 on all objects in examplebucket.

ossutil api put-bucket-policy --bucket examplebucket --body "{\"Version\":\"1\",\"Statement\":[{\"Action\":[\"oss:PutObject\",\"oss:GetObject\"],\"Effect\":\"Deny\",\"Principal\":[\"1234567890\"],\"Resource\":[\"acs:oss:*:1234567890:*/*\"]}]}"
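
A pre-flight check for the `--body` string, added here as an example (it is not part of ossutil or the original page): it validates the fields from the table above and reports resources whose bucket segment is a wildcard or differs from the `--bucket` target. The names `lint_bucket_policy`, `_items`, `RESOURCE_RE` and `PAGE_BODY` are hypothetical; it assumes `Action`, `Principal` and `Resource` are arrays, as in the page's policy, and treating a wildcard bucket segment as a finding is this checker's own convention.

```python
import json
import re

# Format from the field table: acs:oss:*:<account-uid>:<bucket-name>/<object-path>
RESOURCE_RE = re.compile(r"^acs:oss:\*:([^:]+):([^/:]+)/(.+)$")

def _items(value):
    return value if isinstance(value, list) else []

def lint_bucket_policy(body, bucket):
    """Return a list of findings for a --body string aimed at --bucket <bucket>."""
    try:
        policy = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"body is not valid JSON: {exc.msg}"]
    if not isinstance(policy, dict):
        return ["top level must be a JSON object"]
    findings = []
    statements = _items(policy.get("Statement"))
    if not statements:
        findings.append("Statement must be a non-empty array")
    for i, st in enumerate(statements):
        where = f"Statement[{i}]"
        if not isinstance(st, dict):
            findings.append(f"{where}: must be a JSON object")
            continue
        if st.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{where}: Effect must be Allow or Deny")
        for field in ("Action", "Principal", "Resource"):
            if not _items(st.get(field)):
                findings.append(f"{where}: {field} must be a non-empty array")
        for action in _items(st.get("Action")):
            if not str(action).startswith("oss:"):
                findings.append(f"{where}: {action!r} is not an oss: operation")
        for res in _items(st.get("Resource")):
            m = RESOURCE_RE.match(str(res))
            if not m:
                findings.append(f"{where}: {res!r} does not match the resource format")
            elif m.group(2) == "*":
                findings.append(f"{where}: {res!r} has a wildcard bucket name")
            elif m.group(2) != bucket:
                findings.append(f"{where}: {res!r} names a bucket other than {bucket}")
    return findings

# The policy from this page's example, as the unescaped string passed to --body.
PAGE_BODY = ('{"Version":"1","Statement":[{"Action":["oss:PutObject","oss:GetObject"],'
             '"Effect":"Deny","Principal":["1234567890"],"Resource":["acs:oss:*:1234567890:*/*"]}]}')
```

Run against `PAGE_BODY` with bucket `examplebucket`, it returns one finding, for the `*/*` resource; writing the resource as `acs:oss:*:1234567890:examplebucket/*` returns none.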