Object Storage Service: Manage the ACLs of buckets (Go SDK V2)

Last Updated: Mar 20, 2026

Use Go SDK V2 to set and retrieve the access control list (ACL) of an OSS bucket.

ACLs control who can read or write objects in a bucket. For more granular access control at the user or role level, use RAM policies instead.

ACL types

OSS supports three bucket ACL types:

| ACL | Access granted | Go SDK constant |
|---|---|---|
| Private | Owner and authorized users: full control. Others: no access. | oss.BucketACLPrivate |
| Public-read | Owner and authorized users: full control. Others: read-only. | oss.BucketACLPublicRead |
| Public-read-write | Owner: full control. Others: read and write. | oss.BucketACLPublicReadWrite |

Warning

Public-read and Public-read-write make bucket objects accessible to anyone on the internet, including anonymous users. Avoid these settings unless you intentionally serve public content.

Prerequisites

Before you begin, ensure that you have:

  • An OSS bucket

  • The oss:PutBucketAcl permission to set a bucket ACL

  • The oss:GetBucketAcl permission to retrieve a bucket ACL

For information about granting these permissions to RAM users, see Grant custom policy to RAM users.

Usage notes

  • The sample code uses the region ID cn-hangzhou. Replace it with the region where your bucket is located. For a full list of regions and endpoints, see OSS regions and endpoints.

  • The sample code reads access credentials from environment variables. For other credential options, see Configure access credentials.

  • To access OSS from another Alibaba Cloud service in the same region, use an internal endpoint instead of the default public endpoint.

Set and retrieve a bucket ACL

The following example sets the bucket ACL to Private, then retrieves the ACL to confirm the change.

package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
)

var (
	region     string
	bucketName string
)

func init() {
	flag.StringVar(&region, "region", "", "The region where the bucket is located.")
	flag.StringVar(&bucketName, "bucket", "", "The name of the bucket.")
}

func main() {
	flag.Parse()

	if len(bucketName) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, bucket name required")
	}

	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	client := oss.NewClient(cfg)

	// Set the bucket ACL to Private.
	putResult, err := client.PutBucketAcl(context.TODO(), &oss.PutBucketAclRequest{
		Bucket: oss.Ptr(bucketName),
		Acl:    oss.BucketACLPrivate,
	})
	if err != nil {
		log.Fatalf("failed to set bucket ACL: %v", err)
	}
	log.Printf("PutBucketAcl result: %#v\n", putResult)

	// Retrieve the bucket ACL.
	getResult, err := client.GetBucketAcl(context.TODO(), &oss.GetBucketAclRequest{
		Bucket: oss.Ptr(bucketName),
	})
	if err != nil {
		log.Fatalf("failed to get bucket ACL: %v", err)
	}
	log.Printf("GetBucketAcl result: %#v\n", getResult)
}
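
The sample above only logs the retrieved ACL. The following added example (not part of the original page or the SDK) shows one way to act on it: audit a set of buckets and report any public ACL that is not explicitly approved. The ACLReader interface, the approval allowlist, the bucket names and the policy of never allowing public-read-write are assumptions of this example, as is the use of the lowercase ACL names (private, public-read, public-read-write) as the returned values.

```go
package main

import (
	"context"
	"fmt"
)

// ACLReader is a hypothetical seam for this example; production code would
// implement it with a thin wrapper around the client.GetBucketAcl call above.
type ACLReader interface{ BucketACL(ctx context.Context, bucket string) (string, error) }

// Finding records a bucket whose ACL is more open than the policy allows.
type Finding struct{ Bucket, ACL, Reason string }

// AuditACLs reports public ACLs that are not explicitly approved. Lookup
// errors and unknown ACL values are reported too, so the audit fails closed.
func AuditACLs(ctx context.Context, r ACLReader, buckets []string, approvedPublicRead map[string]bool) []Finding {
	var out []Finding
	for _, b := range buckets {
		acl, err := r.BucketACL(ctx, b)
		switch {
		case err != nil:
			out = append(out, Finding{b, "", "ACL lookup failed: " + err.Error()})
		case acl == "private", acl == "public-read" && approvedPublicRead[b]: // compliant
		case acl == "public-read":
			out = append(out, Finding{b, acl, "anonymous read not approved"})
		case acl == "public-read-write":
			out = append(out, Finding{b, acl, "anonymous write not allowed by this example policy"})
		default:
			out = append(out, Finding{b, acl, "unrecognized ACL value"})
		}
	}
	return out
}

// fakeReader serves constructed ACL values so the example runs offline.
type fakeReader map[string]string

func (f fakeReader) BucketACL(_ context.Context, b string) (string, error) {
	if acl, ok := f[b]; ok {
		return acl, nil
	}
	return "", fmt.Errorf("no such bucket %q", b)
}

func main() {
	r := fakeReader{"logs": "private", "www": "public-read", "tmp": "public-read", "drop": "public-read-write"}
	fmt.Println(AuditACLs(context.Background(), r, []string{"logs", "www", "tmp", "drop", "gone"}, map[string]bool{"www": true}))
}
```

Run on a schedule or in CI, a non-empty result is the signal to reset the bucket to Private with PutBucketAcl or to record an explicit approval.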
