This topic describes how to set and retrieve the access control list (ACL) of an object using OSS Go SDK V2.
Usage notes
The sample code in this topic uses the China (Hangzhou) region (cn-hangzhou) and public endpoint by default. To access OSS from other Alibaba Cloud services in the same region, use an internal endpoint. For region-to-endpoint mappings, see OSS regions and endpoints.
Access credentials are loaded from environment variables. For other methods, see Configure access credentials.
Setting an object ACL requires the oss:PutObjectAcl permission. Retrieving an object ACL requires the oss:GetObjectAcl permission. For details, see Grant a custom policy to a RAM user.
ACL types
Objects support four ACL types:
ACL | Description | Value |
Inherit from bucket | The object inherits the bucket ACL. This is the default when no ACL is explicitly set. | |
Private | Only the owner and authorized users have read and write access. Other users have no access. | |
Public-read | The owner and authorized users have read and write access. Other users have read-only access. Use with caution. | |
Public-read-write | All users have read and write access. Use with caution. | |
An object ACL takes precedence over the bucket ACL. For example, if the bucket ACL is private but the object ACL is public-read-write, all users can read and write the object. If no ACL is set for an object, it inherits the bucket ACL.
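The precedence rule above can be turned into an audit check that finds objects left public by an object-level ACL even though the bucket is private. This is an added example, not code from the SDK or its documentation: the names EffectiveACL, Audit and Finding are hypothetical, the inventory is constructed, and the ACL strings are assumed to be the values OSS reports (default, private, public-read, public-read-write).

```go
package main

import (
	"fmt"
	"sort"
)

// rank orders the concrete ACL values by exposure; higher means more open.
var rank = map[string]int{"private": 0, "public-read": 1, "public-read-write": 2}

// EffectiveACL returns the governing ACL: an explicit object ACL wins, "default" or unset inherits the bucket's.
func EffectiveACL(bucketACL, objectACL string) (string, error) {
	eff := objectACL
	if eff == "" || eff == "default" {
		eff = bucketACL
	}
	if _, ok := rank[eff]; !ok {
		return "", fmt.Errorf("unknown ACL %q", eff) // fail closed on unrecognized values
	}
	return eff, nil
}

type Finding struct { // one object whose effective ACL is public
	Key, Effective string
	Override       bool // object ACL is more open than the bucket ACL
}

// Audit lists publicly accessible objects, sorted by key; objectACLs maps key -> reported ACL.
func Audit(bucketACL string, objectACLs map[string]string) ([]Finding, error) {
	if _, err := EffectiveACL(bucketACL, ""); err != nil {
		return nil, fmt.Errorf("bucket: %w", err)
	}
	var out []Finding
	for key, acl := range objectACLs {
		eff, err := EffectiveACL(bucketACL, acl)
		if err != nil {
			return nil, fmt.Errorf("object %s: %w", key, err)
		}
		if rank[eff] > rank["private"] {
			out = append(out, Finding{key, eff, rank[eff] > rank[bucketACL]})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Key < out[j].Key })
	return out, nil
}

func main() {
	inv := map[string]string{"a.txt": "default", "b.txt": "public-read-write"} // constructed sample
	fmt.Println(Audit("private", inv))
}
```

In a real audit the map would be filled from the ACL that GetObjectAcl reports for each key; findings with Override set are the ones a bucket-level review alone would miss.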
Sample code
The following example sets the ACL of an object to private, then retrieves it.
package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
)

// Define global variables.
var (
	region     string // The region where the bucket is located.
	bucketName string // The name of the bucket.
	objectName string // The name of the object.
)

// The init function is used to initialize command-line parameters.
func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&bucketName, "bucket", "", "The name of the bucket.")
	flag.StringVar(&objectName, "object", "", "The name of the object.")
}

func main() {
	// Parse command-line parameters.
	flag.Parse()

	// Check whether the region is empty.
	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	// Check whether the bucket name is empty.
	if len(bucketName) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, bucket name required")
	}

	// Check whether the object name is empty.
	if len(objectName) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, object name required")
	}

	// Load the default configurations and set the credential provider and region.
	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	// Create an OSS client.
	client := oss.NewClient(cfg)

	// Create a request to set the ACL of the object.
	putRequest := &oss.PutObjectAclRequest{
		Bucket: oss.Ptr(bucketName),  // The name of the bucket.
		Key:    oss.Ptr(objectName),  // The name of the object.
		Acl:    oss.ObjectACLPrivate, // Set the ACL of the object to private.
	}

	// Execute the operation to set the ACL of the object.
	putResult, err := client.PutObjectAcl(context.TODO(), putRequest)
	if err != nil {
		log.Fatalf("failed to put object acl %v", err)
	}

	// Print the result of setting the object ACL.
	log.Printf("put object acl result:%#v\n", putResult)

	// Create a request to retrieve the ACL of the object.
	getRequest := &oss.GetObjectAclRequest{
		Bucket: oss.Ptr(bucketName), // The name of the bucket.
		Key:    oss.Ptr(objectName), // The name of the object.
	}

	// Execute the operation to retrieve the ACL of the object.
	getResult, err := client.GetObjectAcl(context.TODO(), getRequest)
	if err != nil {
		log.Fatalf("failed to get object acl %v", err)
	}

	// Print the result of retrieving the object ACL.
	log.Printf("get object acl result:%#v\n", getResult)
}

References
Complete sample code for setting the object ACL: GitHub sample.
API documentation for PutObjectAcl: PutObjectAcl.
Complete sample code for retrieving the object ACL: GitHub sample.
API documentation for GetObjectAcl: GetObjectAcl.