Object Storage Service: Tutorial: Use a RAM policy to allow a user to access OSS resources only over HTTPS

Last Updated:Mar 02, 2023

Object Storage Service (OSS) supports access to resources over both HTTPS and HTTP. Over plaintext HTTP, requests and object contents travel unencrypted and can be read or tampered with on the network path. To protect OSS resources, we recommend that you allow access only over HTTPS and deny access over HTTP. This topic describes how to use a Resource Access Management (RAM) policy to allow a RAM user or role to access OSS resources only over HTTPS.

Background information

You can use a RAM policy in OSS to allow a user or a role to access specified buckets or objects only over HTTPS. RAM policies are identity-based: they are attached to a RAM user or role and constrain only that principal's requests, so they cannot implement resource-based (bucket-level or object-level) access control. Therefore, you cannot use a RAM policy to block HTTP requests to a bucket or object from all users, including anonymous requests to public-read resources; that requires a resource-based control such as an OSS bucket policy.

Procedure

  1. Log on to the RAM console.

If you log on to the RAM console as a RAM user, make sure that the AliyunOSSFullAccess, AliyunRAMFullAccess, and AliyunSTSAssumeRoleAccess policies are attached to the RAM user. For more information about how to grant permissions to a RAM user, see Grant permissions to a RAM user.

  2. Create a custom RAM policy with a Deny statement whose acs:SecureTransport condition is false, so that any OSS request the user sends over plaintext HTTP is rejected. For more information about how to create a custom RAM policy, see Create a custom policy. The following sample policy denies all OSS actions (oss:*) on all OSS resources (acs:oss:*:*:*) when the request does not use TLS; narrow the Resource element to specific buckets if only some of them should be HTTPS-only:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:*"
      ],
      "Resource": [
        "acs:oss:*:*:*"
      ],
      "Condition": {
        "Bool": {
          "acs:SecureTransport": [
            "false"
          ]
        }
      }
    }
  ]
}
Note

The acs:SecureTransport condition does not redirect or upgrade requests: an HTTP request that matches the Deny statement is rejected with 403 AccessDenied rather than converted to HTTPS, and an HTTPS request is never downgraded to HTTP. Use the Deny effect to block HTTP requests rather than the Allow effect to permit HTTPS requests. RAM evaluates an explicit Deny ahead of any Allow, so the Deny statement holds no matter which other policies (for example, AliyunOSSFullAccess) are attached to the user. An Allow statement conditioned on acs:SecureTransport being true, by contrast, simply does not match HTTP requests and leaves any other attached policy free to allow them.

  3. Attach the RAM policy to the RAM user.

For more information about how to grant permissions to a RAM user, see Grant permissions to a RAM user.

  4. Upload a file over HTTP. Use the AccessKey pair of the RAM user from step 3: the credentials of an Alibaba Cloud account are not subject to RAM policies, so testing with them would succeed over HTTP and prove nothing. The following sample code shows how to use OSS SDK for Python to upload a file over HTTP:

# -*- coding: utf-8 -*-
import os
import oss2

# The AccessKey pair of an Alibaba Cloud account has permissions on all API operations and is not restricted by RAM policies. Using these credentials to perform operations in OSS is a high-risk operation. Use the AccessKey pair of the RAM user to which you attached the policy, and read it from environment variables instead of hard-coding it in the script. To create a RAM user, log on to the RAM console. 
auth = oss2.Auth(os.environ['OSS_ACCESS_KEY_ID'], os.environ['OSS_ACCESS_KEY_SECRET'])
# Specify the endpoint of the region in which the bucket is located. This sample deliberately uses the plaintext http:// endpoint of the China (Hangzhou) region so that the Deny statement is triggered. 
bucket = oss2.Bucket(auth, 'http://oss-cn-hangzhou.aliyuncs.com', 'examplebucket')

# Specify the full paths of the object and the local file. Do not include the bucket name in the full path of the object. 
# By default, if you do not specify the full path of a local file, the local file is uploaded from the path of the project to which the sample program belongs. 
result = bucket.put_object_from_file('exampleobject.txt', 'D:\\localpath\\examplefile.txt')
# Not reached when the policy is in effect: the SDK raises oss2.exceptions.AccessDenied instead. 
print('Put object done, req_id: {0}, status_code: {1}'.format(result.request_id, result.status))

If the following exception is raised, the upload was rejected with 403 AccessDenied. This shows that the Deny statement is in effect; the Message text is OSS's generic AccessDenied wording, and the request was rejected by the RAM policy, not by the bucket ACL.

oss2.exceptions.AccessDenied: {'status': 403, 'x-oss-request-id': '6V37D53DMF67EBeDF5BDa095',
'details': {'HostId': 'examplebucket.oss-cn-hangzhou.aliyuncs.com',
'Message': 'You have no right to access this object because of bucket acl.',
'Code': 'AccessDenied', 'RequestId': '6V37D53DMF67EBeDF5BDa095'}}

  5. Upload a file over HTTPS, again with the AccessKey pair of the RAM user. The following sample code shows how to use OSS SDK for Python to upload a file over HTTPS:

# -*- coding: utf-8 -*-
import os
import oss2

# The AccessKey pair of an Alibaba Cloud account has permissions on all API operations and is not restricted by RAM policies. Using these credentials to perform operations in OSS is a high-risk operation. Use the AccessKey pair of the RAM user to which you attached the policy, and read it from environment variables instead of hard-coding it in the script. To create a RAM user, log on to the RAM console. 
auth = oss2.Auth(os.environ['OSS_ACCESS_KEY_ID'], os.environ['OSS_ACCESS_KEY_SECRET'])
# Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. The https:// scheme is what makes acs:SecureTransport true. 
bucket = oss2.Bucket(auth, 'https://oss-cn-hangzhou.aliyuncs.com', 'examplebucket')

# Specify the full paths of the object and the local file. Do not include the bucket name in the full path of the object. 
# By default, if you do not specify the full path of a local file, the local file is uploaded from the path of the project to which the sample program belongs. 
result = bucket.put_object_from_file('exampleobject.txt', 'D:\\localpath\\examplefile.txt')
# The request ID and HTTP status are taken from the RequestResult returned by the SDK. 
print('Put object done, req_id: {0}, status_code: {1}'.format(result.request_id, result.status))

If the following content is returned, the file was uploaded: the request used TLS, so acs:SecureTransport is true and the Deny statement does not match.

Put object done, req_id: 6V37D53DMF67EBeDF5BDa095, status_code: 200
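The reasoning in the note under step 2 (use Deny, not Allow) can be checked without touching a real bucket. The following script is an added example, not code from the original page or from Alibaba Cloud's SDK: it models the part of RAM policy evaluation that matters here (statements match on Action, Resource and Condition; an explicit Deny overrides any Allow; a request matched by no statement is implicitly denied) and runs the tutorial's PutObject request through the Deny-style policy from step 2, an Allow-style alternative, and a stand-in for a broad grant such as AliyunOSSFullAccess. The evaluator, the OSS_FULL_ACCESS policy body and the resource string are simplifications assumed for illustration; real OSS authorization also involves bucket policies and ACLs.

```python
# Added example: a simplified model of RAM policy evaluation, written to show
# why the HTTPS-only rule has to be a Deny statement. This is not Alibaba
# Cloud's evaluator; it keeps only the rules needed here: statements match on
# Action, Resource and Condition, an explicit Deny beats any Allow, and a
# request matched by no statement is implicitly denied.
import fnmatch
import json

# The policy from step 2 of the procedure.
HTTPS_ONLY_DENY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["oss:*"],
      "Resource": ["acs:oss:*:*:*"],
      "Condition": {"Bool": {"acs:SecureTransport": ["false"]}}
    }
  ]
}
""")

# The tempting alternative that the note warns against: allow only over HTTPS.
HTTPS_ONLY_ALLOW = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:*"],
        "Resource": ["acs:oss:*:*:*"],
        "Condition": {"Bool": {"acs:SecureTransport": ["true"]}},
    }],
}

# Assumed stand-in for a broad system policy such as AliyunOSSFullAccess that
# is usually already attached to the RAM user (body is illustrative only).
OSS_FULL_ACCESS = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": ["oss:*"], "Resource": ["*"]}],
}

# The request made by the tutorial's SDK samples; region and account ID are
# left as wildcards in the resource string.
PUT_ACTION = "oss:PutObject"
PUT_RESOURCE = "acs:oss:*:*:examplebucket/exampleobject.txt"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """RAM-style wildcard match: '*' matches any run of characters."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """Only the Bool operator is modelled; every key in the block must match."""
    for operator, keys in (condition or {}).items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in keys.items():
            actual = str(ctx.get(key, "")).lower()
            if actual not in [str(e).lower() for e in _as_list(expected)]:
                return False
    return True


def evaluate(policies, action, resource, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)
                    and _condition_holds(stmt.get("Condition"), ctx)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit Deny wins; nothing else can override it
            decision = "Allow"
    return decision


def put_object_decision(policies, over_https):
    """Decision for PutObject on examplebucket over HTTPS or plaintext HTTP."""
    ctx = {"acs:SecureTransport": "true" if over_https else "false"}
    return evaluate(policies, PUT_ACTION, PUT_RESOURCE, ctx)


def enforces_https_only(policy):
    """Audit check: with a broad Allow also attached, does this policy still
    reject plaintext HTTP while leaving HTTPS usable?"""
    attached = [OSS_FULL_ACCESS, policy]
    return (put_object_decision(attached, over_https=False) == "Deny"
            and put_object_decision(attached, over_https=True) == "Allow")


if __name__ == "__main__":
    for name, policy in (("Deny-style", HTTPS_ONLY_DENY), ("Allow-style", HTTPS_ONLY_ALLOW)):
        for https in (False, True):
            d = put_object_decision([OSS_FULL_ACCESS, policy], https)
            print(f"{name} + full access, {'HTTPS' if https else 'HTTP'}: {d}")
        print(f"{name} enforces HTTPS-only: {enforces_https_only(policy)}")
```

The Allow-style policy only blocks HTTP when it is the sole policy attached to the user (the HTTP request is then implicitly denied); as soon as a grant such as AliyunOSSFullAccess is also attached, HTTP is allowed again, which is the note's point. The Deny-style policy rejects HTTP regardless of what else is attached, and enforces_https_only can be run over any candidate policy document before it is attached.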