Control access to OSS by using RAM policies - Object Storage Service

This tutorial uses a business scenario to demonstrate how to configure fine-grained access permissions for OSS buckets, folders, and files. You will learn how the flat storage structure and prefix listing mechanism of OSS affect policy configuration and how to grant folder-level read/write, read-only, and deny access permissions to different Resource Access Management (RAM) users.

Storage structure and authorization

OSS storage model

OSS uses a flat storage model, which stores objects as key-value pairs directly within a bucket. No physical directory hierarchy exists. The folders that you see in the console are simulated using object key prefixes and a separator (/). This lets you group, classify, and manage objects.

For the examplebucket bucket, the folder structure and corresponding Object Keys are displayed in the console as follows:

examplebucket
├── Development/                     # Key: Development/ (folder object)
│   ├── Alibaba Cloud.pdf            # Key: Development/Alibaba Cloud.pdf
│   ├── ProjectA.docx                # Key: Development/ProjectA.docx
│   └── ProjectB.docx                # Key: Development/ProjectB.docx
├── Marketing/                       # Key: Marketing/ (folder object)
│   ├── data2020.xlsx                # Key: Marketing/data2020.xlsx
│   └── data2021.xlsx                # Key: Marketing/data2021.xlsx
├── Private/                         # Key: Private/ (folder object)
│   └── 2017/                        # Key: Private/2017/ (folder object)
│       ├── images.zip               # Key: Private/2017/images.zip
│       └── promote.pptx             # Key: Private/2017/promote.pptx
└── oss-dg.pdf                       # Key: oss-dg.pdf

The key of a folder object ends with /. OSS uses this as a flag to identify the object as a folder. However, all objects, including folder objects, are stored in a flat structure.

Because OSS does not have a real directory hierarchy, when you grant access to a folder, you are actually granting access to all objects that have a specific prefix. For example, granting access to the Development/ folder is equivalent to granting access to all objects whose keys start with Development/.

Differences in requests for buckets, folders, and files

Operations on different targets, such as buckets, folders, and files, correspond to different API requests and Resource configurations. Understanding these differences is key to correctly configuring access policies.

ListObjects request mechanism

Displaying the folder structure in the console's file list relies on two core parameters of the GetBucket (ListObjects) API operation:

Parameter	Function	Example value
`prefix`	Limits the returned objects to those whose keys start with this prefix.	`Development/`
`delimiter`	The character used to group objects. This is usually `/`.	`/`

When a user clicks the Development/ folder in the console, the console sends the following request to OSS:

GET /?prefix=Development/&delimiter=/ HTTP/1.1
Host: examplebucket.oss-cn-hangzhou.aliyuncs.com

OSS returns all objects that start with Development/. Because delimiter=/ is specified, OSS returns subfolders, such as Development/SubFolder/, as CommonPrefixes instead of listing all the files within them.

Resource configurations for different operations

Operation target	Triggered API	Resource configuration	Key points for policy configuration
List the root directory of a bucket	ListObjects, with an empty prefix and `/` as the delimiter	`acs:oss:::examplebucket`	The Resource element points to the bucket itself, not a specific path.
Enter a folder	ListObjects, with prefix set to `foldername/` and delimiter set to `/`	`acs:oss:::examplebucket`	The Resource element points to the bucket itself, not a specific path. The listable range is restricted by the `oss:Prefix` condition.
Read or write file content	GetObject, PutObject	`acs:oss:::examplebucket/foldername/*`	The Resource element can specify a path and supports the wildcard character `*`.

Differences between console and API/SDK access

Accessing OSS through the console requires more permissions than accessing it directly using an API or SDK. This is because a user needs to navigate from the bucket list to the target folder.

Access method	Required permissions
API/SDK	Only permissions for the target resource operation are required, such as `oss:GetObject`.
Console	In addition to permissions on the target resource, auxiliary permissions such as `oss:ListBuckets` (to display the bucket list) and `oss:GetBucketInfo` (to display bucket information) are required.

Scenario

Assume that the access control list (ACL) for all objects in the examplebucket bucket is set to private by default. The bucket structure is as follows:

examplebucket
├── Development/           # Development department folder
│   ├── Alibaba Cloud.pdf
│   ├── ProjectA.docx
│   └── ProjectB.docx
├── Marketing/             # Marketing department folder
│   ├── data2020.xlsx
│   └── data2021.xlsx
├── Private/               # Confidential folder
│   └── 2017/
│       ├── images.zip
│       └── promote.pptx
└── oss-dg.pdf

The access control objectives are as follows:

RAM user/User group	Authorization target	Permission type
RAM user Anne	The `Development/` folder and all its files	Read and write permissions
RAM user Leo	The `Marketing/` folder and all its files	Read-only permissions
All members of a specified user group	The `Private/` folder and all its files	Access denied

Step 1: Create a bucket and upload files

Go to the Bucket list page and click Create Bucket. Name the bucket examplebucket.
In the bucket, click Create Folder to create the Development, Marketing, and Private folders. Then, create a 2017 subfolder in the Private folder.
Click Upload File and upload files to the following paths:
- Root directory: oss-dg.pdf
- Development/ folder: Alibaba Cloud.pdf, ProjectA.docx, ProjectB.docx
- Marketing/ folder: data2020.xlsx, data2021.xlsx
- Private/2017/ folder: images.zip, promote.pptx

Step 2: Create RAM users Anne and Leo

Go to the User List page and click Create User. Create the users Anne and Leo.

Step 3: Grant Anne read and write permissions on the Development folder

Policy design approach

To grant read and write access to the Development/ folder, you need to grant two types of permissions:

List permission: Allows a user to list the objects in the Development/ folder (oss:ListObjects). A Condition restricts the listing to objects that start with the Development prefix.
Read and write permissions: Grants permission to read (oss:GetObject) and upload (oss:PutObject) files in the Development/ folder. The Resource element points to examplebucket/Development/*.

Create and grant the policy

Go to the RAM Policies page and click Create Policy.

Select the Script Editor tab and enter the following policy content:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss:ListObjects",
      "Resource": "acs:oss:*:*:examplebucket",
      "Condition": {
        "StringLike": {
          "oss:Prefix": [
            "Development",
            "Development/*"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:PutObject",
        "oss:GetObjectAcl"
      ],
      "Resource": "acs:oss:*:*:examplebucket/Development/*"
    }
  ]
}

Policy analysis:

First Statement: Grants the list permission on the bucket. The Condition with oss:Prefix restricts the listing to content within the Development folder and its subfolders.
Second Statement: Grants read and write permissions. The Resource points to all objects in the Development/* path.

Click OK. Enter a Policy Name, such as AllowAnneAccessDevelopment, and click OK to create the policy.
Go to the User List page. Find the RAM user Anne, click Add Permissions, and select the policy that you just created.

Step 4: Grant Leo read-only permissions on the Marketing folder

Follow the procedure in Step 3 to create and grant a read-only policy for the RAM user Leo. The only difference from the read/write policy is that the Action element includes only read-related operations. The policy content is as follows:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss:ListObjects",
      "Resource": "acs:oss:*:*:examplebucket",
      "Condition": {
        "StringLike": {
          "oss:Prefix": [
            "Marketing",
            "Marketing/*"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:GetObjectAcl"
      ],
      "Resource": "acs:oss:*:*:examplebucket/Marketing/*"
    }
  ]
}

The oss:PutObject action is removed. Leo can only read files but cannot upload or modify them.

Step 5: Deny a specified user group access to the Private folder

You can manage permissions centrally using a user group. Add the RAM users who should be denied access to the Private/ folder to the same user group. Then, attach a deny policy to that group.

Note

This method applies only to RAM users who are members of the user group. To deny access for all RAM users in your account, including new ones, you must configure a deny policy on the bucket using a bucket policy.

Create a user group and add members

Go to the RAM User Groups page and click Create User Group. For example, name it DenyPrivateAccessGroup.
Click Add Members and add the RAM users who should be denied access to the Private/ folder to the user group.

Create and grant the deny policy

Go to the RAM Policies page and click Create Policy.