Authorize other users to access resources in an OSS on CloudBox bucket by configuring bucket policies
Bucket policies let you grant other accounts, RAM users, or RAM roles access to specific resources in an Object Storage Service (OSS) on CloudBox bucket without modifying RAM policies. The bucket owner writes the policy; the permissions apply only to resources owned by that bucket owner.
How bucket policies work
Key rules:
Permissions are additive. When multiple bucket policies apply to the same user, the effective permissions are the union of all policies.
Deny takes precedence. If any policy explicitly denies an action, the deny overrides any allow, regardless of policy order.
RAM roles cannot use the console. When the authorized principal is a RAM role, the role can access resources only through ossutil, an OSS SDK, or the OSS API — not through the OSS console.
Use cases
Grant a cross-account user or a specific RAM user access to manage an entire bucket or a subset of resources within it.
Grant different permission levels (read-only, read/write, or full access) to different RAM users under the same account.
Prerequisites
Before you begin, ensure that you have:
OSS on CloudBox enabled in your region. Supported regions: China (Hangzhou), China (Shanghai), China (Shenzhen), China (Heyuan), China (Beijing), and China (Chengdu)
A purchased cloud box. For more information, see Purchase a cloud box
A Virtual Private Cloud (VPC) and a vSwitch created in OSS on CloudBox. For more information, see Create a VPC and a vSwitch
A VPC internal network set up with a single tunnel for secure connection. To apply for this feature, contact technical support
Configure a bucket policy
Use the OSS console
Use OSS SDK for Java
Use ossutil
Use the OSS API
What's next
To verify that a bucket policy is working, access the bucket as the authorized user and confirm that the expected operations succeed and unauthorized operations are denied.
To manage existing policies, return to Permission Control > Bucket Policy in the console to edit or delete policy rules.
To learn about RAM-based authorization as an alternative to bucket policies, see RAM policies.