Authorize other users to access resources in an OSS on CloudBox bucket by configuring bucket policies

Updated at:
Copy as MD

Bucket policies let you grant other accounts, RAM users, or RAM roles access to specific resources in an Object Storage Service (OSS) on CloudBox bucket without modifying RAM policies. The bucket owner writes the policy; the permissions apply only to resources owned by that bucket owner.

How bucket policies work

Key rules:

  • Permissions are additive. When multiple bucket policies apply to the same user, the effective permissions are the union of all policies.

  • Deny takes precedence. If any policy explicitly denies an action, the deny overrides any allow, regardless of policy order.

  • RAM roles cannot use the console. When the authorized principal is a RAM role, the role can access resources only through ossutil, an OSS SDK, or the OSS API — not through the OSS console.

Use cases

  • Grant a cross-account user or a specific RAM user access to manage an entire bucket or a subset of resources within it.

  • Grant different permission levels (read-only, read/write, or full access) to different RAM users under the same account.

Prerequisites

Before you begin, ensure that you have:

  • OSS on CloudBox enabled in your region. Supported regions: China (Hangzhou), China (Shanghai), China (Shenzhen), China (Heyuan), China (Beijing), and China (Chengdu)

  • A purchased cloud box. For more information, see Purchase a cloud box

  • A Virtual Private Cloud (VPC) and a vSwitch created in OSS on CloudBox. For more information, see Create a VPC and a vSwitch

  • A VPC internal network set up with a single tunnel for secure connection. To apply for this feature, contact technical support

Configure a bucket policy

Use the OSS console

Method 1: Configure a bucket policy using the GUI

  1. Log on to the OSS console.OSS

  2. In the left-side navigation pane, choose Data Service > OSS on CloudBox Buckets. On the OSS on CloudBox Buckets page, click the target bucket.

  3. In the left-side navigation pane, choose Permission Control > Bucket Policy.

  4. On the Bucket Policy tab, click Add in GUI, and then click Authorize.

  5. In the Authorize panel, configure the parameters described in the following table, and then click OK.

ParameterDescription
Applied toThe scope of the policy. <br>- Whole Bucket: The policy applies to the entire bucket. <br>- Specific Resources: The policy applies only to specified resources. You can add multiple policies for different resources. <br>&nbsp;&nbsp;- To grant access to all objects and subdirectories in a folder, append a wildcard character (*) to the folder name. For example, enter abc/* to grant access to all contents under the abc/ folder. <br>&nbsp;&nbsp;- To grant access to a specific object, enter its full path without the bucket name. For example, enter abc/myphoto.png.
Authorized userThe principal to grant access to. <br>- All Accounts (*): Grants access to all users, including anonymous users. <br>- RAM User: Grants access to a RAM user under the current account. Select the RAM user from the drop-down list, or enter a keyword to search by name. <br>&nbsp;&nbsp;
Important

To view and select RAM users, your account must be an Alibaba Cloud account or a RAM user with both bucket management permissions and the ListUsers permission in the RAM console. For details, see Grant permissions to a RAM user. <br>- Other Account: Grants access to users in other Alibaba Cloud accounts. <br>&nbsp;&nbsp;- For another Alibaba Cloud account or RAM user: enter the UID of the account. <br>&nbsp;&nbsp;- For a RAM role: use the format arn:sts::{RoleOwnerUid}:assumed-role/{RoleName}/{RoleSessionName}. For example: arn:sts::137918634953xxxx:assumed-role/testrole/testsession. To grant access to all RAM roles, use arn:sts::*:*/*/*. For more information, see AssumeRole. <br>&nbsp;&nbsp;

Important

RAM roles cannot access authorized resources through the OSS console. Use ossutil, an OSS SDK, or the OSS API instead. For example, to use ossutil, configure access credentials as described in Access resources using a temporary token.

Authorized operationThe permission level. Choose Basic Settings or Advanced Settings. <br><br>Basic Settings — select one of the following: <br>- Read-Only (excluding ListObject): View and download resources. <br>- Read-Only (including ListObject): View, list, and download resources. <br>- Read/Write: Read and write resources. <br>- Full Access: Read, write, and delete resources. <br>- Deny Access: Deny all operations on the specified resources. <br><br>
Important

<br>- If the bucket has OSS-HDFS enabled, do not set Actions to Deny Access for policies that apply to the .dlsdata/ folder. <br>- If multiple bucket policies apply to a user, the user's effective permissions are the sum of all policies. If any policy includes a deny permission, the deny takes precedence. For example, if you first grant a user read-only permissions and then grant read/write permissions, the user's final permissions are read/write. If you then grant deny access permissions, the user's final permission is deny access. <br>- Read-Only, Read/Write, and Full Access correspond to the Allow effect. Deny Access corresponds to the Deny effect. <br><br>Advanced Settings — configure the following fields: <br>- Effect: Allow or Deny. <br>- Actions: The specific OSS actions the policy covers. For action classifications, see RAM policies.

Condition (optional)Additional access conditions. Available in both Basic Settings and Advanced Settings modes. <br>- Access Method: Restrict access to HTTP only or HTTPS only. By default, both are allowed. HTTPS provides stronger security. To enforce HTTPS for all bucket requests, use policy syntax instead of the GUI — see How do I configure HTTPS requests and certificates?. <br>- IP =: Allow access only from the specified IP addresses or CIDR blocks (comma-separated). <br>- IP ≠: Deny access from the specified IP addresses or CIDR blocks (comma-separated). <br>- VPC=: Allow access only from the specified VPCs. Select from the current account, or click Enter Other VPC Account to enter a VPC ID from another account. <br>- VPC ≠: Deny access from the specified VPCs. <br><br>
Important

If you specify both a VPC condition and an IP condition in the same policy, the two conditions are evaluated with AND logic — a request must satisfy both.

Method 2: Configure a bucket policy using policy syntax

  1. Log on to the OSS console.OSS

  2. In the left-side navigation pane, choose Data Service > OSS on CloudBox Buckets. On the OSS on CloudBox Buckets page, click the target bucket.

  3. In the left-side navigation pane, choose Permission Control > Bucket Policy.

  4. On the Bucket Policy tab, click Add by Syntax.

  5. Click Edit, enter the policy JSON, and save.

The following examples cover common authorization scenarios.

Policy anatomy

Every bucket policy statement for OSS on CloudBox contains these fields:

FieldDescription
EffectAllow or Deny
PrincipalThe user or account the policy applies to (UID, * for all, or a RAM role ARN)
ActionThe OSS on CloudBox actions covered by the policy (e.g., oss-cloudbox:GetObject)
ResourceThe bucket or object ARN the policy applies to
Condition(Optional) Additional conditions, such as IP address or prefix restrictions

The Resource ARN format for OSS on CloudBox:

  • Bucket: acs:oss-cloudbox:*:{UID}:cloudbox/{cloudbox_id}/bucket/{bucket_name}

  • Object: acs:oss-cloudbox:*:{UID}:cloudbox/{cloudbox_id}/bucket/{bucket_name}/object/{object_name}

Example: Grant anonymous read access to all objects

Allow any user to list all objects in the bucket.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": ["*"],
            "Action": [
                "oss-cloudbox:ListObjects",
                "oss-cloudbox:ListObjectVersions"
            ],
            "Resource": [
                "acs:oss-cloudbox:*:174649585760xxxx:cloudbox/cb-f8z7yvzgwfkl9q0hxxxx/bucket/examplebucket"
            ]
        }
    ]
}

Example: Deny access from outside a CIDR block

Deny all operations on the bucket to anonymous users whose IP addresses fall outside 192.168.0.0/16.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": ["*"],
            "Action": "oss-cloudbox:*",
            "Resource": [
                "acs:oss-cloudbox:*:174649585760xxxx:cloudbox/cb-f8z7yvzgwfkl9q0hxxxx/bucket/examplebucket"
            ],
            "Condition": {
                "NotIpAddress": {
                    "acs:SourceIp": ["192.168.0.0/16"]
                }
            }
        }
    ]
}

Example: Grant a RAM user read-only access to specific folders

Allow RAM user 20214760404935xxxx to read objects only in the hangzhou/2020/ and hangzhou/2015/ directories of examplebucket.

This policy uses two statements because the ListObjects action targets the bucket resource, while GetObject targets object resources. The first statement grants GetObject and GetObjectAcl on the specific object paths. The second statement grants ListObjects and ListObjectVersions on the bucket, scoped to the matching prefixes via a StringLike condition — so the user can list only the authorized directories.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": ["20214760404935xxxx"],
            "Action": [
                "oss-cloudbox:GetObject",
                "oss-cloudbox:GetObjectAcl"
            ],
            "Resource": [
                "acs:oss-cloudbox:*:174649585760xxxx:cloudbox/cb-f8z7yvzgwfkl9q0hxxxx/bucket/examplebucket/object/hangzhou/2020/*",
                "acs:oss-cloudbox:*:174649585760xxxx:cloudbox/cb-f8z7yvzgwfkl9q0hxxxx/bucket/examplebucket/object/hangzhou/2015/*"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": ["20214760404935xxxx"],
            "Action": [
                "oss-cloudbox:ListObjects",
                "oss-cloudbox:ListObjectVersions"
            ],
            "Resource": [
                "acs:oss-cloudbox:*:174649585760xxxx:cloudbox/cb-f8z7yvzgwfkl9q0hxxxx/bucket/examplebucket"
            ],
            "Condition": {
                "StringLike": {
                    "oss-cloudbox:Prefix": [
                        "hangzhou/2020/*",
                        "hangzhou/2015/*"
                    ]
                }
            }
        }
    ]
}

Use OSS SDK for Java

Bucket policies can be configured programmatically only with OSS SDK for Java version 3.15.0 or later.

import com.aliyun.oss.ClientException;
import com.aliyun.oss.OSS;
import com.aliyun.oss.OSSClientBuilder;
import com.aliyun.oss.OSSException;
import com.aliyun.oss.common.auth.CredentialsProviderFactory;
import com.aliyun.oss.common.auth.EnvironmentVariableCredentialsProvider;
import com.aliyun.oss.ClientBuilderConfiguration;
import com.aliyun.oss.common.auth.DefaultCredentialProvider;
import com.aliyun.oss.common.comm.SignVersion;

public class Demo {

    public static void main(String[] args) throws Exception {
        // The data endpoint of the OSS on CloudBox bucket
        String endpoint = "https://cb-f8z7yvzgwfkl9q0h****.cn-hangzhou.oss-cloudbox.aliyuncs.com";
        // Load access credentials from environment variables.
        // Set OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET before running this code.
        EnvironmentVariableCredentialsProvider credentialsProvider =
            CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();
        // The name of the OSS on CloudBox bucket
        String bucketName = "examplebucket";
        // The region where the bucket is located
        String region = "cn-hangzhou";
        // The ID of the cloud box
        String cloudBoxId = "cb-f8z7yvzgwfkl9q0h****";

        // Create an OSSClient instance. Call shutdown() when done to release resources.
        ClientBuilderConfiguration conf = new ClientBuilderConfiguration();
        conf.setSignatureVersion(SignVersion.V4);
        OSS ossClient = OSSClientBuilder.create()
                .endpoint(endpoint)
                .credentialsProvider(new DefaultCredentialProvider(credentialsProvider.getCredentials()))
                .clientConfiguration(conf)
                .region(region)
                .cloudBoxId(cloudBoxId)
                .build();

        try {
            // The bucket policy in JSON format
            String policyText = "{\"Statement\": [{\"Effect\": \"Allow\", \"Action\": [\"oss-cloudbox::ListObjectVersions\", \"oss-cloudbox::ListObjects\"], \"Resource\": [\"acs:oss-cloudbox:{region}:{bucket_owner}:cloudbox/{cloudbox_id}/bucket/{bucket_name}/object/{object_name}\"]}], \"Version\": \"1\"}";

            // Apply the bucket policy
            ossClient.setBucketPolicy(bucketName, policyText);
        } catch (OSSException oe) {
            System.out.println("Caught an OSSException, which means your request made it to OSS, "
                    + "but was rejected with an error response for some reason.");
            System.out.println("Error Message:" + oe.getErrorMessage());
            System.out.println("Error Code:" + oe.getErrorCode());
            System.out.println("Request ID:" + oe.getRequestId());
            System.out.println("Host ID:" + oe.getHostId());
        } catch (ClientException ce) {
            System.out.println("Caught a ClientException, which means the client encountered "
                    + "a serious internal problem while trying to communicate with OSS, "
                    + "such as not being able to access the network.");
            System.out.println("Error Message:" + ce.getMessage());
        } finally {
            if (ossClient != null) {
                ossClient.shutdown();
            }
        }
    }
}

Use ossutil

Use the put-bucket-policy command to configure or update a bucket policy. For more information, see put-bucket-policy.

Use the OSS API

For custom integrations, call the PutBucketPolicy API directly. Your code must handle signature calculation. For more information, see PutBucketPolicy.

What's next

  • To verify that a bucket policy is working, access the bucket as the authorized user and confirm that the expected operations succeed and unauthorized operations are denied.

  • To manage existing policies, return to Permission Control > Bucket Policy in the console to edit or delete policy rules.

  • To learn about RAM-based authorization as an alternative to bucket policies, see RAM policies.