A bucket policy allows you to authorize or restrict access of anonymous users or identified users, such as Alibaba Cloud accounts, RAM users, and RAM roles, to specific Object Storage Service (OSS) resources. For example, you can grant read-only permissions on specific OSS resources to a RAM user of another Alibaba Cloud account.
General description
Unlike RAM policies, bucket policies include the Principal element that specifies the entities that are allowed or denied access to resources. You can specify the Principal element to allow or deny access to specific OSS resources from different users in a fine-grained manner. When you do not need to differentiate between users, you can centrally manage permissions to avoid repeated authorization or restriction. For example, you can specify multiple RAM user UIDs in the Principal element to match specific RAM users. You can also specify an asterisk (*) in the Principal element to match all users.
Considerations
If you set the Principal element to an asterisk (*) and specify the Condition element when you configure a bucket policy, the bucket policy takes effect for all users including the bucket owner. In this case, if an access request triggers the Deny statement, the request is denied, even if the request was made by the bucket owner, who has all access permissions on the bucket and objects in it by default.
If you set the Principal element to an asterisk (*) and do not specify the Condition element when you configure a bucket policy, the bucket policy takes effect for all users except the bucket owner. In this case, the Deny statement is not triggered for the bucket owner, who has all access permissions on the bucket and objects in it by default.
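As an added illustration of the two considerations above (example code written for this page, not part of the Alibaba Cloud documentation or the OSS SDK), the following Python function reads a bucket policy document and reports which statements reach the bucket owner, plus two related checks that the examples on this page rely on: an Allow with Principal * reaches anonymous users, and a Deny-only policy grants nothing. The sample policy embedded in it is constructed; the account UID and VPC ID are placeholders.

```python
# Added example, not from the Alibaba Cloud documentation: a static check of a
# bucket policy against the two considerations about Principal "*" and Condition.
import json

def statement_scope(stmt):
    """Describe whom a statement reaches, following the considerations above."""
    principals = stmt.get("Principal", [])
    if isinstance(principals, str):
        principals = [principals]
    has_condition = bool(stmt.get("Condition"))
    if "*" in principals and has_condition:
        return "all users including the bucket owner"
    if "*" in principals:
        return "all users except the bucket owner"
    return "listed principals only"

def lint_bucket_policy(policy_json):
    """Return a list of findings (strings) for one bucket policy document."""
    policy = json.loads(policy_json)
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    statements = policy.get("Statement", [])
    for index, stmt in enumerate(statements):
        effect = stmt.get("Effect")
        scope = statement_scope(stmt)
        if effect == "Deny" and scope == "all users including the bucket owner":
            findings.append(f"statement {index}: Deny with Principal * and a Condition "
                            "also denies the bucket owner when the condition matches")
        if effect == "Allow" and scope == "all users except the bucket owner":
            findings.append(f"statement {index}: Allow with Principal * grants access "
                            "to anonymous users")
    if statements and all(s.get("Effect") == "Deny" for s in statements):
        findings.append("policy contains only Deny statements; principals without "
                        "other permissions still need an Allow statement")
    return findings

# Constructed sample: a VPC-restriction Deny statement in the style of Example 6.
# The account UID and VPC ID are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["oss:GetObject"],
        "Principal": ["*"],
        "Resource": ["acs:oss:*:174649585760xxxx:examplebucket/*"],
        "Condition": {"StringNotEquals": {"acs:SourceVpc": ["vpc-t4nlw426y44rd3iq4xxxx"]}}
    }]
})

if __name__ == "__main__":
    for finding in lint_bucket_policy(SAMPLE_POLICY):
        print(finding)
```

Running the check on the sample policy produces two findings: the Deny statement also applies to the bucket owner outside the VPC, and the policy contains no Allow statement, so a RAM user without other permissions still cannot read the bucket.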
Example 1: Grant specific RAM users read and write access to a bucket
If you want to grant specific members of your team or partners the permissions to upload, download, and manage objects in a bucket, you can configure a bucket policy to grant the permissions to the RAM users that correspond to these members. You do not need to configure access policies for each RAM user. The following example shows how to grant specific RAM users (UIDs: 27737962156157xxxx and 20214760404935xxxx) read and write access to a bucket named examplebucket.
In the following Allow statement, the RAM users are not granted the permissions to list buckets. Therefore, the RAM users cannot view all buckets on the Bucket List page of the Alibaba Cloud Management Console, find the target bucket, and click the bucket to access it. The RAM users can access a specific bucket by adding it to the favorite path. The RAM users do not need to have the permissions to list buckets. For more information, see Access path.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:PutObject",
        "oss:GetObjectAcl",
        "oss:PutObjectAcl",
        "oss:AbortMultipartUpload",
        "oss:ListParts",
        "oss:RestoreObject",
        "oss:GetVodPlaylist",
        "oss:PostVodPlaylist",
        "oss:PublishRtmpStream",
        "oss:ListObjectVersions",
        "oss:GetObjectVersion",
        "oss:GetObjectVersionAcl",
        "oss:RestoreObjectVersion"
      ],
      "Principal": [
        "27737962156157xxxx",
        "20214760404935xxxx"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects"
      ],
      "Principal": [
        "27737962156157xxxx",
        "20214760404935xxxx"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket"
      ],
      "Condition": {
        "StringLike": {
          "oss:Prefix": [
            "*"
          ]
        }
      }
    }
  ]
}
Example 2: Grant specific RAM users the permissions to read specific directories of a bucket
If you need to protect specific project files in a bucket from being tampered with but allow project members to read these files, you can grant read-only permissions to the corresponding RAM users. The following example shows how to grant a specific RAM user (UID: 20214760404935xxxx) read-only permissions on specific directories (prefixes: hangzhou/2020 and shanghai/2015) in a bucket named examplebucket.
Because the permissions to list buckets are not granted, the RAM user cannot view or access buckets on the Bucket List page of the console. The RAM user can access a specific bucket by adding it to the favorite path. The RAM user does not need to have the permissions to list buckets. For more information, see Access path.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetObject",
        "oss:GetObjectAcl",
        "oss:GetObjectVersion",
        "oss:GetObjectVersionAcl"
      ],
      "Effect": "Allow",
      "Principal": [
        "20214760404935xxxx"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/hangzhou/2020/*",
        "acs:oss:*:174649585760xxxx:examplebucket/shanghai/2015/*"
      ]
    },
    {
      "Action": [
        "oss:ListObjects",
        "oss:ListObjectVersions"
      ],
      "Condition": {
        "StringLike": {
          "oss:Prefix": [
            "hangzhou/2020/*",
            "shanghai/2015/*"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": [
        "20214760404935xxxx"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket"
      ]
    }
  ]
}
Example 3: Grant all users the permissions to only list all objects in a bucket
If your bucket is used for public resource sharing and you want all users to be able to view object names but not object content, you can set the Principal element to an asterisk (*) and grant all users the permissions to list all objects in the bucket. The following example shows how to grant all users the permissions to list all objects in a bucket named examplebucket.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:ListObjects",
        "oss:ListObjectVersions"
      ],
      "Effect": "Allow",
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket"
      ]
    }
  ]
}
Example 4: Grant specific RAM users the permissions to view information about a bucket and list all objects in the bucket
If you want specific members of your team or partners to view all information about a bucket and list objects in the bucket, you can configure a bucket policy to grant the permissions to the RAM users that correspond to these members. You do not need to configure access policies for each RAM user. The following example shows how to grant specific RAM users the permissions to view all information about a bucket named examplebucket and list all objects in the bucket.
In the following Allow statement, the RAM users are not granted the permissions to list buckets. Therefore, the RAM users cannot view all buckets on the Bucket List page of the Alibaba Cloud Management Console, find the target bucket, and click the bucket to access it. The RAM users can access a specific bucket by adding it to the favorite path. The RAM users do not need to have the permissions to list buckets. For more information, see Access path.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:Get*",
        "oss:ListObjects",
        "oss:ListObjectVersions"
      ],
      "Effect": "Allow",
      "Principal": [
        "20214760404935xxxx"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket"
      ]
    }
  ]
}
Example 5: Grant specific RAM roles the permission to read objects in a bucket
If a RAM user or application requires temporary access to objects in your bucket, you can create a RAM role and assign the required permissions to the RAM role. The RAM user or application can assume the RAM role to obtain temporary access credentials that can be used to access objects in your bucket. The following example shows how to grant one RAM role with all sessions and one RAM role with a specific session the permissions to read all objects in a bucket named examplebucket.
When you use a bucket policy to grant permissions to a RAM role, the Principal element must be in the following format: arn:sts::<uid>:assumed-role/<role-name>/<session-name>. The values of <role-name> and <session-name> are case-sensitive.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetObject"
      ],
      "Effect": "Allow",
      "Principal": [
        "arn:sts::10323xxxxx72056:assumed-role/okrole/sessiontest",
        "arn:sts::10323xxxxx72056:assumed-role/secondrole/*"
      ],
      "Resource": [
        "acs:oss:*:1032xxxxx672056:examplebucket/*"
      ]
    }
  ]
}
Example 6: Restrict access to a specific VPC
If you want to restrict access to a bucket only from a specific VPC, you can create a Deny statement by using the acs:SourceVpc condition key and add the statement to the bucket policy to block requests from other VPCs or the Internet. Requests from other VPCs or the Internet are denied because they do not match the specified VPC ID condition. The following example shows how to deny all users except those from a specific VPC (ID: t4nlw426y44rd3iq4xxxx) the permissions to read objects in a bucket named examplebucket.
In the following Deny statement, the Principal element is set to an asterisk (*) and the Condition element is specified. Therefore, the Deny statement takes effect for all users, including the bucket owner. After you add the following Deny statement, if the bucket owner does not access the bucket from the specified VPC, the access requests from the bucket owner are denied.
The following Deny statement is used only to deny access and does not grant access permissions. If the authorization principal has not been granted access permissions, you can add an Allow statement.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "acs:SourceVpc": [
            "vpc-t4nlw426y44rd3iq4xxxx"
          ]
        }
      }
    }
  ]
}
Example 7: Restrict access to a specific public IP address
If you want to restrict access to a bucket only from a specific public IP address, you can create a Deny statement by using the acs:SourceIp condition key and add the statement to the bucket policy to block requests from other public IP addresses or VPCs. Requests from other public IP addresses or VPCs are identified as not matching the specified IP condition, which triggers the Deny statement. The following example shows how to deny all users except those from a specific public IP address (203.0.113.5) the permissions to read objects in a bucket named examplebucket.
In the following Deny statement, the Principal element is set to an asterisk (*) and the Condition element is specified. Therefore, the Deny statement takes effect for all users, including the bucket owner. Even if the bucket owner does not access the bucket from the specified public IP address, the access requests from the bucket owner are denied.
The following Deny statement is used only to deny access and does not grant access permissions. If the authorization principal has not been granted access permissions, you can add an Allow statement.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "acs:SourceIp": [
            "203.0.113.5"
          ]
        }
      }
    }
  ]
}
Example 8: Restrict access to a specific CIDR block of a VPC
If you want to restrict access to a bucket only from a specific CIDR block of a VPC, you can create two Deny statements:
Create a Deny statement by using the acs:SourceVpc condition key to block requests from other VPCs or the Internet. Requests from other VPCs or the Internet do not match the specified VPC ID condition, which triggers the Deny statement.
Create a Deny statement by using the acs:SourceIp condition key and the acs:SourceVpc condition key to block requests from outside the specified CIDR block of the VPC.
After you add the preceding two Deny statements to the bucket policy, if a request matches either of the conditions, the request is denied. The following example shows how to deny all users except those from a specific CIDR block (192.168.0.0/16) of a specific VPC (ID: t4nlw426y44rd3iq4xxxx) the permissions to read objects in a bucket named examplebucket.
In the following Deny statement, the Principal element is set to an asterisk (*) and the Condition element is specified. Therefore, the Deny statement takes effect for all users, including the bucket owner. If a user does not access the bucket from the specified CIDR block of the specified VPC, the access requests from the user are denied.
The following Deny statement is used only to deny access and does not grant access permissions. If the authorization principal has not been granted access permissions, you can add an Allow statement.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "acs:SourceVpc": [
            "vpc-t4nlw426y44rd3iq4xxxx"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "acs:SourceVpc": [
            "vpc-t4nlw426y44rd3iq4xxxx"
          ]
        },
        "NotIpAddress": {
          "acs:SourceIp": [
            "192.168.0.0/16"
          ]
        }
      }
    }
  ]
}
Example 9: Restrict access to a specific public IP address or VPC
If you want to restrict access to a bucket only from a specific public IP address or a specific VPC, you can create two Deny statements:
Create a Deny statement by using the acs:SourceIp condition key to block requests from other public IP addresses. Use the StringNotLike condition operator and the acs:SourceVpc condition key to exclude requests from the specified VPC.
Create a Deny statement by using the acs:SourceVpc condition key to block requests from other VPCs. Use the StringLike condition operator and the acs:SourceVpc condition key to limit this statement to requests that carry a VPC ID, so that requests from the specified public IP address are not incorrectly denied for not matching the specified VPC ID condition.
After you add the preceding two Deny statements to the bucket policy, if a request matches either of the conditions, the request is denied. The following example shows how to deny all users except those from a specific public IP address (203.0.113.5) or a specific VPC (ID: t4nlw426y44rd3iq4xxxx) the permissions to read objects in a bucket named examplebucket.
In the following Deny statement, the Principal element is set to an asterisk (*) and the Condition element is specified. Therefore, the Deny statement takes effect for all users, including the bucket owner. If a user does not access the bucket from the specified public IP address or the specified VPC, the access requests from the user are denied.
The following Deny statement is used only to deny access and does not grant access permissions. If the authorization principal has not been granted access permissions, you can add an Allow statement.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringNotLike": {
          "acs:SourceVpc": [
            "vpc-*"
          ]
        },
        "NotIpAddress": {
          "acs:SourceIp": [
            "203.0.113.5"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringLike": {
          "acs:SourceVpc": [
            "vpc-*"
          ]
        },
        "StringNotEquals": {
          "acs:SourceVpc": [
            "vpc-t4nlw426y44rd3iq4xxxx"
          ]
        }
      }
    }
  ]
}
Example 10: Restrict API calls to use only temporary access credentials
If you want to access resources in a bucket by calling API operations and you want to restrict API calls to use only temporary access credentials, you can create a Deny statement by using the acs:AccessId condition key and add the statement to the bucket policy to block access by using other non-temporary access credentials, such as the long-term AccessKey pairs of Alibaba Cloud accounts or RAM users. Access requests that use non-temporary access credentials trigger the Deny statement. The following example shows how to deny all users except those who use temporary access credentials (starting with TMP. or STS.) the permissions to view information about a bucket named examplebucket and list objects in the bucket.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:Get*",
        "oss:ListObjects",
        "oss:ListObjectVersions"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringNotLike": {
          "acs:AccessId": [
            "TMP.*",
            "STS.*"
          ]
        }
      }
    }
  ]
}
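To make the evaluation rules used throughout Examples 1 and 5 to 10 concrete (Deny overrides Allow, the bucket owner keeps access unless a matching Deny applies, Principal * with a Condition reaches the owner, wildcard matching of actions, resources and assumed-role session names, and the StringEquals, StringNotEquals, StringLike, StringNotLike, IpAddress and NotIpAddress operators), here is a simplified evaluator written for this page. It is example code, not the OSS authentication engine or the Alibaba Cloud SDK, and it goes slightly beyond the page by handling all of those operators in one function. The request dictionaries, region, addresses, VPC IDs and UIDs are constructed placeholders; the embedded policy is the pair of Deny statements from Example 9.

```python
# Added example, not from the Alibaba Cloud documentation: a simplified evaluator
# that applies the rules this page states (Deny overrides Allow, the bucket owner
# is allowed unless a matching Deny applies, Principal "*" plus a Condition covers
# the owner) and the condition operators used in Examples 1 and 6 to 10. Real OSS
# evaluation has further rules; this is an illustration of the examples only.
import fnmatch
import ipaddress
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match_any(patterns, value):
    """Wildcard match for actions, resources and principals (oss:Get*, .../*)."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _ip_in(cidrs, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))

def condition_holds(condition, ctx):
    """All operators and keys in a Condition block must hold (logical AND).
    A negated operator on a key absent from the request holds, which is what
    lets Example 6 deny Internet requests that carry no acs:SourceVpc."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                ok = actual is not None and actual in _as_list(expected)
            elif operator == "StringNotEquals":
                ok = actual is None or actual not in _as_list(expected)
            elif operator == "StringLike":
                ok = actual is not None and _match_any(expected, actual)
            elif operator == "StringNotLike":
                ok = actual is None or not _match_any(expected, actual)
            elif operator == "IpAddress":
                ok = actual is not None and _ip_in(expected, actual)
            elif operator == "NotIpAddress":
                ok = actual is None or not _ip_in(expected, actual)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True

def statement_applies(stmt, req, owner_uid):
    principals = _as_list(stmt["Principal"])
    if "*" in principals:
        # Considerations: "*" without a Condition does not reach the bucket owner.
        if req["principal"] == owner_uid and not stmt.get("Condition"):
            return False
    elif not _match_any(principals, req["principal"]):
        return False
    if not _match_any(stmt["Action"], req["action"]):
        return False
    if not _match_any(stmt["Resource"], req["resource"]):
        return False
    return condition_holds(stmt.get("Condition", {}), req.get("context", {}))

def evaluate(policy_json, req, owner_uid):
    """Return "Deny", "Allow" or "ImplicitDeny" for one request dictionary."""
    allowed = False
    for stmt in json.loads(policy_json)["Statement"]:
        if statement_applies(stmt, req, owner_uid):
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit Deny always wins
            allowed = True
    if allowed or req["principal"] == owner_uid:
        return "Allow"                 # the owner has all permissions by default
    return "ImplicitDeny"

# Constructed inputs: the owner UID, VPC IDs and addresses are placeholders.
OWNER = "174649585760xxxx"
BUCKET_ARN = "acs:oss:*:174649585760xxxx:examplebucket"
POLICY_IP_OR_VPC = json.dumps({   # the two Deny statements of Example 9
    "Version": "1",
    "Statement": [
        {"Effect": "Deny", "Action": ["oss:GetObject"], "Principal": ["*"],
         "Resource": [BUCKET_ARN + "/*"],
         "Condition": {"StringNotLike": {"acs:SourceVpc": ["vpc-*"]},
                       "NotIpAddress": {"acs:SourceIp": ["203.0.113.5"]}}},
        {"Effect": "Deny", "Action": ["oss:GetObject"], "Principal": ["*"],
         "Resource": [BUCKET_ARN + "/*"],
         "Condition": {"StringLike": {"acs:SourceVpc": ["vpc-*"]},
                       "StringNotEquals": {"acs:SourceVpc": ["vpc-t4nlw426y44rd3iq4xxxx"]}}},
    ],
})

def get_object_request(principal, context):
    """Build a GetObject request on one object; the region is a constructed value."""
    return {"principal": principal, "action": "oss:GetObject",
            "resource": "acs:oss:cn-hangzhou:174649585760xxxx:examplebucket/report.txt",
            "context": context}

if __name__ == "__main__":
    for label, ctx in [("allowed IP", {"acs:SourceIp": "203.0.113.5"}),
                       ("other IP", {"acs:SourceIp": "198.51.100.7"}),
                       ("allowed VPC", {"acs:SourceVpc": "vpc-t4nlw426y44rd3iq4xxxx", "acs:SourceIp": "192.168.1.10"}),
                       ("other VPC", {"acs:SourceVpc": "vpc-other", "acs:SourceIp": "192.168.1.10"})]:
        print(label, evaluate(POLICY_IP_OR_VPC, get_object_request(OWNER, ctx), OWNER))
```

Run as a script, the four owner requests come out as Allow, Deny, Allow, Deny, which is the behaviour Example 9 describes: the owner is denied from any other public IP address or any other VPC because the Principal is * and a Condition is present. Swapping in the Example 6 policy shows the negated-operator point from the comment: an Internet request carries no acs:SourceVpc, so StringNotEquals holds and the request is denied.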
References
For more information about the elements of bucket policies, see RAM Policy.
For more information about how to configure bucket policies, see Bucket Policy.
For more information about the authentication process of bucket policies, see OSS authentication.