A bucket policy is an authorization policy for Object Storage Service (OSS) buckets. You can use a bucket policy to grant or deny fine-grained access to specified OSS resources for authenticated visitors, such as Alibaba Cloud accounts, Resource Access Management (RAM) users, and RAM roles, or for anonymous visitors. For example, you can grant read-only permissions on specified OSS resources to a RAM user from another Alibaba Cloud account.
General description
Unlike a RAM policy, a bucket policy includes a Principal element. This element specifies the users who are granted or denied access to specific OSS resources. Bucket policies allow you to manage permissions for multiple users in a centralized way. This avoids the need to configure separate permissions for each user. For example, you can match specific RAM users by entering their UIDs in the Principal element or match all users by entering a wildcard character (*) in the Principal element.
Notes
If the Principal of a statement is the wildcard character (*) and the statement includes a Condition, the statement applies to all visitors, including the bucket owner. A request from the bucket owner that matches such a deny statement is denied, even though the bucket owner has full access by default. Before you apply a wildcard deny with a Condition, verify the condition values: a mistyped VPC ID or IP address locks out the bucket owner as well.
If the Principal of a statement is the wildcard character (*) and the statement has no Condition, the statement applies only to visitors other than the bucket owner. The bucket owner keeps full access by default, so such a deny statement never matches the owner's requests.
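The two rules above decide whether a wildcard deny can lock out the bucket owner, and they are easy to misjudge once a policy mixes several statements. The following Python model is an added example, not OSS's own authorization code: it implements only what this page states (an explicit deny overrides an allow, a wildcard Principal with a Condition binds the owner, a wildcard Principal without one does not) and ignores RAM policies and ACLs. The policy, the UIDs and the request fields are constructed for the example, using the condition keys and operators that the examples further down this page rely on; the matching behaviour of each operator and the treatment of a condition key that is absent from the request are assumptions.

```python
"""Added model of OSS bucket-policy evaluation (not OSS's own implementation).

Rules modelled, all taken from the Notes on this page:
  * a matching Deny statement wins over any Allow;
  * Principal "*" with a Condition also binds the bucket owner;
  * Principal "*" without a Condition never binds the bucket owner.
Operator semantics and absent-key handling are assumptions for this example.
"""
from fnmatch import fnmatchcase
import ipaddress

OWNER = "174649585760xxxx"       # bucket owner UID used throughout this page
RAM_USER = "20214760404935xxxx"  # RAM user UID used throughout this page
VPC = "vpc-t4nlw426y44rd3iq4xxxx"
BUCKET = "acs:oss:*:174649585760xxxx:examplebucket"

# Constructed policy combining patterns from this page: an Allow for one RAM
# user, a VPC restriction like Example 6, and an unconditional wildcard Deny.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["oss:GetObject"],
         "Principal": [RAM_USER], "Resource": [BUCKET + "/*"]},
        {"Effect": "Deny", "Action": ["oss:GetObject"],
         "Principal": ["*"], "Resource": [BUCKET + "/*"],
         "Condition": {"StringNotEquals": {"acs:SourceVpc": [VPC]}}},
        {"Effect": "Deny", "Action": ["oss:DeleteObject"],
         "Principal": ["*"], "Resource": [BUCKET + "/*"]},
    ],
}


def match_operator(op, expected, actual):
    """Evaluate one condition operator; values in `expected` are OR-ed."""
    expected = [expected] if isinstance(expected, str) else expected
    if actual is None:  # key absent from the request (e.g. no VPC for Internet traffic)
        return op.startswith(("StringNot", "NotIp"))  # assumed: negated operators pass
    if op == "StringEquals":
        return actual in expected
    if op == "StringNotEquals":
        return actual not in expected
    if op == "StringLike":
        return any(fnmatchcase(actual, p) for p in expected)
    if op == "StringNotLike":
        return not any(fnmatchcase(actual, p) for p in expected)
    if op in ("IpAddress", "NotIpAddress"):
        ip = ipaddress.ip_address(actual)
        hit = any(ip in ipaddress.ip_network(p, strict=False) for p in expected)
        return hit if op == "IpAddress" else not hit
    raise ValueError(f"unsupported operator {op}")


def condition_holds(condition, req):
    """All operators and all keys in a Condition block must hold (AND)."""
    for op, keys in (condition or {}).items():
        for key, expected in keys.items():
            if not match_operator(op, expected, req.get(key)):
                return False
    return True


def evaluate(policy, req, owner=OWNER):
    """Return "Allow" or "Deny" for one request under the bucket policy alone."""
    is_owner = req["principal"] == owner
    decision = "Allow" if is_owner else "Deny"  # owner: full access by default; others: need an Allow
    for stmt in policy["Statement"]:
        if "*" in stmt["Principal"]:
            if is_owner and not stmt.get("Condition"):
                continue  # Notes: wildcard without Condition does not apply to the owner
        elif req["principal"] not in stmt["Principal"]:
            continue
        if not any(fnmatchcase(req["action"], a) for a in stmt["Action"]):
            continue
        if not any(fnmatchcase(req["resource"], r) for r in stmt["Resource"]):
            continue
        if not condition_holds(stmt.get("Condition"), req):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides everything else
        if not is_owner:
            decision = "Allow"
    return decision


def request(principal, action, vpc=None, ip="203.0.113.5", key="report.csv"):
    """Constructed request; acs:SourceVpc is only present for traffic from a VPC."""
    req = {"principal": principal, "action": action, "acs:SourceIp": ip,
           "resource": f"acs:oss:cn-hangzhou:{OWNER}:examplebucket/{key}"}
    if vpc:
        req["acs:SourceVpc"] = vpc
    return req


def demo():
    """Decisions for a handful of constructed requests against POLICY."""
    return {
        "ram_user_get_from_vpc": evaluate(POLICY, request(RAM_USER, "oss:GetObject", VPC)),
        "ram_user_get_from_internet": evaluate(POLICY, request(RAM_USER, "oss:GetObject")),
        "owner_get_from_internet": evaluate(POLICY, request(OWNER, "oss:GetObject")),
        "owner_delete": evaluate(POLICY, request(OWNER, "oss:DeleteObject")),
        "ram_user_delete": evaluate(POLICY, request(RAM_USER, "oss:DeleteObject", VPC)),
        "stranger_get_from_vpc": evaluate(POLICY, request("27737962156157xxxx", "oss:GetObject", VPC)),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28} {decision}")
```

Running demo() shows the owner denied by the conditional VPC statement but untouched by the unconditional delete statement, and the stranger request shows that a non-owner gets nothing without a matching Allow.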
Example 1: Grant read and write permissions to specified RAM users
If you want to grant specific team members or partners permissions to upload, download, and manage objects in a bucket, you can configure a bucket policy to grant the permissions to their corresponding RAM users. This eliminates the need to configure separate access policies for each RAM user. The following example grants RAM users with the UIDs 27737962156157xxxx and 20214760404935xxxx permissions to read and write to a bucket named examplebucket.
In the following allow policy statement, the specified RAM users are not granted the permission to list buckets. Therefore, the RAM users cannot view all buckets on the Bucket List page in the Alibaba Cloud Management Console, find the target bucket, and then click the bucket name to open it. The specified RAM users can access the target bucket by adding a favorite path, which does not require the permission to list buckets. For more information, see Access paths.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:PutObject",
        "oss:GetObjectAcl",
        "oss:PutObjectAcl",
        "oss:AbortMultipartUpload",
        "oss:ListParts",
        "oss:RestoreObject",
        "oss:GetVodPlaylist",
        "oss:PostVodPlaylist",
        "oss:PublishRtmpStream",
        "oss:ListObjectVersions",
        "oss:GetObjectVersion",
        "oss:GetObjectVersionAcl",
        "oss:RestoreObjectVersion"
      ],
      "Principal": [
        "27737962156157xxxx",
        "20214760404935xxxx"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects"
      ],
      "Principal": [
        "27737962156157xxxx",
        "20214760404935xxxx"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket"
      ],
      "Condition": {
        "StringLike": {
          "oss:Prefix": [
            "*"
          ]
        }
      }
    }
  ]
}
Example 2: Grant read-only permissions on specified directories to a specified RAM user
To protect specific project objects in a bucket from being modified while allowing related project members to read these objects, you can grant read-only permissions to the corresponding RAM users. The following example grants read-only permissions on the specified directories (with prefixes hangzhou/2020 and shanghai/2015) in the target bucket (examplebucket) to a specified RAM user with the UID 20214760404935xxxx.
Because the permission to list buckets is not granted, the specified RAM user cannot view and open the bucket from the Bucket List page in the console. The RAM user can access the target bucket by adding a favorite path, which does not require the permission to list buckets. For more information, see Access paths.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetObject",
        "oss:GetObjectAcl",
        "oss:GetObjectVersion",
        "oss:GetObjectVersionAcl"
      ],
      "Effect": "Allow",
      "Principal": [
        "20214760404935xxxx"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/hangzhou/2020/*",
        "acs:oss:*:174649585760xxxx:examplebucket/shanghai/2015/*"
      ]
    },
    {
      "Action": [
        "oss:ListObjects",
        "oss:ListObjectVersions"
      ],
      "Condition": {
        "StringLike": {
          "oss:Prefix": [
            "hangzhou/2020/*",
            "shanghai/2015/*"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": [
        "20214760404935xxxx"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket"
      ]
    }
  ]
}
Example 3: Grant all visitors permissions to list all objects
If your bucket is used for sharing public resources and you want all visitors to be able to view object names but not access the object content, you can set the Principal to a wildcard character (*) and grant them the permission to list all objects. The following example grants all visitors the permission to list all objects in the target bucket examplebucket.
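Example 3 is the one policy on this page that grants something to anonymous visitors, and a wildcard Allow is the pattern most worth catching before a policy is applied. The following Python linter is an added example, not a tool from the original page or from OSS: it loads a policy document and reports wildcard Allow statements, wildcard Allow statements whose actions can write objects or ACLs, and wildcard Deny statements that, per the Notes above, do not bind the bucket owner because they carry no Condition. The first document it checks is a copy of the Example 3 policy below; the second is a constructed bad policy; the list of write-action patterns is an assumption made for this check.

```python
"""Added linter for OSS bucket-policy documents (example code, not an OSS tool).

Findings are (severity, statement index, message) tuples. The write-action
patterns below are an assumption for this check, not an OSS-defined list.
"""
import json
from fnmatch import fnmatchcase

WRITE_ACTIONS = ("oss:Put*", "oss:Delete*", "oss:Abort*", "oss:Post*",
                 "oss:Publish*", "oss:Restore*")

# Copy of Example 3 on this page: anonymous listing of all objects.
EXAMPLE_3 = """
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["oss:ListObjects", "oss:ListObjectVersions"],
      "Effect": "Allow",
      "Principal": ["*"],
      "Resource": ["acs:oss:*:174649585760xxxx:examplebucket"]
    }
  ]
}
"""

# Constructed bad policy: anonymous full access, plus a wildcard deny that
# carries no Condition and therefore leaves the bucket owner unrestricted.
BAD_POLICY = """
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["oss:*"],
      "Principal": ["*"],
      "Resource": ["acs:oss:*:174649585760xxxx:examplebucket/*"]
    },
    {
      "Effect": "Deny",
      "Action": ["oss:DeleteObject"],
      "Principal": ["*"],
      "Resource": ["acs:oss:*:174649585760xxxx:examplebucket/*"]
    }
  ]
}
"""


def as_list(value):
    """Policy elements may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def grants_write(actions):
    """True if any granted action pattern could cover a write or ACL action."""
    for a in actions:
        for w in WRITE_ACTIONS:
            # Either side may carry a wildcard, so match in both directions.
            if fnmatchcase(a, w) or fnmatchcase(w, a):
                return True
    return False


def lint_policy(policy_json):
    """Return findings for the risky patterns a reviewer should look at first."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        effect = stmt.get("Effect")
        anonymous = "*" in as_list(stmt.get("Principal", []))
        actions = as_list(stmt.get("Action", []))
        has_condition = bool(stmt.get("Condition"))
        if effect == "Allow" and anonymous:
            level = "HIGH" if not has_condition else "MEDIUM"
            findings.append((level, i, f"Principal * allows {actions} for anonymous visitors"))
            if grants_write(actions):
                findings.append(("CRITICAL", i, "anonymous visitors can write objects or ACLs"))
        if effect == "Deny" and anonymous and not has_condition:
            findings.append(("INFO", i, "Deny without Condition does not apply to the bucket owner"))
    return findings


if __name__ == "__main__":
    for name, doc in (("example 3", EXAMPLE_3), ("bad policy", BAD_POLICY)):
        for level, idx, msg in lint_policy(doc):
            print(f"{name}: statement {idx}: {level}: {msg}")
```

For Example 3 the only finding is a HIGH for the anonymous listing grant, which is exactly the decision the section asks you to make deliberately; the constructed bad policy additionally raises CRITICAL for anonymous writes and INFO for the owner-exempt deny.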
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:ListObjects",
        "oss:ListObjectVersions"
      ],
      "Effect": "Allow",
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket"
      ]
    }
  ]
}
Example 4: Grant a specified RAM user permissions to view the bucket and list its objects
To allow specified team members or partners to view all information about a bucket and list the objects in it, you can use a bucket policy to grant permissions directly to their corresponding RAM users. This eliminates the need to configure separate access policies. The following example grants a specified RAM user permissions to view all information about the target bucket examplebucket and list the objects in it.
In the following allow policy statement, the specified RAM user is not granted the permission to list buckets. Therefore, the RAM user cannot view all buckets on the Bucket List page in the Alibaba Cloud Management Console, find the target bucket, and then click the bucket name to open it. The specified RAM user can access the target bucket by adding a favorite path, which does not require the permission to list buckets. For more information, see Access paths.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:Get*",
        "oss:ListObjects",
        "oss:ListObjectVersions"
      ],
      "Effect": "Allow",
      "Principal": [
        "20214760404935xxxx"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket"
      ]
    }
  ]
}
Example 5: Grant a specified RAM role permissions to read objects
To allow a RAM user or an application to temporarily access objects in your bucket, you can create a RAM role and grant the necessary permissions. By assuming the role, the RAM user or application can obtain temporary access credentials to read the objects in your bucket. The following example grants permissions to read all objects in the bucket examplebucket to all sessions of one RAM role and a specified session of another RAM role under an Alibaba Cloud account.
When you grant permissions to a RAM role in a bucket policy, each Principal must use the format arn:sts::<uid>:assumed-role/<role-name>/<session-name>. Use * as <session-name> to match all sessions of the role, as the second Principal below does. The values of <role-name> and <session-name> are case-sensitive.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetObject"
      ],
      "Effect": "Allow",
      "Principal": [
        "arn:sts::10323xxxxx72056:assumed-role/okrole/sessiontest",
        "arn:sts::10323xxxxx72056:assumed-role/secondrole/*"
      ],
      "Resource": [
        "acs:oss:*:1032xxxxx672056:examplebucket/*"
      ]
    }
  ]
}
Example 6: Restrict access to a specified VPC
To restrict bucket access to a specified VPC, you can use the acs:SourceVpc condition key to create a deny policy statement and add it to the bucket policy. Requests from other VPCs or from the Internet do not carry the specified VPC ID, so they do not meet the condition and are denied. The following example denies all visitors read access to objects in the target bucket (examplebucket) unless the request originates from the VPC vpc-t4nlw426y44rd3iq4xxxx.
In the following deny policy statement, the Principal is a wildcard character (*) and a Condition is included. Therefore, the deny policy statement applies to all visitors, including the bucket owner. If the bucket owner does not access the bucket from the specified VPC, their access request is also denied.
The following deny policy statement restricts access but does not grant any access permissions. If the principal has not been granted access permissions, you must add an allow policy statement to grant access.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "acs:SourceVpc": [
            "vpc-t4nlw426y44rd3iq4xxxx"
          ]
        }
      }
    }
  ]
}
Example 7: Restrict access to a specified public IP address
To restrict bucket access to a specified public IP address, you can use the acs:SourceIp condition key to create a deny policy statement and add it to the bucket policy. Requests from any other public IP address or from a VPC do not meet the IP address condition and therefore trigger the deny rule. The following example denies read operations on examplebucket for all visitors except those from the public IP address 203.0.113.5.
In the following deny policy statement, the Principal is a wildcard character (*) and a Condition is included. Therefore, this deny policy applies to all visitors, including the bucket owner. If the bucket owner accesses the bucket from a public IP address other than the one specified, the request is denied.
The following deny policy statement restricts access but does not grant any access permissions. If the principal has not been granted access permissions, you must add an allow policy statement to grant access.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "acs:SourceIp": [
            "203.0.113.5"
          ]
        }
      }
    }
  ]
}
Example 8: Restrict access to a specified IP address range within a specified VPC
To restrict bucket access to a specified IP address range within a specified VPC, you can create two deny policy statements:
Use the acs:SourceVpc condition key to create a deny policy statement that blocks requests from other VPCs or the Internet. Requests from other VPCs or the Internet do not meet the specified VPC ID condition and therefore trigger the deny rule.
Use the acs:SourceIp and acs:SourceVpc condition keys together to create a deny policy statement that blocks requests that come from the specified VPC but from outside the specified IP address range.
After you add these two deny policy statements to the bucket policy, a request is denied if it matches either statement. The following example denies read operations on the target bucket (examplebucket) for all visitors except those from the IP address range 192.168.0.0/16 within the VPC vpc-t4nlw426y44rd3iq4xxxx.
In the following deny policy statements, the Principal is a wildcard character (*) and a Condition is included. Therefore, they apply to all visitors, including the bucket owner. If the access is not from the specified IP address range of the specified VPC, the access request is denied.
The following deny policy statements restrict access but do not grant any access permissions. If the principal has not been granted access permissions, you must add an allow policy statement to grant access.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "acs:SourceVpc": [
            "vpc-t4nlw426y44rd3iq4xxxx"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "acs:SourceVpc": [
            "vpc-t4nlw426y44rd3iq4xxxx"
          ]
        },
        "NotIpAddress": {
          "acs:SourceIp": [
            "192.168.0.0/16"
          ]
        }
      }
    }
  ]
}
Example 9: Restrict access to a specified public IP address or a specified VPC
To restrict bucket access to a specified public IP address or a specified VPC, you can create two deny policy statements:
Use the acs:SourceIp condition key to create a deny policy statement that blocks requests from other public IP addresses. At the same time, use the StringNotLike condition operator with the acs:SourceVpc condition key so that this statement does not apply to requests that arrive from a VPC; those are handled by the second statement.
Use the acs:SourceVpc condition key to create a deny policy statement that blocks requests from other VPCs. At the same time, use the StringLike condition operator with the acs:SourceVpc condition key so that this statement applies only to requests that arrive from a VPC. This prevents requests from the specified public IP address from being denied for failing to meet the VPC ID condition.
After you add the preceding two Deny statements to the bucket policy, a request is denied if it matches either statement. The following example denies all visitors, except those from the public IP address 203.0.113.5 or the VPC vpc-t4nlw426y44rd3iq4xxxx, from reading objects in the target bucket examplebucket.
In the following deny policy statements, the Principal is a wildcard character (*) and a Condition is included. Therefore, they apply to all visitors, including the bucket owner. If the access is not from the specified public IP address or the specified VPC, the access request is denied.
The following deny policy statements restrict access but do not grant any access permissions. If the principal has not been granted access permissions, you must add an allow policy statement to grant access.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringNotLike": {
          "acs:SourceVpc": [
            "vpc-*"
          ]
        },
        "NotIpAddress": {
          "acs:SourceIp": [
            "203.0.113.5"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringLike": {
          "acs:SourceVpc": [
            "vpc-*"
          ]
        },
        "StringNotEquals": {
          "acs:SourceVpc": [
            "vpc-t4nlw426y44rd3iq4xxxx"
          ]
        }
      }
    }
  ]
}
Example 10: Restrict API calls to use only temporary access credentials
If you want to access bucket resources by calling an API and need to restrict the API calls to use only temporary access credentials, you can use the acs:AccessId condition key. You can create a deny policy statement and add it to the bucket policy to block access methods that use non-temporary credentials, such as a long-term AccessKey pair of an Alibaba Cloud account or a RAM user. Access requests that use non-temporary credentials trigger the deny rule in the policy. The following example denies all visitors permission to view the target bucket (examplebucket) and list its objects, except for those using temporary access credentials (starting with TMP. or STS.).
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:Get*",
        "oss:ListObjects",
        "oss:ListObjectVersions"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket",
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringNotLike": {
          "acs:AccessId": [
            "TMP.*",
            "STS.*"
          ]
        }
      }
    }
  ]
}
Example 11: Prohibit setting public ACLs for buckets and objects
To ensure OSS data security and prohibit setting the access control lists (ACLs) of buckets and objects to public, you can create two deny policy statements:
Use the oss:x-oss-acl condition key to create a deny policy statement that prevents setting the bucket ACL to any value other than private. An attempt to set public-read or public-read-write does not meet the private condition and therefore triggers the deny rule.
Use the oss:x-oss-object-acl condition key to create a deny policy statement that prevents setting the object ACL to any value other than private or default.
After you add these two deny policy statements to the bucket policy, access is denied if either condition is met. The following example denies operations that set public access permissions on the target bucket (examplebucket).
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:PutBucketAcl"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:*:examplebucket"
      ],
      "Condition": {
        "StringNotEquals": {
          "oss:x-oss-acl": "private"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "oss:PutObjectAcl"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:*:examplebucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "oss:x-oss-object-acl": [
            "private",
            "default"
          ]
        }
      }
    }
  ]
}
References
For more information about bucket policy elements, see RAM policies.
For more information about how to configure a bucket policy, see Bucket Policy.
For more information about the bucket policy authentication process, see OSS authentication details.