
Object Storage Service: Examples

Last Updated: Oct 31, 2023

You can configure a bucket policy to grant other users permissions on specific Object Storage Service (OSS) resources in a bucket. For example, you can configure bucket policies to grant different levels of access, such as read-only or read/write, to RAM users that belong to the same Alibaba Cloud account as the bucket owner or to a different one.

Introduction

The following examples show how a bucket owner whose UID is 174649585760xxxx configures bucket policies to grant different permissions to RAM users, such as the RAM user whose UID is 27737962156157xxxx. Compared with RAM policies, bucket policies contain the Principal element used to specify the users to whom you want to grant permissions. The syntax of other elements in bucket policies, such as Action and Condition, is the same as the syntax of the elements in RAM policies. For more information about elements, see Overview.

Usage notes

  • If you set the Principal element to an asterisk (*), which covers all accounts including anonymous requesters, and leave the Condition element empty, the bucket policy takes effect for all users except the bucket owner. For more information, see Example 3.

  • If you set the Principal element to an asterisk (*), which covers all accounts including anonymous requesters, and also configure the Condition element, the bucket policy takes effect for all users including the bucket owner. For more information, see Example 5.

Example 1: Grant specific RAM users the permissions to read and write a bucket

The following code provides an example on how to configure a bucket policy to grant the RAM users whose UIDs are 27737962156157xxxx and 20214760404935xxxx the permissions to read and write a bucket named examplebucket:

{    
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "oss:GetObject",
            "oss:PutObject",
            "oss:GetObjectAcl",
            "oss:PutObjectAcl",            
            "oss:AbortMultipartUpload",
            "oss:ListParts",
            "oss:RestoreObject",
            "oss:GetVodPlaylist",
            "oss:PostVodPlaylist",
            "oss:PublishRtmpStream",
            "oss:ListObjectVersions",
            "oss:GetObjectVersion",
            "oss:GetObjectVersionAcl",
            "oss:RestoreObjectVersion"
        ],
        "Principal": [
            "27737962156157xxxx",
            "20214760404935xxxx"
        ],
        "Resource": [
            "acs:oss:*:174649585760xxxx:examplebucket/*"
        ]
      }, {
        "Effect": "Allow",
        "Action": [
            "oss:ListObjects"            
        ],
        "Principal": [
            "27737962156157xxxx",
            "20214760404935xxxx"
        ],
        "Resource": [
            "acs:oss:*:174649585760xxxx:examplebucket"
        ],
        "Condition": {
            "StringLike": {
                "oss:Prefix": [
                    "*"
                ]
            }
        }
      }
    ]      
}

Example 2: Grant specific RAM users the permissions to read specific directories of a bucket

The following code provides an example on how to configure a bucket policy to grant a RAM user whose UID is 20214760404935xxxx the permissions to read the hangzhou/2020 and shanghai/2015 directories of a bucket named examplebucket:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:GetObject",
                "oss:GetObjectAcl",
                "oss:GetObjectVersion",
                "oss:GetObjectVersionAcl"
            ],
            "Effect": "Allow",
            "Principal": [
                "20214760404935xxxx"
            ],
            "Resource": [
                "acs:oss:*:174649585760xxxx:examplebucket/hangzhou/2020/*",
                "acs:oss:*:174649585760xxxx:examplebucket/shanghai/2015/*"
            ]
        },
        {
            "Action": [
                "oss:ListObjects",
                "oss:ListObjectVersions"
            ],
            "Condition": {
                "StringLike": {
                    "oss:Prefix": [
                        "hangzhou/2020/*",
                        "shanghai/2015/*"
                    ]
                }
            },
            "Effect": "Allow",
            "Principal": [
                "20214760404935xxxx"
            ],
            "Resource": [
                "acs:oss:*:174649585760xxxx:examplebucket"
            ]
        }
    ]
}
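Before a policy such as Example 1 or Example 2 is applied, a reviewer usually wants two things checked mechanically: that no statement opens the bucket to every account without a Condition (the situation the first usage note describes, and what Example 3 on this page does on purpose), and that the grant to one RAM user really stays inside the intended directories. The following script is an added example written for this page, not Alibaba Cloud tooling; it embeds copies of the Example 2 and Example 3 policy documents and the bucket ARN from this page, and the checks it performs are this script's own heuristics rather than any OSS API.

```python
"""Static review of an OSS bucket policy document before it is applied.

Added example for this page, not Alibaba Cloud's own tooling. It answers two
reviewer questions:
  1. Does any Allow statement name every account ("Principal": "*") without a
     Condition? Per the usage notes, such a statement applies to everyone
     except the bucket owner, i.e. it makes the resource effectively public.
  2. Does the access granted to one RAM user stay inside the prefixes it was
     meant to get, both for object-level Resource ARNs and for the oss:Prefix
     values that scope listing?
The policy texts below are copies of Example 2 and Example 3 on this page.
"""
import json

BUCKET_ARN = "acs:oss:*:174649585760xxxx:examplebucket"   # owner UID from the page

EXAMPLE_2 = json.loads('''{
  "Version": "1",
  "Statement": [
    {"Action": ["oss:GetObject", "oss:GetObjectAcl", "oss:GetObjectVersion", "oss:GetObjectVersionAcl"],
     "Effect": "Allow", "Principal": ["20214760404935xxxx"],
     "Resource": ["acs:oss:*:174649585760xxxx:examplebucket/hangzhou/2020/*",
                  "acs:oss:*:174649585760xxxx:examplebucket/shanghai/2015/*"]},
    {"Action": ["oss:ListObjects", "oss:ListObjectVersions"],
     "Condition": {"StringLike": {"oss:Prefix": ["hangzhou/2020/*", "shanghai/2015/*"]}},
     "Effect": "Allow", "Principal": ["20214760404935xxxx"],
     "Resource": ["acs:oss:*:174649585760xxxx:examplebucket"]}
  ]
}''')

EXAMPLE_3 = json.loads('''{
  "Version": "1",
  "Statement": [
    {"Action": ["oss:ListObjects", "oss:ListObjectVersions"], "Effect": "Allow",
     "Principal": ["*"], "Resource": ["acs:oss:*:174649585760xxxx:examplebucket"]}
  ]
}''')


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def unconditional_public_statements(policy):
    """Indexes of Allow statements open to '*' with no Condition at all."""
    hits = []
    for i, st in enumerate(policy["Statement"]):
        if (st.get("Effect") == "Allow"
                and "*" in _as_list(st.get("Principal", []))
                and not st.get("Condition")):
            hits.append(i)
    return hits


def _applies_to(st, uid):
    principals = _as_list(st.get("Principal", []))
    return st.get("Effect") == "Allow" and (uid in principals or "*" in principals)


def scope_violations(policy, uid, allowed_prefixes, bucket_arn=BUCKET_ARN):
    """Grants to uid that reach outside allowed_prefixes (e.g. 'hangzhou/2020/').

    Returns the offending Resource ARNs and oss:Prefix patterns, sorted.
    Object-level ARNs are judged by their key pattern; a bucket-level ARN is
    judged by the oss:Prefix condition that scopes the listing.
    """
    bad = set()
    for st in policy["Statement"]:
        if not _applies_to(st, uid):
            continue
        for res in _as_list(st["Resource"]):
            if res.startswith(bucket_arn + "/"):
                key_pattern = res[len(bucket_arn) + 1:]
                if not any(key_pattern.startswith(p) for p in allowed_prefixes):
                    bad.add(res)
            elif res == bucket_arn:
                # A bucket-level listing grant is scoped only by oss:Prefix;
                # no Condition at all means the whole bucket can be listed.
                prefixes = st.get("Condition", {}).get("StringLike", {}).get("oss:Prefix")
                for p in (_as_list(prefixes) if prefixes else ["*"]):
                    if not any(p.startswith(a) for a in allowed_prefixes):
                        bad.add(p)
    return sorted(bad)


if __name__ == "__main__":
    print("public statements in Example 3:", unconditional_public_statements(EXAMPLE_3))
    print("Example 2 outside hangzhou/2020/ only:",
          scope_violations(EXAMPLE_2, "20214760404935xxxx", ["hangzhou/2020/"]))
```

Run against Example 2 with both intended prefixes, `scope_violations` returns nothing; narrow the allowed list to `hangzhou/2020/` alone and it reports both the `shanghai/2015/*` object ARN and the matching `oss:Prefix` pattern, which is the kind of drift that slips in when a policy is edited by hand. The same check run on Example 3 reports the `*` list prefix, because that statement has no Condition at all.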

Example 3: Grant all users the permissions to only list all objects in a bucket

The following code provides an example on how to configure a bucket policy to grant all users the permissions to only list all objects in a bucket named examplebucket:

{
    "Version": "1",
    "Statement": [
    {
        "Action": [
            "oss:ListObjects",
            "oss:ListObjectVersions"
        ],
        "Effect": "Allow",
        "Principal": [
            "*"
        ],
        "Resource": [
            "acs:oss:*:174649585760xxxx:examplebucket"
        ]
    }
  ]
}

Example 4: Grant all users the permissions to read all data and configurations of a bucket

The following code provides an example on how to grant all users the permissions to read all data and configurations of a bucket named examplebucket:

{
    "Version": "1",
    "Statement": [
    {
        "Action": [
            "oss:Get*",
            "oss:ListObjects",
            "oss:ListObjectVersions"
        ],
        "Effect": "Allow",
        "Principal": [
            "*"
        ],
        "Resource": [
            "acs:oss:*:174649585760xxxx:examplebucket"
        ]
    }
  ]
}

Example 5: Reject requests sent by users who do not use the specified VPC ID and internal CIDR block

The following code provides an example on how to configure a bucket policy to reject requests to access a bucket named examplebucket that do not originate from the 192.168.0.0/16 CIDR block inside the VPC whose ID is t4nlw426y44rd3iq4****. In this example, only requests sent from the specified CIDR block in the specified VPC are allowed to access examplebucket, and only when the requests also meet the other authentication conditions. Requests from any other source are not allowed to access the bucket. This example is mainly used to show how to restrict access sources.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "oss:GetObject"
            ],
            "Principal": [
                "*"
            ],
            "Resource": [
                "acs:oss:*:174649585760xxxx:examplebucket/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "acs:SourceVpc": [
                        "vpc-t4nlw426y44rd3iq4****"
                    ]
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": [
                "oss:GetObject"
            ],
            "Principal": [
                "*"
            ],
            "Resource": [
                "acs:oss:*:174649585760xxxx:examplebucket/*"
            ],
            "Condition": {
                "StringEquals": {
                    "acs:SourceVpc": [
                        "vpc-t4nlw426y44rd3iq4****"
                    ]
                },
                "NotIpAddress": {
                    "acs:SourceIp": [
                        "192.168.0.0/16"
                    ]
                }
            }
        }
    ]
}

Example 6: Reject requests sent by users who do not use the specified VPC ID and public IP address

The following code provides an example on how to configure a bucket policy to reject requests to access a bucket named examplebucket that come neither from the VPC whose ID is t4nlw426y44rd3iq4**** nor from the public IP address 192.0.2.0. In this example, only requests sent from the t4nlw426y44rd3iq4**** VPC or from the 192.0.2.0 public IP address are allowed to access examplebucket, and only when the requests also meet the other authentication conditions. Requests from any other source are not allowed to access the bucket. This example is mainly used to show how to restrict access sources.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "oss:GetObject"
            ],
            "Principal": [
                "*"
            ],
            "Resource": [
                "acs:oss:*:174649585760xxxx:examplebucket/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "acs:SourceVpc": [
                        "vpc-*"
                    ]
                },
                "NotIpAddress": {
                    "acs:SourceIp": [
                        "192.0.2.0"
                    ]
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": [
                "oss:GetObject"
            ],
            "Principal": [
                "*"
            ],
            "Resource": [
                "acs:oss:*:174649585760xxxx:examplebucket/*"
            ],
            "Condition": {
                "StringLike": {
                    "acs:SourceVpc": [
                        "vpc-*"
                    ]
                },
                "StringNotEquals": {
                    "acs:SourceVpc": [
                        "vpc-t4nlw426y44rd3iq4****"
                    ]
                }
            }
        }
    ]
}
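Deny-only policies such as Examples 5 and 6 are easy to get subtly wrong, because the intended result depends on how negated operators behave when a request carries no acs:SourceVpc key and on the order of Deny over Allow. The evaluator below is an added example written for this page, not Alibaba Cloud's policy engine: it implements only the subset of semantics these examples rely on, embeds copies of the Example 5 and Example 6 policy documents, and evaluates them against constructed request contexts (the RAM user UID, owner UID and masked VPC ID are taken from this page; the region `cn-hangzhou`, the object key `report.csv` and the source IP addresses are constructed). Its treatment of an absent condition key, of Deny precedence, and of the bucket-owner exemption described in the usage notes are assumptions of this script and should be confirmed against the OSS documentation for a real deployment.

```python
"""Offline evaluator for the source-restriction statements on this page.

Added example, not Alibaba Cloud's policy engine. Assumptions built in:
  * an explicit Deny wins over any Allow; a request matched by no statement
    gets "NoMatch" (the bucket policy neither grants nor denies it, so the
    caller's other permissions decide);
  * negated operators (StringNotEquals, StringNotLike, NotIpAddress) match
    when the condition key is absent from the request, which is how
    Examples 6 and 8 use "StringNotLike": {"acs:SourceVpc": ["vpc-*"]} to
    pick out requests arriving over the public endpoint;
  * per the usage notes, a '*' Principal without a Condition skips the
    bucket owner, while a '*' Principal with a Condition includes the owner.
"""
import fnmatch
import ipaddress
import json

OWNER_UID = "174649585760xxxx"            # bucket owner from the page
VPC_ID = "vpc-t4nlw426y44rd3iq4****"      # masked VPC ID from the page
# Constructed request-side ARN: a concrete region in place of the policy wildcard.
REQUEST_ARN = f"acs:oss:cn-hangzhou:{OWNER_UID}:examplebucket"
NEGATED = {"StringNotEquals", "StringNotLike", "NotIpAddress"}

# Copy of Example 5: allow only the 192.168.0.0/16 block inside the named VPC.
EXAMPLE_5 = json.loads('''{"Version": "1", "Statement": [
  {"Effect": "Deny", "Action": ["oss:GetObject"], "Principal": ["*"],
   "Resource": ["acs:oss:*:174649585760xxxx:examplebucket/*"],
   "Condition": {"StringNotEquals": {"acs:SourceVpc": ["vpc-t4nlw426y44rd3iq4****"]}}},
  {"Effect": "Deny", "Action": ["oss:GetObject"], "Principal": ["*"],
   "Resource": ["acs:oss:*:174649585760xxxx:examplebucket/*"],
   "Condition": {"StringEquals": {"acs:SourceVpc": ["vpc-t4nlw426y44rd3iq4****"]},
                 "NotIpAddress": {"acs:SourceIp": ["192.168.0.0/16"]}}}]}''')

# Copy of Example 6: allow the named VPC, or the public address 192.0.2.0.
EXAMPLE_6 = json.loads('''{"Version": "1", "Statement": [
  {"Effect": "Deny", "Action": ["oss:GetObject"], "Principal": ["*"],
   "Resource": ["acs:oss:*:174649585760xxxx:examplebucket/*"],
   "Condition": {"StringNotLike": {"acs:SourceVpc": ["vpc-*"]},
                 "NotIpAddress": {"acs:SourceIp": ["192.0.2.0"]}}},
  {"Effect": "Deny", "Action": ["oss:GetObject"], "Principal": ["*"],
   "Resource": ["acs:oss:*:174649585760xxxx:examplebucket/*"],
   "Condition": {"StringLike": {"acs:SourceVpc": ["vpc-*"]},
                 "StringNotEquals": {"acs:SourceVpc": ["vpc-t4nlw426y44rd3iq4****"]}}}]}''')


def condition_matches(operator, key, patterns, request):
    """Evaluate one condition clause against the request context."""
    value = request.get(key)
    if value is None:
        return operator in NEGATED   # assumption: an absent key satisfies negated operators
    if operator in ("StringEquals", "StringNotEquals"):
        hit = value in patterns
    elif operator in ("StringLike", "StringNotLike"):
        hit = any(fnmatch.fnmatchcase(value, p) for p in patterns)
    elif operator in ("IpAddress", "NotIpAddress"):
        addr = ipaddress.ip_address(value)
        hit = any(addr in ipaddress.ip_network(p, strict=False) for p in patterns)
    else:
        raise ValueError(f"unsupported condition operator: {operator}")
    return not hit if operator in NEGATED else hit


def statement_matches(st, request):
    """True when Principal, Action, Resource and every Condition clause apply."""
    principals = st["Principal"]
    if request["principal"] not in principals:
        if "*" not in principals:
            return False
        if request["principal"] == OWNER_UID and not st.get("Condition"):
            return False   # usage note: an unconditional '*' grant skips the owner
    if not any(fnmatch.fnmatchcase(request["action"], a) for a in st["Action"]):
        return False
    if not any(fnmatch.fnmatchcase(request["resource"], r) for r in st["Resource"]):
        return False
    return all(condition_matches(op, key, patterns, request)
               for op, keys in st.get("Condition", {}).items()
               for key, patterns in keys.items())


def evaluate(policy, request):
    """Deny if any Deny statement matches, else Allow if any Allow matches, else NoMatch."""
    decision = "NoMatch"
    for st in policy["Statement"]:
        if statement_matches(st, request):
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def request(principal, source_ip, vpc=None, action="oss:GetObject", key="report.csv"):
    """Constructed request context; key=None models a bucket-level call such as listing."""
    ctx = {"principal": principal, "action": action,
           "resource": REQUEST_ARN if key is None else f"{REQUEST_ARN}/{key}",
           "acs:SourceIp": source_ip}
    if vpc is not None:
        ctx["acs:SourceVpc"] = vpc
    return ctx


if __name__ == "__main__":
    user = "27737962156157xxxx"
    cases = [("named VPC, 192.168.1.10", request(user, "192.168.1.10", VPC_ID)),
             ("named VPC, 10.0.0.5", request(user, "10.0.0.5", VPC_ID)),
             ("other VPC", request(user, "10.0.0.5", "vpc-other")),
             ("public, 192.0.2.0", request(user, "192.0.2.0")),
             ("public, 203.0.113.7", request(user, "203.0.113.7"))]
    for label, policy in (("Example 5", EXAMPLE_5), ("Example 6", EXAMPLE_6)):
        for desc, ctx in cases:
            print(f"{label}: {desc:24} -> {evaluate(policy, ctx)}")
```

The useful output is the `NoMatch` rows: for Example 5 only the request from 192.168.1.10 inside the named VPC escapes both Deny statements, and for Example 6 both the named VPC (any address) and the public address 192.0.2.0 do, which matches the prose above each example. Everything else is denied, including a request from the bucket owner, since both policies set a Condition on a `*` Principal.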

Example 7: Reject requests sent by users who do not use the specified VPC ID

The following code provides an example on how to configure a bucket policy to reject requests to access a bucket named examplebucket from users who do not use the t4nlw426y44rd3iq4**** VPC ID:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "oss:GetObject"
            ],
            "Principal": [
                "*"
            ],
            "Resource": [
                "acs:oss:*:174649585760xxxx:examplebucket/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "acs:SourceVpc": [
                        "vpc-t4nlw426y44rd3iq4****"
                    ]
                }
            }
        }
    ]
}

Example 8: Reject requests sent by users who do not use the specified public IP address

The following code provides an example on how to configure a bucket policy to reject requests to access a bucket named examplebucket from users who do not use the 192.0.2.0 public IP address:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "oss:GetObject"
            ],
            "Principal": [
                "*"
            ],
            "Resource": [
                "acs:oss:*:174649585760xxxx:examplebucket/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "acs:SourceVpc": [
                        "vpc-*"
                    ]
                },
                "NotIpAddress": {
                    "acs:SourceIp": [
                        "192.0.2.0"
                    ]
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": [
                "oss:GetObject"
            ],
            "Principal": [
                "*"
            ],
            "Resource": [
                "acs:oss:*:174649585760xxxx:examplebucket/*"
            ],
            "Condition": {
                "StringLike": {
                    "acs:SourceVpc": [
                        "vpc-*"
                    ]
                }
            }
        }
    ]
}