Object Storage Service:Common examples of RAM policies

Last Updated:Apr 25, 2025

You can configure Resource Access Management (RAM) policies to manage the permissions of users, such as employees, systems, or applications, and the resources that can be accessed by these users. For example, you can create a RAM policy to authorize users to list and read objects stored in a specific bucket.

Attach a custom policy to a RAM user

  1. Create a custom policy.

    Use the examples in this topic as templates for your scenario and create a custom RAM policy by writing the policy document in script form. For more information, see Create a custom policy.

    For more information about the version number (Version) and authorization statements (Statement) in RAM policies, along with the effect (Effect), actions (Action), resources (Resource), and conditions (Condition, optional) in authorization statements, see RAM Policy.

    Important

    In Object Storage Service (OSS), you can set the Resource element to an asterisk wildcard character (*) to specify resources of a specific type. The format of Resource is acs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name}. For example, when Resource is set to acs:oss:*:*:mybucket/*, it indicates all resources in the mybucket bucket. When Resource is set to acs:oss:*:*:mybucket/abc*.txt, it indicates all files with the prefix abc and the .txt extension in the mybucket bucket.

  2. Attach the custom policy to a RAM user.

    Attach the RAM policy that you created in Step 1 to a RAM user. For more information, see Grant permissions to a RAM user.

Example 1: Authorize a RAM user to fully control a bucket

The following example shows how to authorize a RAM user to fully control a bucket named mybucket.

Warning

For security reasons, we recommend that you do not grant RAM users full control over a bucket used by mobile apps.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "oss:*",
            "Resource": [
                "acs:oss:*:*:mybucket",
                "acs:oss:*:*:mybucket/*"
            ]
        }
    ]
}

Example 2: Prohibit a RAM user from deleting multiple objects in a bucket

The following example shows how to prohibit a RAM user from deleting any file with the prefix abc and the .txt extension in a bucket named mybucket.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "oss:DeleteObject"
            ],
            "Resource": [
                "acs:oss:*:*:mybucket/abc*.txt"
            ]
        }
    ]
}

Example 3: Authorize a RAM user to list and read objects in a bucket

  • Authorize a RAM user to list and read objects in a bucket by using OSS SDKs or ossutil

    The following example shows how to authorize a RAM user to list and read all objects in a bucket named mybucket by using OSS SDKs or ossutil.

    Note

    The Resource element for the ListObjects action must specify the desired bucket as a whole (acs:oss:*:*:mybucket), because listing objects is a bucket-level operation.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "oss:ListObjects",
                "Resource": "acs:oss:*:*:mybucket"
            },
            {
                "Effect": "Allow",
                "Action": "oss:GetObject",
                "Resource": "acs:oss:*:*:mybucket/*"
            }
        ]
    }
  • Authorize a RAM user to list and read objects in a bucket by using the OSS console

    The following example shows how to authorize a RAM user to list and read all objects in a bucket named mybucket by using the OSS console.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListBuckets",
                    "oss:GetBucketStat",
                    "oss:GetBucketInfo",
                    "oss:GetBucketTagging",
                    "oss:GetBucketLifecycle",
                    "oss:GetBucketWorm",
                    "oss:GetBucketVersioning",
                    "oss:GetBucketAcl"
                ],
                "Resource": "acs:oss:*:*:*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListObjects",
                    "oss:GetBucketAcl"
                ],
                "Resource": "acs:oss:*:*:mybucket"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:GetObject",
                    "oss:GetObjectAcl"
                ],
                "Resource": "acs:oss:*:*:mybucket/*"
            }
        ]
    }

Example 4: Prohibit a RAM user from deleting a bucket

The following example shows how to prohibit a RAM user from deleting a bucket named mybucket.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "oss:*",
            "Resource": [
                "acs:oss:*:*:mybucket",
                "acs:oss:*:*:mybucket/*"
            ]
        },
        {
            "Effect": "Deny",
            "Action": [
                "oss:DeleteBucket"
            ],
            "Resource": [
                "acs:oss:*:*:mybucket"
            ]
        }
    ]
}

Example 5: Authorize a RAM user to access multiple directories in a bucket

Assume that a bucket named mybucket contains directories that represent the locations where the photos were taken. Each location directory contains subdirectories that represent the years when the photos were taken.

mybucket[Bucket]
  ├── beijing
  │   ├── 2014
  │   └── 2015
  ├── hangzhou
  │   ├── 2013
  │   ├── 2014
  │   └── 2015 
  └── qingdao
      ├── 2014
      └── 2015

You want to grant a RAM user read-only permissions on the mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/ directories. Directory-level authorization is an advanced use of RAM policies, and the policy you need depends on how the RAM user accesses the directories. The following RAM policies cover different access scenarios and are provided for reference only.

  • Grant a RAM user permissions to read only the content of files in the mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/ directories

    In this scenario, the RAM user knows the full paths of the objects that can be accessed. We recommend that you configure the RAM policy to authorize the RAM user to access the objects by using the full paths of the objects.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "oss:GetObject"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket/hangzhou/2014/*",
                    "acs:oss:*:*:mybucket/hangzhou/2015/*"
                ]
            }
        ]
    }
  • Grant a RAM user permissions to access the mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/ directories and list files in the directories by using ossutil

    The RAM user does not know which files the directories contain and uses ossutil or API operations to list them. In this case, you must also grant the ListObjects permission on the bucket, restricted to the two directory prefixes by a Condition on oss:Prefix.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "oss:GetObject"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket/hangzhou/2014/*",
                    "acs:oss:*:*:mybucket/hangzhou/2015/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListObjects"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket"
                ],
                "Condition":{
                    "StringLike":{
                        "oss:Prefix": [
                            "hangzhou/2014/*",
                            "hangzhou/2015/*"
                         ]
                    }
                }
            }
        ]
    }
  • Grant a RAM user permissions to access directories by using the OSS console

    When a RAM user accesses the mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/ directories by using the OSS console, the RAM user navigates from the root directory to the target directory level by level. The policy must therefore also allow listing the intermediate levels (the bucket root and hangzhou/) with the / delimiter, in addition to the target directories.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListBuckets",
                    "oss:GetBucketStat",
                    "oss:GetBucketInfo",
                    "oss:GetBucketTagging",
                    "oss:GetBucketLifecycle",
                    "oss:GetBucketWorm",
                    "oss:GetBucketVersioning",
                    "oss:GetBucketAcl"
                ],
                "Resource": [
                    "acs:oss:*:*:*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:GetObject",
                    "oss:GetObjectAcl"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket/hangzhou/2014/*",
                    "acs:oss:*:*:mybucket/hangzhou/2015/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListObjects"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket"
                ],
                "Condition": {
                    "StringLike": {
                        "oss:Delimiter": "/",
                        "oss:Prefix": [
                            "",
                            "hangzhou/",
                            "hangzhou/2014/*",
                            "hangzhou/2015/*"
                        ]
                    }
                }
            }
        ]
    }

Example 6: Prohibit a RAM user from deleting an object in a bucket

The following example shows how to prohibit a RAM user from deleting any object in a bucket named mybucket.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "oss:DeleteObject"
            ],
            "Resource": [
                "acs:oss:*:*:mybucket/*"
            ]
        }
    ]
}

Example 7: Prohibit a RAM user from accessing objects with specific tags

The following example shows how to add a Deny statement that prohibits a RAM user from accessing (GetObject) objects in the examplebucket bucket that carry both of the object tags status:ok and key1:value1.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "oss:GetObject"
            ],
            "Resource": [
                "acs:oss:*:174649585760xxxx:examplebucket/*"
            ],
            "Condition": {
                "StringEquals": {
                    "oss:ExistingObjectTag/status":"ok",
                    "oss:ExistingObjectTag/key1":"value1"
                }
            }
        }
    ]
}

Example 8: Authorize a RAM user to access OSS from specific IP addresses

  • Add IP address restrictions to an Allow statement

    The following example shows how to add IP address restrictions to an Allow statement to authorize a RAM user to read all objects in a bucket named mybucket only from the 192.168.0.0/16 and 198.51.100.0/24 CIDR blocks.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListBuckets",
                    "oss:GetBucketStat",
                    "oss:GetBucketInfo",
                    "oss:GetBucketTagging",
                    "oss:GetBucketAcl"
                ],
                "Resource": [
                    "acs:oss:*:*:*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListObjects",
                    "oss:GetObject"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket",
                    "acs:oss:*:*:mybucket/*"
                ],
                "Condition":{
                    "IpAddress": {
                        "acs:SourceIp": ["192.168.0.0/16", "198.51.100.0/24"]
                    }
                }
            }
        ]
    }
  • Add IP address restrictions to a Deny statement

    The following example shows how to add IP address restrictions to a Deny statement to prohibit RAM users whose source IP addresses are not in the 192.168.0.0/16 CIDR block from performing operations on OSS.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListBuckets",
                    "oss:GetBucketStat",
                    "oss:GetBucketInfo",
                    "oss:GetBucketTagging",
                    "oss:GetBucketAcl"
                ],
                "Resource": [
                    "acs:oss:*:*:*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListObjects",
                    "oss:GetObject"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket",
                    "acs:oss:*:*:mybucket/*"
                ]
            },
            {
                "Effect": "Deny",
                "Action": "oss:*",
                "Resource": [
                    "acs:oss:*:*:*"
                ],
                "Condition":{
                    "NotIpAddress": {
                        "acs:SourceIp": ["192.168.0.0/16"]
                    }
                }
            }
        ]
    }

    Note

    Because policy evaluation applies Deny first (an explicit Deny statement overrides any Allow statement), a user who accesses the content of mybucket from an IP address outside the 192.168.0.0/16 CIDR block is denied, and OSS returns a message indicating that the user has no permissions.
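To see how the Resource and Action wildcards described in Step 1 and the Deny-first rule in the note above play out, here is an added Python simulator, written for this topic and not part of Alibaba Cloud's RAM service. It approximates the documented evaluation rules for a single request; the ARNs, the account ID and the combined test policy (Example 5's prefix-restricted ListObjects statement plus Example 8's Deny statement) are constructed.

```python
import fnmatch
import ipaddress

def _match(pattern, value):
    # "*" in an Action or Resource pattern matches any run of characters, "/" included
    return fnmatch.fnmatchcase(value, pattern)

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _in_cidrs(ip, cidrs):
    # A bare address such as 192.168.0.1 is treated as a /32 network.
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

# Condition operators used on this page; each receives (wanted values, actual value).
_OPERATORS = {
    "StringEquals": lambda want, got: got in want,
    "StringLike": lambda want, got: any(_match(p, got) for p in want),
    "IpAddress": lambda want, got: _in_cidrs(got, want),
    "NotIpAddress": lambda want, got: not _in_cidrs(got, want),
}

def _condition_holds(condition, ctx):
    # Every operator/key pair must hold. A key the request does not carry
    # (e.g. ListObjects sent without oss:Prefix) makes the statement not apply.
    for op, keys in condition.items():
        for key, want in keys.items():
            if key not in ctx or not _OPERATORS[op](_as_list(want), ctx[key]):
                return False
    return True

def evaluate(policy, action, resource, ctx=None):
    """Return "Deny", "Allow" or "NoMatch" (implicit deny) for one request;
    ctx carries the request's condition keys (acs:SourceIp, oss:Prefix, ...)."""
    ctx = ctx or {}
    decision = "NoMatch"
    for st in policy["Statement"]:
        if not any(_match(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # Deny first: an explicit Deny overrides every Allow
        decision = "Allow"
    return decision

# Constructed test policy: Example 5's prefix-restricted ListObjects statement
# plus Example 8's Deny statement for source IPs outside 192.168.0.0/16.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "oss:GetObject",
         "Resource": "acs:oss:*:*:mybucket/hangzhou/2014/*"},
        {"Effect": "Allow", "Action": "oss:ListObjects",
         "Resource": "acs:oss:*:*:mybucket",
         "Condition": {"StringLike": {"oss:Prefix": ["hangzhou/2014/*"]}}},
        {"Effect": "Deny", "Action": "oss:*", "Resource": "acs:oss:*:*:*",
         "Condition": {"NotIpAddress": {"acs:SourceIp": ["192.168.0.0/16"]}}},
    ],
}
```

Calling evaluate(POLICY, "oss:GetObject", "acs:oss:cn-hangzhou:1234:mybucket/hangzhou/2014/a.jpg", {"acs:SourceIp": "203.0.113.9"}) returns "Deny" even though an Allow statement matches, which is the Deny-first behaviour the note describes.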

Example 9: Use RAM or STS to authorize other users to access OSS resources

Use RAM or STS to authorize a user whose IP address is 192.168.0.1 to use a Java SDK client to perform the following operations:

  • List objects whose names contain the prefix foo in the examplebucket bucket.

  • Upload, download, and delete objects whose names start with file in the examplebucket bucket.

The following RAM policy can meet the preceding access management requirements:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:GetBucketAcl",
                "oss:ListObjects"
            ],
            "Resource": [
                "acs:oss:*:177530505652xxxx:examplebucket"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "acs:UserAgent": "java-sdk",
                    "oss:Prefix": "foo"
                },
                "IpAddress": {
                    "acs:SourceIp": "192.168.0.1"
                }
            }
        },
        {
            "Action": [
                "oss:PutObject",
                "oss:GetObject",
                "oss:DeleteObject"
            ],
            "Resource": [
                "acs:oss:*:177530505652xxxx:examplebucket/file*"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "acs:UserAgent": "java-sdk"
                },
                "IpAddress": {
                    "acs:SourceIp": "192.168.0.1"
                }
            }
        }
    ]
}

Example 10: Use RAM policies to deny uploads of objects whose ACL is public-read or public-read-write

The following RAM policy prohibits users from uploading objects with an ACL of public-read or public-read-write to the examplebucket bucket:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "oss:PutObject",
                "oss:PutObjectAcl"
            ],
            "Resource": [
                "acs:oss:*:*:examplebucket",
                "acs:oss:*:*:examplebucket/*"
            ],
            "Condition": {
                "StringEquals": {
                    "oss:x-oss-object-acl": [
                        "public-read",
                        "public-read-write"
                    ]
                }
            }
        }
    ]
}

Example 11: Authorize a RAM user to use IMM

The following RAM policy grants a RAM user the permissions to use Intelligent Media Management (IMM):

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "oss:GetObject",
                "oss:PutObject",
                "oss:PostProcessTask",
                "oss:ProcessImm"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "imm:CreateOfficeConversionTask",
                "imm:GetWebofficeURL"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ram:PassRole",
            "Resource": "acs:ram:*:*:role/aliyunimmdefaultrole"
        }
    ]
}

Example 12: Authorize a RAM user to change the storage redundancy type

  • Grant a RAM user the permissions to change the storage redundancy type of a bucket

    The following RAM policy grants a RAM user the permissions to change the storage redundancy type of the mybucket bucket:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "oss:CreateBucketDataRedundancyTransition",
                    "oss:GetBucketDataRedundancyTransition",
                    "oss:ListBucketDataRedundancyTransition",
                    "oss:DeleteBucketDataRedundancyTransition"
                ],
                "Resource": "acs:oss:*:*:mybucket"
            }
        ]
    }
  • Grant a RAM user the permissions to change the storage redundancy types of all buckets

    Important

    The following RAM policy grants a RAM user the permissions to change the storage redundancy type of all buckets in the Alibaba Cloud account. Exercise caution when you grant these permissions to a RAM user.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "oss:CreateBucketDataRedundancyTransition",
                    "oss:GetBucketDataRedundancyTransition",
                    "oss:ListBucketDataRedundancyTransition",
                    "oss:DeleteBucketDataRedundancyTransition"
                ],
                "Resource": "acs:oss:*:*:*"
            }
        ]
    }

Example 13: Authorize a RAM user to create orders for OSS resource plans

The following RAM policy grants a RAM user the permissions to create orders for OSS resource plans.

Warning

After a RAM user creates an order for an OSS resource plan, the RAM user can contact the owner of the Alibaba Cloud account to pay for the order. If you want to authorize a RAM user to pay for OSS resource plan orders, you must grant the bss:PayOrder permission to the RAM user. bss:PayOrder is a high-risk permission that involves financial operations. We recommend that you do not grant this permission to RAM users unless necessary.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss:CreateOrder",
      "Resource": "acs:oss:*:*:*"
    }
  ]
}

Example 14: Authorize a RAM user to activate OSS

The following RAM policy grants a RAM user the permissions to activate OSS:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "oss:ActivateProduct",
            "Resource": "acs:oss:*:*:*"
        }
    ]
}

Example 15: Authorize a RAM user to read and write data in buckets with specific tags

The following RAM policy grants a RAM user the permissions to read and write data in buckets with the tag key1 and the tag value value1.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:ListBuckets",
                "oss:GetBucketStat",
                "oss:GetBucketInfo",
                "oss:GetBucketAcl",
                "oss:ListObjects",
                "oss:PutObject",
                "oss:GetObject"
            ],
            "Resource": [
                "acs:oss:*:*:*"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "oss:BucketTag/key1": "value1"
                }
            }
        }
    ]
}

Note

After the authorization is complete, this policy allows the RAM user to perform the specified operations only on OSS buckets that carry the tag key1=value1.

  • When you send a ListBuckets request by using OSS SDKs or ossutil, you must add tag parameters (such as tag-key=key1,tag-value=value1) to filter the results. If the policy is configured correctly, the response includes only buckets that carry the specified tag.

  • When you send a ListBuckets request from the OSS console, the request fails with an insufficient-permissions error because the console cannot attach tag parameters, so the request does not satisfy the condition (oss:BucketTag/key1=value1) in the policy.

  • Other operations, such as PutObject and GetObject, are also subject to this tag condition. Make sure that the target bucket carries the tag key1=value1.