All Products
Search
Document Center

Object Storage Service:Common examples of RAM policies

Last Updated:Jul 06, 2023

You can configure Resource Access Management (RAM) policies to manage the permissions of users, such as employees, systems, or applications, and control the resources that can be accessed by users. For example, you can create a RAM policy to authorize users to list and read the objects that are stored in a specific bucket.

Attach a custom policy to a RAM user

  1. Create a custom policy.

    You can create a custom RAM policy by combining your specific business requirements and examples provided in this example. For more information, see Create a custom policy.

    A RAM policy consists of the Version and Statement elements. A Statement element contains the Effect, Action, Resource, and Condition fields, in which the Condition field is optional. For more information, see Overview.

    Important

    In Object Storage Service (OSS), you can set Resource to an asterisk wildcard character (*) to specify resources of a specific type. The value of the Resource parameter follows the acs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name} format. For example, acs:oss:*:*:mybucket/* specifies all objects in mybucket, and acs:oss:*:*:mybucket/abc*.txt specifies all .txt objects whose names are prefixed with abc in mybucket.

  2. Attach the custom policy to a RAM user.

    Attach the RAM policy created in Step 1 to the user. For more information, see Grant permissions to the RAM user.

Example 1: Authorize a RAM user to completely control a bucket

The following RAM policy grants a RAM user full control over the mybucket bucket.

Warning

For security reasons, we recommend that you do not grant RAM users full control over a bucket used by mobile apps.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "oss:*",
            "Resource": [
                "acs:oss:*:*:mybucket",
                "acs:oss:*:*:mybucket/*"
            ]
        }
    ]
}

Example 2: Prohibit a RAM user from deleting multiple objects in a bucket

The following RAM policy prohibits a RAM user from deleting all .txt objects whose names are prefixed with abc in mybucket:

{
  "Version": "1",
  "Statement": [
        {
         "Effect": "Deny",
         "Action": [
           "oss:DeleteObject"
         ],
         "Resource": [
           "acs:oss:*:*:mybucket/abc*.txt"
         ]
     }
   ]
}

Example 3: Authorize a RAM user to list and read objects in a bucket

  • Authorize a RAM user to list and read objects in a bucket by using OSS SDKs or ossutil

    The following RAM policy authorizes a RAM user to list and read objects in a bucket named mybucket by using OSS SDKs or ossutil:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "oss:ListObjects",
                "Resource": "acs:oss:*:*:mybucket"
            },
            {
                "Effect": "Allow",
                "Action": "oss:GetObject",
                "Resource": "acs:oss:*:*:mybucket/*"
            }
        ]
    }
  • Authorize a RAM user to list and read objects in a bucket by using the OSS console

    The following RAM policy authorizes a RAM user to list and read all objects in a bucket named mybucket by using the OSS console:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                          "oss:ListBuckets",
                          "oss:GetBucketStat",
                          "oss:GetBucketInfo",
                          "oss:GetBucketTagging",
                          "oss:GetBucketLifecycle",
                          "oss:GetBucketWorm",                      
                          "oss:GetBucketVersioning", 
                          "oss:GetBucketAcl" 
                          ],    
                "Resource": "acs:oss:*:*:*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListObjects",
                    "oss:GetBucketAcl"
                ],
                "Resource": "acs:oss:*:*:mybucket"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:GetObject",
                    "oss:GetObjectAcl"
                ],
                "Resource": "acs:oss:*:*:mybucket/*"
            }
        ]
    }

Example 4: Prohibit a RAM user from deleting a bucket

The following RAM policy prohibits a RAM user from deleting a bucket named mybucket:

{
  "Version": "1",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": "oss:*",
          "Resource": [
              "acs:oss:*:*:mybucket",
              "acs:oss:*:*:mybucket/*"
          ]
      },
        {
         "Effect": "Deny",
         "Action": [
           "oss:DeleteBucket"
         ],
         "Resource": [
           "acs:oss:*:*:mybucket"
         ]
     }
   ]
}

Example 5: Authorize a RAM user to access multiple directories in a bucket

In this example, a bucket named mybucket is used to store photos. The bucket contains multiple directories that are named based on the locations where the photos were captured. Each directory contains subdirectories that are named based on the years when the photos were captured.

mybucket[Bucket]
  ├── beijing
  │   ├── 2014
  │   └── 2015
  ├── hangzhou
  │   ├── 2013
  │   ├── 2014
  │   └── 2015 
  └── qingdao
      ├── 2014
      └── 2015

For example, you want to grant a RAM user read-only permissions on the mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/ directories. Directory-level authorization is an advanced feature of RAM policies and requires RAM policies at different complexity levels based on actual use cases. The following RAM policies are suitable for different scenarios and are provided for reference only.

  • Grant a RAM user read-only permissions on objects in the mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/ directories

    In this scenario, the RAM user knows the full paths of the objects that can be accessed. We recommend that you configure the RAM policy to authorize the RAM user to access the object by using the full paths of the objects.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "oss:GetObject"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket/hangzhou/2014/*",
                    "acs:oss:*:*:mybucket/hangzhou/2015/*"
                ]
            }
        ]
    }
  • Grant a RAM user permissions to access the mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/ directories and list the objects in the directories by using ossutil

    In this scenario, the RAM user does not know the objects in the directories and can use ossutil or call API operations to obtain the information about the objects in the directories. In this case, the ListObjects permission must be specified in the policy.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "oss:GetObject"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket/hangzhou/2014/*",
                    "acs:oss:*:*:mybucket/hangzhou/2015/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListObjects"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket"
                ],
                "Condition":{
                    "StringLike":{
                        "oss:Prefix": [
                            "hangzhou/2014/*",
                        "hangzhou/2015/*"
                         ]
                    }
                }
            }
        ]
    }
  • Grant a RAM user permissions to access directories by using the OSS console

    In this scenario, the RAM user can use the OSS console to access the mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/ directories from the root directory by level.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                          "oss:ListBuckets",
                          "oss:GetBucketStat",
                          "oss:GetBucketInfo",
                          "oss:GetBucketTagging",
                          "oss:GetBucketLifecycle",
                          "oss:GetBucketWorm",                      
                          "oss:GetBucketVersioning", 
                          "oss:GetBucketAcl" 
                          ], 
                "Resource": [
                    "acs:oss:*:*:*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:GetObject",
                    "oss:GetObjectAcl"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket/hangzhou/2014/*",
                    "acs:oss:*:*:mybucket/hangzhou/2015/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListObjects"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket"
                ],
                "Condition": {
                    "StringLike": {
                        "oss:Delimiter": "/",
                        "oss:Prefix": [
                            "",
                            "hangzhou/",
                            "hangzhou/2014/*",
                            "hangzhou/2015/*"
                        ]
                    }
                }
            }
        ]
    }

Example 6: Prohibit a RAM user from deleting an object in a bucket

The following RAM policy prohibits a RAM user from deleting an object in the mybucket bucket:

{
  "Version": "1",
  "Statement": [
        {
         "Effect": "Deny",
         "Action": [
           "oss:DeleteObject"
         ],
         "Resource": [
           "acs:oss:*:*:mybucket/*"
         ]
     }
   ]
}

Example 7: Prohibit a RAM user from accessing objects with specific tags

The following RAM policy contains a Deny effect to prohibit a RAM user from accessing objects that are stored in the examplebucket bucket and have the status:ok and key1:value1 tags:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "oss:GetObject"
            ],
            "Resource": [
                "acs:oss:*:1746495857602745:examplebucket/*"
            ],
            "Condition": {
                "StringEquals": {
                    "oss:ExistingObjectTag/status":"ok",
                    "oss:ExistingObjectTag/key1":"value1"
                }
            }
        }
    ]
}

Example 8: Authorize a RAM user to access OSS from specific IP addresses

  • Allow access from specified IP addresses

    The following RAM policy authorizes a RAM user to read objects in the mybucket bucket from only IP addresses in the 192.168.0.0/16 and 198.51.100.0/24 CIDR blocks that are specified in the Allow statement:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                          "oss:ListBuckets",
                          "oss:GetBucketStat",
                          "oss:GetBucketInfo",
                          "oss:GetBucketTagging",
                          "oss:GetBucketAcl" 
                          ], 
                "Resource": [
                    "acs:oss:*:*:*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListObjects",
                    "oss:GetObject"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket",
                    "acs:oss:*:*:mybucket/*"
                ],
                "Condition":{
                    "IpAddress": {
                        "acs:SourceIp": ["192.168.0.0/16", "198.51.100.0/24"]
                    }
                }
            }
        ]
    }
  • Deny access from specified IP addresses

    The following RAM policy prohibits a RAM user from accessing OSS resources from IP addresses that are not in the 192.168.0.0/16 CIDR block that is specified in the Deny statement:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                          "oss:ListBuckets",
                          "oss:GetBucketStat",
                          "oss:GetBucketInfo",
                          "oss:GetBucketTagging",
                          "oss:GetBucketAcl" 
                          ], 
                "Resource": [
                    "acs:oss:*:*:*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListObjects",
                    "oss:GetObject"
                ],
                "Resource": [
                    "acs:oss:*:*:mybucket",
                    "acs:oss:*:*:mybucket/*"
                ]
            },
            {
                "Effect": "Deny",
                "Action": "oss:*",
                "Resource": [
                    "acs:oss:*:*:*"
                ],
                "Condition":{
                    "NotIpAddress": {
                        "acs:SourceIp": ["192.168.0.0/16"]
                    }
                }
            }
        ]
    }
    Note

    In a RAM policy, a Deny statement takes precedence over an Allow statement. Therefore, when a RAM user attempts to read data in the mybucket bucket from an IP address that is not in the 192.168.0.0/16 CIDR block, a no permission error is returned.

Example 9: Use RAM or STS to authorize users to access OSS resources

For example, you want to use RAM or Security Token Service (STS) to create a RAM policy to meet the following access management requirements:

  • Grant specific users permissions to access the bucket named mybucket and the objects whose names are prefixed with mybucket/file.

  • Authorize the users to call the following operations: GetBucketAcl, GetBucket, PutObject, GetObject, and DeleteObject.

  • In the Condition field, set UserAgent to java-sdk and the source IP address to 192.168.0.1. Only users that meet these conditions can access specified OSS resources.

  • Authorize the users to list only objects whose names are prefixed with foo.

The following RAM policy can meet the preceding access management requirements:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:GetBucketAcl",
                "oss:ListObjects"
            ],
            "Resource": [
                "acs:oss:*:177530505652XXXX:mybucket"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "acs:UserAgent": "java-sdk",
                    "oss:Prefix": "foo"
                },
                "IpAddress": {
                    "acs:SourceIp": "192.168.0.1"
                }
            }
        },
        {
            "Action": [
                "oss:PutObject",
                "oss:GetObject",
                "oss:DeleteObject"
            ],
            "Resource": [
                "acs:oss:*:177530505652XXXX:mybucket/file*"
            ],
            "Effect": "Allow",
            "Condition": {
               "StringEquals": {
                    "acs:UserAgent": "java-sdk"
                },
                "IpAddress": {
                    "acs:SourceIp": "192.168.0.1"
                }
            }
        }
    ]
}

Example 10: Use RAM policies to deny uploads of objects whose access control list (ACL) is public-read or public-read-write

The following RAM policy prohibits users from uploading objects with an ACL of public-read or public-read-write to the examplebucket bucket:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
       "oss:PutObject",
       "oss:PutObjectAcl"
       ],
      "Resource": [
        "acs:oss:*:*:examplebucket",
        "acs:oss:*:*:examplebucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "oss:x-oss-object-acl": [
            "public-read",
            "public-read-write"
          ]
        }
      }
    }
  ]
}

Example 11: Authorize a RAM user to use Intelligent Media Management (IMM) features

The following RAM policy grants a RAM user the permissions to use IMM features:

{
  "Version": "1",
  "Statement": [
        {
         "Effect": "Allow",
         "Action": [
           "oss:ProcessImm",
           "oss:ram:GetRole"
         ],
         "Resource": "*"
     }
   ]
}

Example 12: Authorize a RAM user to change the storage redundancy type

  • Grant the permissions to change the storage redundancy type of a bucket

    The following RAM policy grants a RAM user the permissions to change the storage redundancy type of the mybucket bucket:

    {
      "Version": "1",
      "Statement": [
            {
             "Effect": "Allow",
             "Action": [
               "oss:CreateBucketDataRedundancyTransition",
               "oss:GetBucketDataRedundancyTransition",
               "oss:ListBucketDataRedundancyTransition",
               "oss:DeleteBucketDataRedundancyTransition"
             ],
             "Resource": "acs:oss:*:*:mybucket"
         }
       ]
    }
  • Grant the permissions to change the storage redundancy types of all buckets

    Important

    The following RAM policy grants a RAM user to change the storage redundancy types of all buckets in the Alibaba Cloud account. We recommend that you exercise caution when you grant these permissions.

    {
      "Version": "1",
      "Statement": [
            {
             "Effect": "Allow",
             "Action": [
               "oss:CreateBucketDataRedundancyTransition",
               "oss:GetBucketDataRedundancyTransition",
               "oss:ListBucketDataRedundancyTransition",
               "oss:DeleteBucketDataRedundancyTransition"
             ],
             "Resource": "acs:oss:*:*:*"
         }
       ]
    }