You can configure Resource Access Management (RAM) policies to manage the permissions of users, such as employees, systems, or applications, and the resources that can be accessed by these users. For example, you can create a RAM policy to authorize users to list and read objects stored in a specific bucket.
Attach a custom policy to a RAM user
Create a custom policy.
You can refer to the examples described in this topic based on your actual scenarios and create a custom RAM policy by using scripts. For more information, see Create a custom policy.
For more information about the version number (Version) and authorization statements (Statement) in RAM policies, along with the effect (Effect), actions (Action), resources (Resource), and conditions (Condition, optional) in authorization statements, see RAM Policy.
ImportantIn Object Storage Service (OSS), you can set the Resource element to an asterisk wildcard character (*) to specify resources of a specific type. The format of Resource is
acs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name}. For example, when Resource is set toacs:oss:*:*:mybucket/*, it indicates all resources in the mybucket bucket. When Resource is set toacs:oss:*:*:mybucket/abc*.txt, it indicates all files with the prefix abc and the .txt extension in the mybucket bucket.Attach the custom policy to a RAM user.
Attach the RAM policy that you created in Step 1 to a RAM user. For more information, see Grant permissions to a RAM user.
Example 1: Authorize a RAM user to fully control a bucket
The following example shows how to authorize a RAM user to fully control a bucket named mybucket.
For security reasons, we recommend that you do not grant RAM users full control over a bucket used by mobile apps.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "oss:*",
"Resource": [
"acs:oss:*:*:mybucket",
"acs:oss:*:*:mybucket/*"
]
}
]
}Example 2: Prohibit a RAM user from deleting multiple objects in a bucket
The following example shows how to prohibit a RAM user from deleting all files with the prefix abc and the .txt extension in a bucket named mybucket.
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"oss:DeleteObject"
],
"Resource": [
"acs:oss:*:*:mybucket/abc*.txt"
]
}
]
}Example 3: Authorize a RAM user to list and read objects in a bucket
Authorize a RAM user to list and read objects in a bucket by using OSS SDKs or ossutil
The following example shows how to authorize a RAM user to list and read all objects in a bucket named
mybucketby using OSS SDKs or ossutil.NoteThe Resource element for the ListObjects action must specify all resources in the desired bucket.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "oss:ListObjects", "Resource": "acs:oss:*:*:mybucket" }, { "Effect": "Allow", "Action": "oss:GetObject", "Resource": "acs:oss:*:*:mybucket/*" } ] }Authorize a RAM user to list and read objects in a bucket by using the OSS console
The following example shows how to authorize a RAM user to list and read all objects in a bucket named
mybucketby using the OSS console.{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketInfo", "oss:GetBucketTagging", "oss:GetBucketLifecycle", "oss:GetBucketWorm", "oss:GetBucketVersioning", "oss:GetBucketAcl" ], "Resource": "acs:oss:*:*:*" }, { "Effect": "Allow", "Action": [ "oss:ListObjects", "oss:GetBucketAcl" ], "Resource": "acs:oss:*:*:mybucket" }, { "Effect": "Allow", "Action": [ "oss:GetObject", "oss:GetObjectAcl" ], "Resource": "acs:oss:*:*:mybucket/*" } ] }
Example 4: Prohibit a RAM user from deleting a bucket
The following example shows how to prohibit a RAM user from deleting a bucket named mybucket.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "oss:*",
"Resource": [
"acs:oss:*:*:mybucket",
"acs:oss:*:*:mybucket/*"
]
},
{
"Effect": "Deny",
"Action": [
"oss:DeleteBucket"
],
"Resource": [
"acs:oss:*:*:mybucket"
]
}
]
}Example 5: Authorize a RAM user to access multiple directories in a bucket
Assume that a bucket named mybucket contains directories that represent the locations where the photos were taken. Each location directory contains subdirectories that represent the years when the photos were taken.
mybucket[Bucket]
├── beijing
│ ├── 2014
│ └── 2015
├── hangzhou
│ ├── 2013
│ ├── 2014
│ └── 2015
└── qingdao
├── 2014
└── 2015You want to grant a RAM user read-only permissions on the mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/ directories. Directory-level authorization is an advanced feature of RAM policies and requires RAM policies at different complexity levels based on actual scenarios. The following RAM policies are suitable for different scenarios and are provided for reference only.
Grant a RAM user permissions to read only the content of files in the
mybucket/hangzhou/2014/andmybucket/hangzhou/2015/directoriesIn this scenario, the RAM user knows the full paths of the objects that can be accessed. We recommend that you configure the RAM policy to authorize the RAM user to access the objects by using the full paths of the objects.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:GetObject" ], "Resource": [ "acs:oss:*:*:mybucket/hangzhou/2014/*", "acs:oss:*:*:mybucket/hangzhou/2015/*" ] } ] }Grant a RAM user permissions to access the
mybucket/hangzhou/2014/andmybucket/hangzhou/2015/directories and list files in the directories by using ossutilThe RAM user does not know which files are contained in the directories. In this case, the RAM user can use ossutil or API operations to obtain directory information. You must add the
ListObjectspermission.{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:GetObject" ], "Resource": [ "acs:oss:*:*:mybucket/hangzhou/2014/*", "acs:oss:*:*:mybucket/hangzhou/2015/*" ] }, { "Effect": "Allow", "Action": [ "oss:ListObjects" ], "Resource": [ "acs:oss:*:*:mybucket" ], "Condition":{ "StringLike":{ "oss:Prefix": [ "hangzhou/2014/*", "hangzhou/2015/*" ] } } } ] }Grant a RAM user permissions to access directories by using the OSS console
When a RAM user accesses the
mybucket/hangzhou/2014/andmybucket/hangzhou/2015/directories by using the OSS console, the RAM user can navigate from the root directory to the target directory level by level.{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketInfo", "oss:GetBucketTagging", "oss:GetBucketLifecycle", "oss:GetBucketWorm", "oss:GetBucketVersioning", "oss:GetBucketAcl" ], "Resource": [ "acs:oss:*:*:*" ] }, { "Effect": "Allow", "Action": [ "oss:GetObject", "oss:GetObjectAcl" ], "Resource": [ "acs:oss:*:*:mybucket/hangzhou/2014/*", "acs:oss:*:*:mybucket/hangzhou/2015/*" ] }, { "Effect": "Allow", "Action": [ "oss:ListObjects" ], "Resource": [ "acs:oss:*:*:mybucket" ], "Condition": { "StringLike": { "oss:Delimiter": "/", "oss:Prefix": [ "", "hangzhou/", "hangzhou/2014/*", "hangzhou/2015/*" ] } } } ] }
Example 6: Prohibit a RAM user from deleting an object in a bucket
The following example shows how to prohibit a RAM user from deleting any object in a bucket named mybucket.
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"oss:DeleteObject"
],
"Resource": [
"acs:oss:*:*:mybucket/*"
]
}
]
}Example 7: Prohibit a RAM user from accessing objects with specific tags
The following example shows how to add a Deny policy to prohibit a RAM user from accessing objects with the object tag status:ok and key1:value1 in the examplebucket bucket.
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"oss:GetObject"
],
"Resource": [
"acs:oss:*:174649585760xxxx:examplebucket/*"
],
"Condition": {
"StringEquals": {
"oss:ExistingObjectTag/status":"ok",
"oss:ExistingObjectTag/key1":"value1"
}
}
}
]
}Example 8: Authorize a RAM user to access OSS from specific IP addresses
Add IP address restrictions to an
AllowstatementThe following example shows how to add IP address restrictions to an
Allowstatement to authorize a RAM user to read all objects in a bucket namedmybucketonly from the192.168.0.0/16and198.51.100.0/24CIDR blocks.{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketInfo", "oss:GetBucketTagging", "oss:GetBucketAcl" ], "Resource": [ "acs:oss:*:*:*" ] }, { "Effect": "Allow", "Action": [ "oss:ListObjects", "oss:GetObject" ], "Resource": [ "acs:oss:*:*:mybucket", "acs:oss:*:*:mybucket/*" ], "Condition":{ "IpAddress": { "acs:SourceIp": ["192.168.0.0/16", "198.51.100.0/24"] } } } ] }Add IP address restrictions to a
DenystatementThe following example shows how to add IP address restrictions to a
Denystatement to prohibit RAM users whose source IP addresses are not in the192.168.0.0/16CIDR block from performing operations on OSS.{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketInfo", "oss:GetBucketTagging", "oss:GetBucketAcl" ], "Resource": [ "acs:oss:*:*:*" ] }, { "Effect": "Allow", "Action": [ "oss:ListObjects", "oss:GetObject" ], "Resource": [ "acs:oss:*:*:mybucket", "acs:oss:*:*:mybucket/*" ] }, { "Effect": "Deny", "Action": "oss:*", "Resource": [ "acs:oss:*:*:*" ], "Condition":{ "NotIpAddress": { "acs:SourceIp": ["192.168.0.0/16"] } } } ] }NoteBecause the authentication rule of permission policies is Deny First, when a user accesses the content of mybucket from an IP address that is not in the
192.168.0.0/16CIDR block, OSS returns a message indicating that the user has no permissions.
Example 9: Use RAM or STS to authorize other users to access OSS resources
Use RAM or STS to authorize a user whose IP address is 192.168.0.1 to use a Java SDK client to perform the following operations:
List objects whose names contain the prefix
fooin the examplebucket bucket.Upload, download, and delete objects whose names start with
filein the examplebucket bucket.
The following RAM policy can meet the preceding access management requirements:
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:GetBucketAcl",
"oss:ListObjects"
],
"Resource": [
"acs:oss:*:177530505652xxxx:mybucket"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"acs:UserAgent": "java-sdk",
"oss:Prefix": "foo"
},
"IpAddress": {
"acs:SourceIp": "192.168.0.1"
}
}
},
{
"Action": [
"oss:PutObject",
"oss:GetObject",
"oss:DeleteObject"
],
"Resource": [
"acs:oss:*:177530505652xxxx:mybucket/file*"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"acs:UserAgent": "java-sdk"
},
"IpAddress": {
"acs:SourceIp": "192.168.0.1"
}
}
}
]
}Example 10: Use RAM policies to deny uploads of objects whose ACL is public-read or public-read-write
The following RAM policy prohibits users from uploading objects with an ACL of public-read or public-read-write to the examplebucket bucket:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"oss:PutObject",
"oss:PutObjectAcl"
],
"Resource": [
"acs:oss:*:*:examplebucket",
"acs:oss:*:*:examplebucket/*"
],
"Condition": {
"StringEquals": {
"oss:x-oss-object-acl": [
"public-read",
"public-read-write"
]
}
}
}
]
}Example 11: Authorize a RAM user to use IMM
The following RAM policy grants a RAM user the permissions to use Intelligent Media Management (IMM):
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:GetObject",
"oss:PutObject",
"oss:PostProcessTask",
"oss:ProcessImm"
],
"Resource": "*"
},
{
"Action": [
"imm:CreateOfficeConversionTask",
"imm:GetWebofficeURL"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": "ram:PassRole",
"Resource": "acs:ram:*:*:role/aliyunimmdefaultrole"
}
]
}Example 12: Authorize a RAM user to change the storage redundancy type
Grant a RAM user the permissions to change the storage redundancy type of a bucket.
The following RAM policy grants a RAM user the permissions to change the storage redundancy type of the mybucket bucket:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:CreateBucketDataRedundancyTransition", "oss:GetBucketDataRedundancyTransition", "oss:ListBucketDataRedundancyTransition", "oss:DeleteBucketDataRedundancyTransition" ], "Resource": "acs:oss:*:*:mybucket" } ] }Grant a RAM user the permissions to change the storage redundancy types of all buckets.
ImportantThe following RAM policy grants a RAM user the permissions to change the storage redundancy type of all buckets in the Alibaba Cloud account. Exercise caution when you grant these permissions to a RAM user.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:CreateBucketDataRedundancyTransition", "oss:GetBucketDataRedundancyTransition", "oss:ListBucketDataRedundancyTransition", "oss:DeleteBucketDataRedundancyTransition" ], "Resource": "acs:oss:*:*:*" } ] }
Example 13: Authorize a RAM user to create orders for OSS resource plans
The following RAM policy grants a RAM user the permissions to create orders for OSS resource plans.
After a RAM user creates an order for an OSS resource plan, the RAM user can contact the owner of the Alibaba Cloud account to pay for the order. If you want to authorize a RAM user to pay for OSS resource plan orders, you must grant the bss:PayOrder permission to the RAM user. bss:PayOrder is a high-risk permission that involves financial operations. We recommend that you do not grant this permission to RAM users unless necessary.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "oss:CreateOrder",
"Resource": "acs:oss:*:*:*"
}
]
}Example 14: Authorize a RAM user to activate OSS
The following RAM policy grants a RAM user the permissions to activate OSS:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "oss:ActivateProduct",
"Resource": "acs:oss:*:*:*"
}
]
}Example 15: Authorize a RAM user to read and write data in buckets with specific tags
The following RAM policy grants a RAM user the permissions to read and write data in buckets with the tag key1 and the tag value value1.
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:ListBuckets",
"oss:GetBucketStat",
"oss:GetBucketInfo",
"oss:GetBucketAcl",
"oss:ListObjects",
"oss:PutObject",
"oss:GetObject"
],
"Resource": [
"acs:oss:*:*:*"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"oss:BucketTag/key1": "value1"
}
}
}
]
}After the authorization is complete, this policy allows users to perform specified operations on OSS buckets with the tag key1=value1.
When you use OSS SDKs or ossutil to send a
ListBucketsrequest, you need to add tag parameters (such astag-key=key1,tag-value=value1) to filter the results. If the policy is configured correctly, the returned results will only include buckets with the specified tag.When you verify the
ListBucketsrequest through the OSS console, the request will fail due to insufficient permissions because the console cannot attach tag parameters, which does not meet the condition restriction (oss:BucketTag/key1=value1) in the policy.Other operations (such as
PutObject,GetObject, etc.) are also subject to this tag condition restriction. You need to ensure that the target bucket meets the tag requirement ofkey1=value1.