Object Storage Service:Manage the permissions of users of OSS on CloudBox buckets with RAM policies

Last Updated:Nov 23, 2025

Configure Resource Access Management (RAM) policies to manage the permissions of users, such as employees, systems, or applications, and the resources that can be accessed by the users. For example, you can create a RAM policy to authorize users to read specific resources.

Prerequisites

  • OSS on CloudBox is supported only in the China (Hangzhou), China (Shanghai), China (Shenzhen), China (Heyuan), China (Beijing), and China (Chengdu) regions.

  • A cloud box is purchased. For more information, see Purchase a cloud box.

  • A Virtual Private Cloud (VPC) and a vSwitch are created in the OSS on CloudBox. For more information, see Create a VPC and a vSwitch.

  • A VPC internal network is set up, and a single tunnel is configured to provide a secure connection. To apply for this feature, contact technical support.

Attach a custom policy to a RAM user

  1. Create a custom policy.

    Use the examples in this topic that match your actual scenario as a reference, and create the custom policy by using a script.

    For more information, see Create custom policies.

    Important

    In OSS on CloudBox, you can use the asterisk (*) wildcard character in the Resource element to specify all resources of a specific type. The value of the Resource element is in the following format: acs:oss-cloudbox:{region}:{bucket_owner}:cloudbox/{cloudbox_id}/bucket/{bucket_name}/object/{object_name}.

    • For example, if the Resource element is set to acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/*, all resources in the examplebucket OSS on CloudBox bucket are specified, and the ID of the cloud box to which the OSS on CloudBox bucket belongs is cb-f8z7yvzgwfkl9q0h****.

    • If the Resource element is set to acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/object/abc*.txt, all .txt objects whose names contain the abc prefix in the examplebucket OSS on CloudBox bucket are specified, and the ID of the cloud box to which the OSS on CloudBox bucket belongs is cb-f8z7yvzgwfkl9q0h****.

  2. Attach the custom policy to a RAM user.

    Attach the RAM policy that is created in Step 1 to the RAM user. For more information, see Grant permissions to a RAM user.

Example 1: Authorize a RAM user to fully control an OSS on CloudBox bucket

The following RAM policy grants a RAM user full control over the examplebucket OSS on CloudBox bucket. The ID of the cloud box to which the OSS on CloudBox bucket belongs is cb-f8z7yvzgwfkl9q0h****.

Warning

Granting a RAM user full control over an OSS on CloudBox bucket is a high-risk operation. To ensure data security, we recommend that you do not grant a RAM user full control over an OSS on CloudBox bucket.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "oss-cloudbox:*",
            "Resource": [
                "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket",
                "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/*"
            ]
        }
    ]
}

Example 2: Prohibit a RAM user from deleting multiple objects in an OSS on CloudBox bucket

The following RAM policy prohibits a RAM user from deleting any of the .txt objects whose names contain the abc prefix in the examplebucket OSS on CloudBox bucket. The ID of the cloud box to which the OSS on CloudBox bucket belongs is cb-f8z7yvzgwfkl9q0h****.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "oss-cloudbox:DeleteObject"
            ],
            "Resource": [
                "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/object/abc*.txt"
            ]
        }
    ]
}

Example 3: Authorize a RAM user to list and read objects in an OSS on CloudBox bucket

  • Authorize a RAM user to list and read objects in an OSS on CloudBox bucket by using OSS SDKs or ossutil

    The following RAM policy authorizes a RAM user to list and read all objects in the examplebucket OSS on CloudBox bucket by using OSS SDKs or ossutil. The ID of the cloud box to which the OSS on CloudBox bucket belongs is cb-f8z7yvzgwfkl9q0h****.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "oss-cloudbox:ListObjects",
                "Resource": "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket"
            },
            {
                "Effect": "Allow",
                "Action": "oss-cloudbox:GetObject",
                "Resource": "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/*"
            }
        ]
    }
  • Authorize a RAM user to list and read objects in an OSS on CloudBox bucket by using the OSS console

    The following RAM policy authorizes a RAM user to list and read all objects in the examplebucket OSS on CloudBox bucket by using the OSS console. The ID of the cloud box to which the OSS on CloudBox bucket belongs is cb-f8z7yvzgwfkl9q0h****.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "oss-cloudbox:ListBuckets",
                    "oss-cloudbox:GetBucketInfo",
                    "oss-cloudbox:GetBucketLifecycle",
                    "oss-cloudbox:GetBucketVersioning",
                    "oss-cloudbox:GetBucketAcl"
                ],
                "Resource": "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss-cloudbox:ListObjects",
                    "oss-cloudbox:GetBucketAcl"
                ],
                "Resource": "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss-cloudbox:GetObject",
                    "oss-cloudbox:GetObjectAcl"
                ],
                "Resource": "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/*"
            }
        ]
    }

Example 4: Prohibit a RAM user from deleting an OSS on CloudBox bucket

The following RAM policy prohibits a RAM user from deleting the examplebucket OSS on CloudBox bucket. The ID of the cloud box to which the OSS on CloudBox bucket belongs is cb-f8z7yvzgwfkl9q0h****.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "oss-cloudbox:*",
            "Resource": [
                "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket",
                "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/*"
            ]
        },
        {
            "Effect": "Deny",
            "Action": [
                "oss-cloudbox:DeleteBucket"
            ],
            "Resource": [
                "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket"
            ]
        }
    ]
}

Example 5: Authorize a RAM user to access multiple directories in an OSS on CloudBox bucket

In this example, an OSS on CloudBox bucket named mybucket is used to store photos. The OSS on CloudBox bucket contains multiple directories that are named based on the locations where the photos were captured. Each directory contains subdirectories that are named based on the years when the photos were captured.

mybucket[Bucket]
  ├── beijing
  │   ├── 2014
  │   └── 2015
  ├── hangzhou
  │   ├── 2013
  │   ├── 2014
  │   └── 2015
  └── qingdao
      ├── 2014
      └── 2015

For example, you want to grant a RAM user read-only permissions on the mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/ directories. Directory-level authorization is an advanced feature of RAM policies, and the complexity of the required policy depends on the actual scenario. The following RAM policies are suitable for different scenarios and are provided for reference only.

  • Grant a RAM user the read-only permissions on objects in the examplebucket/hangzhou/2014/ and examplebucket/hangzhou/2015/ directories

    In this scenario, the RAM user knows the full paths of the objects that can be accessed. We recommend that you configure the RAM policy to authorize the RAM user to access the objects by using the full paths of the objects.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "oss-cloudbox:GetObject"
                ],
                "Resource": [
                    "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/object/hangzhou/2014/*",
                    "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/object/hangzhou/2015/*"
                ]
            }
        ]
    }
  • Grant a RAM user the permissions to access the examplebucket/hangzhou/2014/ and examplebucket/hangzhou/2015/ directories and list the objects in the directories by using ossutil

    In this scenario, the RAM user does not know the objects in the directories and can use ossutil or call API operations to obtain information about the objects in the directories. In this case, the ListObjects permission must be specified in the policy.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "oss-cloudbox:GetObject"
                ],
                "Resource": [
                    "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/object/hangzhou/2014/*",
                    "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/object/hangzhou/2015/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss-cloudbox:ListObjects"
                ],
                "Resource": [
                    "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket"
                ],
                "Condition":{
                    "StringLike":{
                        "oss-cloudbox:Prefix": [
                            "hangzhou/2014/*",
                            "hangzhou/2015/*"
                         ]
                    }
                }
            }
        ]
    }
  • Grant a RAM user the permissions to access directories by using the OSS console

    In this scenario, the RAM user can use the OSS console to navigate level by level from the root directory to the mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/ directories.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "oss-cloudbox:ListBuckets",
                    "oss-cloudbox:GetBucketInfo",
                    "oss-cloudbox:GetBucketLifecycle",
                    "oss-cloudbox:GetBucketVersioning",
                    "oss-cloudbox:GetBucketAcl"
                ],
                "Resource": [
                    "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss-cloudbox:GetObject",
                    "oss-cloudbox:GetObjectAcl"
                ],
                "Resource": [
                    "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/object/hangzhou/2014/*",
                    "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/object/hangzhou/2015/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss-cloudbox:ListObjects"
                ],
                "Resource": [
                    "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket"
                ],
                "Condition": {
                    "StringLike": {
                        "oss-cloudbox:Delimiter": "/",
                        "oss-cloudbox:Prefix": [
                            "",
                            "hangzhou/",
                            "hangzhou/2014/*",
                            "hangzhou/2015/*"
                        ]
                    }
                }
            }
        ]
    }

Example 6: Prohibit a RAM user from deleting an object from an OSS on CloudBox bucket

The following RAM policy prohibits a RAM user from deleting an object from the examplebucket OSS on CloudBox bucket. The ID of the cloud box to which the OSS on CloudBox bucket belongs is cb-f8z7yvzgwfkl9q0h****.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "oss-cloudbox:DeleteObject"
            ],
            "Resource": [
                "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/*"
            ]
        }
    ]
}

Example 7: Prohibit a RAM user from accessing objects that have specific tags

The following RAM policy contains a Deny statement that prohibits a RAM user from accessing objects that are stored in the examplebucket OSS on CloudBox bucket and have the status:ok and key1:value1 tags. The ID of the cloud box to which the OSS on CloudBox bucket belongs is cb-f8z7yvzgwfkl9q0h****.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "oss-cloudbox:GetObject"
            ],
            "Resource": [
                "acs:oss-cloudbox:*:174649585760****:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/*"
            ],
            "Condition": {
                "StringEquals": {
                    "oss-cloudbox:ExistingObjectTag/status":"ok",
                    "oss-cloudbox:ExistingObjectTag/key1":"value1"
                }
            }
        }
    ]
}

Example 8: Authorize a RAM user to access OSS on CloudBox from specific IP addresses

  • Allow access from specific IP addresses

    The following RAM policy authorizes a RAM user to read all objects in the examplebucket OSS on CloudBox bucket from only IP addresses in the 192.168.0.0/16 and 198.51.100.0/24 CIDR blocks that are specified in the Allow statement. The ID of the cloud box to which the OSS on CloudBox bucket belongs is cb-f8z7yvzgwfkl9q0h****.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "oss-cloudbox:ListBuckets",
                    "oss-cloudbox:GetBucketInfo",
                    "oss-cloudbox:GetBucketAcl"
                ],
                "Resource": [
                    "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss-cloudbox:ListObjects",
                    "oss-cloudbox:GetObject"
                ],
                "Resource": [
                    "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket",
                    "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/*"
                ],
                "Condition": {
                    "IpAddress": {
                        "acs:SourceIp": ["192.168.0.0/16", "198.51.100.0/24"]
                    }
                }
            }
        ]
    }
  • Deny access from specific IP addresses

    The following RAM policy prohibits a RAM user from accessing objects in the examplebucket OSS on CloudBox bucket from IP addresses that are not in the 192.168.0.0/16 CIDR block that is specified in the Deny statement. The ID of the cloud box to which the OSS on CloudBox bucket belongs is cb-f8z7yvzgwfkl9q0h****.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "oss-cloudbox:ListBuckets",
                    "oss-cloudbox:GetBucketInfo",
                    "oss-cloudbox:GetBucketAcl"
                ],
                "Resource": [
                    "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss-cloudbox:ListObjects",
                    "oss-cloudbox:GetObject"
                ],
                "Resource": [
                    "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket",
                    "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/*"
                ]
            },
            {
                "Effect": "Deny",
                "Action": "oss-cloudbox:*",
                "Resource": [
                    "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/*"
                ],
                "Condition": {
                    "NotIpAddress": {
                        "acs:SourceIp": ["192.168.0.0/16"]
                    }
                }
            }
        ]
    }
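The following Python script is an added example, not part of this topic and not Alibaba Cloud's RAM engine: it models how the policies in Examples 4, 5 (ossutil variant) and 8 (deny variant) are evaluated, covering wildcard matching in the Action and Resource elements, an explicit Deny overriding an Allow, and the StringLike, IpAddress and NotIpAddress conditions. The cloud box ID and bucket name are the ones used in this topic; the region, account ID and request values are constructed placeholders.

```python
"""Simplified model of RAM policy evaluation (added example, not Alibaba Cloud's engine).
Assumed rules: only '*' is a wildcard; explicit Deny beats Allow; no Allow means refused."""
import ipaddress
import re

CLOUDBOX = "cb-f8z7yvzgwfkl9q0h****"  # cloud box ID used throughout this topic
BUCKET = f"acs:oss-cloudbox:*:*:cloudbox/{CLOUDBOX}/bucket/examplebucket"

def _wild(pattern, value):
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), value) is not None

def _any(patterns, value):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(_wild(p, value) for p in patterns)

def _condition_holds(operator, key, wanted, ctx):
    wanted = wanted if isinstance(wanted, list) else [wanted]
    if key not in ctx:  # a condition on a key the request does not carry never matches
        return False
    if operator == "StringEquals":
        return ctx[key] in wanted
    if operator == "StringLike":
        return _any(wanted, ctx[key])
    ip = ipaddress.ip_address(ctx[key])
    inside = any(ip in ipaddress.ip_network(c, strict=False) for c in wanted)
    return inside if operator == "IpAddress" else not inside  # NotIpAddress

def evaluate(policy, request):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request dict."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not (_any(st["Action"], request["action"]) and _any(st["Resource"], request["resource"])):
            continue
        if not all(_condition_holds(op, k, v, request)
                   for op, kv in st.get("Condition", {}).items() for k, v in kv.items()):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit Deny wins regardless of statement order
        decision = "Allow"
    return decision

def request(action, resource, ctx=None):
    # Constructed request: region and account ID are placeholders, not real values
    arn = f"acs:oss-cloudbox:cn-hangzhou:123456789012****:cloudbox/{CLOUDBOX}/{resource}"
    return {"action": action, "resource": arn, **(ctx or {})}

# Example 4: full control over examplebucket, but DeleteBucket is explicitly denied
EXAMPLE_4 = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss-cloudbox:*", "Resource": [BUCKET, BUCKET + "/*"]},
    {"Effect": "Deny", "Action": ["oss-cloudbox:DeleteBucket"], "Resource": [BUCKET]}]}
# Example 5 (ossutil variant): ListObjects only under the two hangzhou prefixes
EXAMPLE_5_LIST = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss-cloudbox:ListObjects"], "Resource": [BUCKET],
     "Condition": {"StringLike": {"oss-cloudbox:Prefix": ["hangzhou/2014/*", "hangzhou/2015/*"]}}}]}
# Example 8 (deny variant): read access, denied for every source IP outside 192.168.0.0/16
EXAMPLE_8_DENY_IP = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss-cloudbox:ListObjects", "oss-cloudbox:GetObject"],
     "Resource": [BUCKET, BUCKET + "/*"]},
    {"Effect": "Deny", "Action": "oss-cloudbox:*", "Resource": [f"acs:oss-cloudbox:*:*:cloudbox/{CLOUDBOX}/*"],
     "Condition": {"NotIpAddress": {"acs:SourceIp": ["192.168.0.0/16"]}}}]}
```

Calling evaluate(EXAMPLE_4, request("oss-cloudbox:DeleteBucket", "bucket/examplebucket")) returns "Deny" even though the first statement allows oss-cloudbox:*, which is the point of Example 4.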

Example 9: Use RAM or STS to authorize users to access OSS resources

Use RAM or Security Token Service (STS) to authorize a user whose IP address is 192.168.0.1 to perform the following operations by using the OSS SDK for Java client:

  • List objects whose names contain the foo prefix in the examplebucket OSS on CloudBox bucket

  • Upload, download, and delete objects whose names contain the file prefix in the examplebucket OSS on CloudBox bucket

The following RAM policy can meet the preceding access management requirements:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss-cloudbox:GetBucketAcl",
                "oss-cloudbox:ListObjects"
            ],
            "Resource": [
                "acs:oss-cloudbox:*:177530505652XXXX:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "acs:UserAgent": "java-sdk",
                    "oss-cloudbox:Prefix": "foo"
                },
                "IpAddress": {
                    "acs:SourceIp": "192.168.0.1"
                }
            }
        },
        {
            "Action": [
                "oss-cloudbox:PutObject",
                "oss-cloudbox:GetObject",
                "oss-cloudbox:DeleteObject"
            ],
            "Resource": [
                "acs:oss-cloudbox:*:177530505652XXXX:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/object/file*"
            ],
            "Effect": "Allow",
            "Condition": {
               "StringEquals": {
                    "acs:UserAgent": "java-sdk"
                },
                "IpAddress": {
                    "acs:SourceIp": "192.168.0.1"
                }
            }
        }
    ]
}