Common examples of RAM policies configured for OSS on CloudBox users

Updated at:
Copy as MD

Use Resource Access Management (RAM) policies to control what employees, systems, or applications can do with your OSS on CloudBox resources. A RAM policy grants or denies specific actions on specific resources — for example, allowing read-only access to a single bucket or blocking all delete operations.

Prerequisites

Before you begin, ensure that you have:

  • An active cloud box in one of the supported regions: China (Hangzhou), China (Shanghai), China (Shenzhen), China (Heyuan), China (Beijing), or China (Chengdu)

  • A purchased cloud box. For more information, see Purchase a cloud box

  • A Virtual Private Cloud (VPC) and a vSwitch created in OSS on CloudBox. For more information, see Create a VPC and a vSwitch

  • A VPC internal network set up with a single tunnel configured for secure connection. To apply for this feature, contact technical support

Attach a custom policy to a RAM user

  1. Create a custom policy. Use the examples in this topic as a reference for your scenario and create the policy using the script editor. For more information, see Create custom policies.

    Important

    The Resource element uses the following format for OSS on CloudBox:

    acs:oss-cloudbox:{region}:{bucket_owner}:cloudbox/{cloudbox_id}/bucket/{bucket_name}/object/{object_name}

    Use the asterisk (*) wildcard to match resources of a specific type:

    • acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/* — all resources in the examplebucket OSS on CloudBox bucket (cloud box ID: cb-f8z7yvzgwfkl9q0h****)

    • acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/object/abc*.txt — all .txt objects whose names start with abc in the same bucket

  2. Attach the custom policy to a RAM user. For more information, see Grant permissions to a RAM user.

Example 1: Authorize a RAM user to fully control an OSS on CloudBox bucket

This policy grants a RAM user full control over examplebucket (cloud box ID: cb-f8z7yvzgwfkl9q0h****). It allows all oss-cloudbox actions on both the bucket itself and all objects inside it.

Warning

Granting full control over an OSS on CloudBox bucket is a high-risk operation. To ensure data security, do not grant a RAM user full control over an OSS on CloudBox bucket unless absolutely necessary.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "oss-cloudbox:*",
            "Resource": [
                "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket",
                "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/*"
            ]
        }
    ]
}

Example 2: Prohibit a RAM user from deleting objects that match a pattern in an OSS on CloudBox bucket

This policy denies DeleteObject on all .txt objects whose names start with abc in examplebucket (cloud box ID: cb-f8z7yvzgwfkl9q0h****). Because Deny takes precedence over any Allow, this restriction applies even if the user has a broader allow policy.

{
  "Version": "1",
  "Statement": [
        {
         "Effect": "Deny",
         "Action": [
           "oss-cloudbox:DeleteObject"
         ],
         "Resource": [
           "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/object/abc*.txt"
         ]
     }
   ]
}

Example 3: Authorize a RAM user to list and read objects in an OSS on CloudBox bucket

The required actions differ depending on whether the user accesses OSS on CloudBox through SDKs/ossutil or through the OSS console. The console makes additional metadata API calls that must be explicitly allowed.

Via OSS SDKs or ossutil

This policy grants ListObjects on the bucket and GetObject on all objects inside examplebucket (cloud box ID: cb-f8z7yvzgwfkl9q0h****).

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "oss-cloudbox:ListObjects",
            "Resource": "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket"
        },
        {
            "Effect": "Allow",
            "Action": "oss-cloudbox:GetObject",
            "Resource": "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/*"
        }
    ]
}

Via the OSS console

The OSS console requires additional bucket metadata actions to render the bucket list and object view. This policy grants those actions alongside ListObjects and GetObject on examplebucket (cloud box ID: cb-f8z7yvzgwfkl9q0h****).

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                      "oss-cloudbox:ListBuckets",
                      "oss-cloudbox:GetBucketInfo",
                      "oss-cloudbox:GetBucketLifecycle",
                      "oss-cloudbox:GetBucketVersioning",
                      "oss-cloudbox:GetBucketAcl"
                      ],
            "Resource": "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "oss-cloudbox:ListObjects",
                "oss-cloudbox:GetBucketAcl"
            ],
            "Resource": "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket"
        },
        {
            "Effect": "Allow",
            "Action": [
                "oss-cloudbox:GetObject",
                "oss-cloudbox:GetObjectAcl"
            ],
            "Resource": "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/*"
        }
    ]
}

Example 4: Prohibit a RAM user from deleting an OSS on CloudBox bucket

This policy combines a broad Allow for all actions with a Deny specifically for DeleteBucket. Because Deny takes precedence, the RAM user can perform any operation on examplebucket (cloud box ID: cb-f8z7yvzgwfkl9q0h****) except delete the bucket itself.

{
  "Version": "1",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": "oss-cloudbox:*",
          "Resource": [
              "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket",
              "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/*"
          ]
      },
        {
         "Effect": "Deny",
         "Action": [
           "oss-cloudbox:DeleteBucket"
         ],
         "Resource": [
           "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket"
         ]
     }
   ]
}

Example 5: Authorize a RAM user to access multiple directories in an OSS on CloudBox bucket

This example uses mybucket, which stores photos organized by location and year:

mybucket[Bucket]
  ├── beijing
  │   ├── 2014
  │   └── 2015
  ├── hangzhou
  │   ├── 2013
  │   ├── 2014
  │   └── 2015
  └── qingdao
      ├── 2014
      └── 2015

The goal is to grant a RAM user read-only access to mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/. Three variants cover different access patterns, from simplest to most permissive.

Grant read-only access by full object path

Use this variant when the RAM user knows the exact paths of the objects to access. GetObject is granted on the two target directory prefixes in examplebucket (cloud box ID: cb-f8z7yvzgwfkl9q0h****). No ListObjects permission is needed.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "oss-cloudbox:GetObject"
            ],
            "Resource": [
                "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/object/hangzhou/2014/*",
                "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/object/hangzhou/2015/*"
            ]
        }
    ]
}

Grant access to directories via ossutil

Use this variant when the RAM user needs to discover objects within the directories using ossutil or API calls. ListObjects is added with a StringLike prefix condition that restricts listing to the two target directories only.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "oss-cloudbox:GetObject"
            ],
            "Resource": [
                "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/object/hangzhou/2014/*",
                "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/object/hangzhou/2015/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "oss-cloudbox:ListObjects"
            ],
            "Resource": [
                "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket"
            ],
            "Condition":{
                "StringLike":{
                    "oss-cloudbox:Prefix": [
                        "hangzhou/2014/*",
                        "hangzhou/2015/*"
                     ]
                }
            }
        }
    ]
}

Grant access to directories via the OSS console

Use this variant when the RAM user needs to navigate from the root directory level by level through the OSS console. This requires additional bucket metadata actions, and the ListObjects condition is expanded to allow intermediate path segments ("", "hangzhou/") so the console can traverse the directory hierarchy.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                          "oss-cloudbox:ListBuckets",
                          "oss-cloudbox:GetBucketInfo",
                          "oss-cloudbox:GetBucketLifecycle",
                          "oss-cloudbox:GetBucketVersioning",
                          "oss-cloudbox:GetBucketAcl"
                          ],
            "Resource": [
                "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "oss-cloudbox:GetObject",
                "oss-cloudbox:GetObjectAcl"
            ],
            "Resource": [
                "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/object/hangzhou/2014/*",
                "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/object/hangzhou/2015/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "oss-cloudbox:ListObjects"
            ],
            "Resource": [
                "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket"
            ],
            "Condition": {
                "StringLike": {
                    "oss-cloudbox:Delimiter": "/",
                    "oss-cloudbox:Prefix": [
                        "",
                        "hangzhou/",
                        "hangzhou/2014/*",
                        "hangzhou/2015/*"
                    ]
                }
            }
        }
    ]
}

Example 6: Prohibit a RAM user from deleting an object from an OSS on CloudBox bucket

This policy denies DeleteObject on all objects in examplebucket (cloud box ID: cb-f8z7yvzgwfkl9q0h****).

{
  "Version": "1",
  "Statement": [
        {
         "Effect": "Deny",
         "Action": [
           "oss-cloudbox:DeleteObject"
         ],
         "Resource": [
           "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/*"
         ]
     }
   ]
}

Example 7: Prohibit a RAM user from accessing objects that have specific tags

This policy denies GetObject on all objects in examplebucket (account ID: 174649585760**�PH1�**) that have both the status:ok and key1:value1 tags. Both tag conditions must match simultaneously (AND relationship).

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "oss-cloudbox:GetObject"
            ],
            "Resource": [
                "acs:oss-cloudbox:*:174649585760****:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/*"
            ],
            "Condition": {
                "StringEquals": {
                    "oss-cloudbox:ExistingObjectTag/status":"ok",
                    "oss-cloudbox:ExistingObjectTag/key1":"value1"
                }
            }
        }
    ]
}

Example 8: Authorize a RAM user to access OSS on CloudBox from specific IP addresses

Allow access from specific IP addresses

This policy allows ListObjects and GetObject on examplebucket (cloud box ID: cb-f8z7yvzgwfkl9q0h****) only from IP addresses in the 192.168.0.0/16 and 198.51.100.0/24 CIDR blocks.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                          "oss-cloudbox:ListBuckets",
                          "oss-cloudbox:GetBucketInfo",
                          "oss-cloudbox:GetBucketAcl"
                          ],
            "Resource": [
                "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "oss-cloudbox:ListObjects",
                "oss-cloudbox:GetObject"
            ],
            "Resource": [
                "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket",
                "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/*"
            ],
            "Condition":{
                "IpAddress": {
                    "acs:SourceIp": ["192.168.0.0/16", "198.51.100.0/24"]
                }
            }
        }
    ]
}

Deny access from IP addresses outside a specific range

This policy allows ListObjects and GetObject on examplebucket but explicitly denies all oss-cloudbox actions from any IP address outside 192.168.0.0/16. Because Deny takes precedence, requests from outside that CIDR block are rejected even if an Allow would otherwise apply.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                          "oss-cloudbox:ListBuckets",
                          "oss-cloudbox:GetBucketInfo",
                          "oss-cloudbox:GetBucketAcl"
                          ],
            "Resource": [
                "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "oss-cloudbox:ListObjects",
                "oss-cloudbox:GetObject"
            ],
            "Resource": [
                "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket",
                "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/*"
            ]
        },
        {
            "Effect": "Deny",
            "Action": "oss-cloudbox:*",
            "Resource": [
                "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/*"
            ],
            "Condition":{
                "NotIpAddress": {
                    "acs:SourceIp": ["192.168.0.0/16"]
                }
            }
        }
    ]
}

Example 9: Use RAM or STS to authorize users with multiple conditions

This policy uses RAM or Security Token Service (STS) to grant a user at IP address 192.168.0.1, using OSS SDK for Java, two sets of permissions on examplebucket (account ID: 177530505652XXXX, cloud box ID: cb-f8z7yvzgwfkl9q0h****):

  • GetBucketAcl and ListObjects on the bucket, scoped to objects with the foo prefix

  • PutObject, GetObject, and DeleteObject on objects with the file prefix

All statements require both a matching acs:UserAgent (java-sdk) and a matching acs:SourceIp (192.168.0.1).

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss-cloudbox:GetBucketAcl",
                "oss-cloudbox:ListObjects"
            ],
            "Resource": [
                "acs:oss-cloudbox:*:177530505652XXXX:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "acs:UserAgent": "java-sdk",
                    "oss-cloudbox:Prefix": "foo"
                },
                "IpAddress": {
                    "acs:SourceIp": "192.168.0.1"
                }
            }
        },
        {
            "Action": [
                "oss-cloudbox:PutObject",
                "oss-cloudbox:GetObject",
                "oss-cloudbox:DeleteObject"
            ],
            "Resource": [
                "acs:oss-cloudbox:*:177530505652XXXX:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/object/file*"
            ],
            "Effect": "Allow",
            "Condition": {
               "StringEquals": {
                    "acs:UserAgent": "java-sdk"
                },
                "IpAddress": {
                    "acs:SourceIp": "192.168.0.1"
                }
            }
        }
    ]
}