
Object Storage Service: Grant the same permissions on multiple buckets by using a resource group

Last Updated: Mar 19, 2026

Managing permissions bucket by bucket is tedious when you run many OSS buckets with shared access requirements. A resource group lets you group buckets that need the same permissions and authorize all of them at once.

When to use a resource group

Use a resource group when you manage multiple buckets under a single Alibaba Cloud account and need to apply the same permissions to a subset of those buckets without repeating configuration for each one.

For example, if your company stores test data in 20 buckets and you want all employees to have read-only access to 10 buckets and read-write access to the other 10, assign the first 10 to one resource group and the second 10 to another. Grant permissions once per group rather than once per bucket.

When a resource group is not the right fit:

  • You have only one or two buckets — grant permissions directly at the bucket level instead.

  • You need to grant access across multiple Alibaba Cloud accounts — resource groups operate within a single account.

Limits

| Limit | Detail |
| --- | --- |
| Bucket membership | A bucket can belong to only one resource group |
| Cross-region | A resource group can contain buckets from different regions |
| Cross-account transfers | Buckets can only be moved between resource groups owned by the same Alibaba Cloud account |

Prerequisites

Before you begin, make sure you have:

  • An Alibaba Cloud account with OSS buckets already created

  • Access to the RAM console and the Resource Management console

  • RAM (Resource Access Management) users added to your account (required for the console workflow)

Grant permissions by using the OSS console

This procedure uses the 20-bucket scenario described above. The goal is to grant all employees (RAM users) read-only access to ResourcegroupA (10 buckets) and read-write access to ResourcegroupB (10 buckets). A RAM user group, UserGroup1, applies the same permissions to all employees at once.

Step 1: Create a user group and add RAM users

  1. Log on to the RAM console.

  2. Create a user group named UserGroup1. For details, see Create a RAM user group.

  3. Add all RAM users who need bucket access to UserGroup1. For details, see Add a RAM user to a RAM user group.

Step 2: Create resource groups

  1. Log on to the Resource Management console.

  2. In the left navigation pane, choose Resource Group > Resource Group.

  3. On the Resource Group page, click Create Resource Group.

  4. In the Create Resource Group panel, set Resource Group Name to ResourcegroupA and Resource Group Identifier to Group1.

  5. Click OK. The status shows Creating. After about 3 seconds, click the refresh icon to refresh the resource group list. When the status changes to Available, the group is ready.

  6. Repeat these steps to create ResourcegroupB.

Step 3: Assign buckets to resource groups

  1. Log on to the OSS console.

  2. Click Buckets, then click the bucket you want to assign (for example, examplebucket1).

  3. Choose Bucket Settings > Resource Group.

  4. On the Resource Group page, click Settings.

  5. Select ResourcegroupA from the Resource Group dropdown and click Save.

  6. Repeat for each bucket: assign the 10 read-only buckets to ResourcegroupA and the 10 read-write buckets to ResourcegroupB.

Step 4: Grant permissions to resource groups

  1. Log on to the Resource Management console. In the left navigation pane, choose Resource Group > Resource Group.

  2. Find ResourcegroupA in the list and click Manage Permission in the Actions column.

  3. On the Permissions tab, click Grant Permission.

  4. In the Grant Permission panel, configure the following parameters:

    | Parameter | Value |
    | --- | --- |
    | Authorized scope | Select Specific Resource Group, then select ResourcegroupA |
    | Principal | Enter UserGroup1 |
    | Select policy | Select System Policy, then click AliyunOSSReadOnlyAccess |

  5. Click OK, then click Complete.

  6. Repeat these steps for ResourcegroupB, but select the AliyunOSSFullAccess policy instead.

All RAM users in UserGroup1 now have read-only access to buckets in ResourcegroupA and read-write access to buckets in ResourcegroupB.

Assign a bucket to a resource group by using an SDK or CLI

Resource group configuration is supported in the OSS SDKs for Java, Python, and Go. All examples use the PutBucketResourceGroup operation and load credentials from the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables.

For an SDK overview, see Overview.

Python

import argparse
import alibabacloud_oss_v2 as oss

parser = argparse.ArgumentParser(description="Assign a bucket to a resource group")
parser.add_argument('--region', help='The region where the bucket is located.', required=True)
parser.add_argument('--bucket', help='The name of the bucket.', required=True)
parser.add_argument('--endpoint', help='The OSS endpoint (optional)')
parser.add_argument('--resource_group_id',
                    help='The resource group ID (optional, defaults to the default resource group)',
                    default='')

def main():
    args = parser.parse_args()

    # Load credentials from environment variables OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET
    credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()

    cfg = oss.config.load_default()
    cfg.credentials_provider = credentials_provider
    cfg.region = args.region

    if args.endpoint is not None:
        cfg.endpoint = args.endpoint

    client = oss.Client(cfg)

    result = client.put_bucket_resource_group(oss.PutBucketResourceGroupRequest(
        bucket=args.bucket,
        bucket_resource_group_configuration=oss.BucketResourceGroupConfiguration(
            resource_group_id=args.resource_group_id,
        ),
    ))

    print(f'status code: {result.status_code}, request id: {result.request_id}')

if __name__ == "__main__":
    main()

Java

import com.aliyun.oss.*;
import com.aliyun.oss.common.auth.*;
import com.aliyun.oss.common.comm.SignVersion;
import com.aliyun.oss.model.SetBucketResourceGroupRequest;

public class Demo {
    public static void main(String[] args) throws Throwable {
        // Replace with your actual endpoint, for example: https://oss-cn-hangzhou.aliyuncs.com
        String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
        // Load credentials from environment variables OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET
        EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();
        // Replace with your bucket name
        String bucketName = "examplebucket";
        // Replace with the resource group ID, for example: rg-aekz****
        String rgId = "rg-aekz****";
        // Replace with the region where your bucket is located
        String region = "cn-hangzhou";

        ClientBuilderConfiguration clientBuilderConfiguration = new ClientBuilderConfiguration();
        clientBuilderConfiguration.setSignatureVersion(SignVersion.V4);
        OSS ossClient = OSSClientBuilder.create()
            .endpoint(endpoint)
            .credentialsProvider(credentialsProvider)
            .clientConfiguration(clientBuilderConfiguration)
            .region(region)
            .build();

        try {
            SetBucketResourceGroupRequest setBucketResourceGroupRequest = new SetBucketResourceGroupRequest(bucketName, rgId);
            ossClient.setBucketResourceGroup(setBucketResourceGroupRequest);
        } catch (OSSException oe) {
            System.out.println("Error Message: " + oe.getErrorMessage());
            System.out.println("Error Code: " + oe.getErrorCode());
            System.out.println("Request ID: " + oe.getRequestId());
            System.out.println("Host ID: " + oe.getHostId());
        } catch (ClientException ce) {
            System.out.println("Error Message: " + ce.getMessage());
        } finally {
            if (ossClient != null) {
                ossClient.shutdown();
            }
        }
    }
}

Go

package main

import (
    "context"
    "flag"
    "log"

    "github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
    "github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
)

var (
    region     string
    bucketName string
)

func init() {
    flag.StringVar(&region, "region", "", "The region where the bucket is located.")
    flag.StringVar(&bucketName, "bucket", "", "The name of the bucket.")
}

func main() {
    flag.Parse()

    // Replace with your resource group ID. If you do not specify a resource group ID, the bucket belongs to the default resource group.
    var groupId string = "rg-aekz****"

    if len(bucketName) == 0 {
        flag.PrintDefaults()
        log.Fatalf("invalid parameters, bucket name required")
    }

    if len(region) == 0 {
        flag.PrintDefaults()
        log.Fatalf("invalid parameters, region required")
    }

    cfg := oss.LoadDefaultConfig().
        WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
        WithRegion(region)

    client := oss.NewClient(cfg)

    request := &oss.PutBucketResourceGroupRequest{
        Bucket: oss.Ptr(bucketName),
        BucketResourceGroupConfiguration: &oss.BucketResourceGroupConfiguration{
            ResourceGroupId: oss.Ptr(groupId),
        },
    }

    result, err := client.PutBucketResourceGroup(context.TODO(), request)
    if err != nil {
        log.Fatalf("failed to put bucket resource group: %v", err)
    }

    log.Printf("put bucket resource group result: %#v\n", result)
}

Use ossutil

Install ossutil before running the command. For installation instructions, see Install ossutil.

Run the following command to assign examplebucket to the resource group with ID rg-123:

ossutil api put-bucket-resource-group --bucket examplebucket --resource-group-configuration "{\"ResourceGroupId\":\"rg-123\"}"

For the full command reference, see put-bucket-resource-group.
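
Because permissions follow group membership, a bucket placed in ResourcegroupB by mistake gives every user in UserGroup1 the AliyunOSSFullAccess policy on it. The following added example (not part of the original documentation) checks a planned bucket-to-group mapping against the one-group-per-bucket limit, compares it with an observed mapping, and emits the ossutil command shown above for each misplaced bucket. The resource group IDs, the bucket names and the observed mapping are constructed placeholders; how the observed mapping is collected is left out.

```python
import json
import shlex

# Constructed placeholders: substitute the real IDs of ResourcegroupA and ResourcegroupB.
RG_READONLY = "rg-EXAMPLE-A"
RG_READWRITE = "rg-EXAMPLE-B"


def build_plan(groups):
    """Invert {resource_group_id: [buckets]} into {bucket: resource_group_id}.

    Raises ValueError if a bucket is listed under two groups, because a bucket
    can belong to only one resource group.
    """
    plan = {}
    for rg_id, buckets in groups.items():
        for bucket in buckets:
            if plan.get(bucket, rg_id) != rg_id:
                raise ValueError(f"{bucket} is listed under {plan[bucket]} and {rg_id}")
            plan[bucket] = rg_id
    return plan


def find_drift(plan, observed):
    """Return {bucket: (observed_group, planned_group)} for every mismatch.

    A bucket absent from `observed` is reported with observed_group None.
    """
    return {bucket: (observed.get(bucket), planned)
            for bucket, planned in sorted(plan.items())
            if observed.get(bucket) != planned}


def ossutil_command(bucket, rg_id):
    """Build the page's ossutil call with shell-safe quoting of the JSON body."""
    body = json.dumps({"ResourceGroupId": rg_id}, separators=(",", ":"))
    return ("ossutil api put-bucket-resource-group "
            f"--bucket {shlex.quote(bucket)} "
            f"--resource-group-configuration {shlex.quote(body)}")


if __name__ == "__main__":
    plan = build_plan({
        RG_READONLY: [f"examplebucket{i}" for i in range(1, 11)],
        RG_READWRITE: [f"examplebucket{i}" for i in range(11, 21)],
    })
    # Constructed observation: examplebucket3 was put in the read-write group.
    observed = dict(plan, examplebucket3=RG_READWRITE)
    for bucket, (seen, planned) in find_drift(plan, observed).items():
        print(f"# {bucket}: in {seen}, expected {planned}")
        print(ossutil_command(bucket, planned))
```

Review the printed commands before running them; each one moves a bucket and therefore changes who can access it.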

API reference

All methods above call the PutBucketResourceGroup API operation. To call it directly, include signature calculation in your code. For details, see PutBucketResourceGroup.