
Object Storage Service: Configure a resource group

Last Updated: Jul 19, 2023

A resource group is a resource-based access control method. You can group your buckets based on your business requirements and configure different permissions for different resource groups. This way, you can manage access to your buckets by group.

Background information

Enterprise users may create multiple Alibaba Cloud accounts to isolate resources for different projects, subsidiaries, and departments. However, this makes it hard for enterprise users to manage, monitor, and audit the resources that reside in these Alibaba Cloud accounts in a unified manner.


Object Storage Service (OSS) allows users to create resource groups to classify resources in an Alibaba Cloud account based on business scenarios. This way, the users within an enterprise can use resource groups to efficiently manage resources in their projects.


Usage notes

  • Resource groups are supported for buckets in the following regions: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), US (Silicon Valley), US (Virginia), Japan (Tokyo), Singapore, Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), India (Mumbai), Germany (Frankfurt), UK (London), and UAE (Dubai).

  • A resource group can contain buckets in different regions. A bucket can belong to only one resource group.

  • Buckets can be transferred only between resource groups that are created by the same owner.

Use the OSS console

In the following example, the test data of different departments in your company is stored in 20 buckets. You want to allow all your employees to write and read data stored in 10 of the buckets and only read data stored in the other 10 buckets. If you do not use resource groups, you must separately configure required permissions for each bucket. If you use resource groups, you can add buckets that require the same permissions to a resource group and configure the required permissions for the resource group. This way, you can efficiently configure and manage access to all the buckets.

You can also create user groups to grant the same permissions to multiple RAM users (your employees). A user group functions similarly to a resource group.

  1. Create a user group named UserGroup1 and add RAM users to the group.

    Create a user group named UserGroup1 in the RAM console. For more information, see Create a user group. After UserGroup1 is created, add all RAM users that need to access data in your buckets to the user group. For more information, see Add a RAM user to a RAM user group.

  2. Create resource groups.

    1. Log on to the Resource Management console.

    2. In the left-side navigation pane, click Resource Group.

    3. On the Resource Group page, click Create Resource Group.

    4. In the Create Resource Group panel, configure the Display Name and Resource Group Identifier parameters. In this example, set Display Name to ResourcegroupA and set Resource Group Identifier to Group1.

    5. Click Submit.

      After you click OK, the status of the resource group is Creating. Wait for approximately 3 seconds and click the refresh icon. If the status of the resource group becomes Available, ResourcegroupA is created.

    6. Repeat the preceding steps to create a resource group named ResourcegroupB.

  3. Select resource groups for all your buckets.

    1. Log on to the OSS console.

    2. Click Buckets, and then click the bucket examplebucket1.

    3. Choose Bucket Settings > Resource Group.

    4. Click Settings.

    5. Select ResourcegroupA for Resource Group and click Save.

    6. Repeat the preceding steps for the remaining buckets: select ResourcegroupA for the buckets that all your employees are allowed only to read, and select ResourcegroupB for the buckets that all your employees are allowed to read and write.

  4. Configure permissions required to access resource groups.

    1. Log on to the Resource Management console. In the left-side navigation pane, click Resource Group.

    2. Click Manage Permission in the Actions column that corresponds to ResourcegroupA.

    3. On the page that appears, click Grant Permission.

    4. In the Grant Permission panel, configure the parameters described in the following table.



      Authorized Scope: Select Specific Resource Group. Then, select ResourcegroupA from the drop-down list.

      Principal: Enter UserGroup1.

      Select Policy: Select System Policy. In the Authorization Policy Name column, click AliyunOSSReadOnlyAccess to authorize RAM users in UserGroup1 to only read objects in buckets in ResourcegroupA.

    5. Click Submit.

    6. Repeat the preceding steps to grant the AliyunOSSFullAccess policy to RAM users in UserGroup1 to authorize the RAM users to read and write objects in buckets in ResourcegroupB.
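Because the permissions in this walkthrough are attached to resource groups rather than to buckets, a bucket placed in the wrong group silently inherits the wrong access. The following added example (not part of the original page and not Alibaba Cloud code) compares an intended placement plan with the observed placement and flags buckets where UserGroup1 would gain unintended write access. The function name, the severity labels, the sample bucket placements, and the use of group names instead of resource group IDs are assumptions; the observed placement is assumed to have been collected separately.

```python
"""Added example: audit bucket-to-resource-group placement (hypothetical helper)."""
from dataclasses import dataclass

# Access each resource group grants to UserGroup1 in the walkthrough above.
GROUP_ACCESS = {"ResourcegroupA": "read-only", "ResourcegroupB": "read-write"}


@dataclass(frozen=True)
class Finding:
    bucket: str
    severity: str   # "high" = users gain write access they should not have
    detail: str


def audit_placement(planned, actual):
    """Compare the intended bucket -> group plan with the observed placement.

    planned / actual: dict mapping bucket name -> resource group name. A dict
    models the OSS rule that a bucket belongs to exactly one resource group.
    """
    findings = []
    for bucket in sorted(set(planned) | set(actual)):
        want, have = planned.get(bucket), actual.get(bucket)
        if want == have:
            continue
        want_access = GROUP_ACCESS.get(want, "none")
        have_access = GROUP_ACCESS.get(have, "none")
        if have_access == "read-write" and want_access != "read-write":
            severity = "high"    # over-privileged: unintended write access
        elif have_access == "none":
            severity = "low"     # group-scoped grants do not cover the bucket
        else:
            severity = "medium"  # less access than planned, or unplanned read access
        findings.append(Finding(bucket, severity,
                                f"planned={want or 'unlisted'} ({want_access}), "
                                f"actual={have or 'missing'} ({have_access})"))
    return findings


# Constructed sample data: bucket names and placements are illustrative only.
PLANNED = {"examplebucket1": "ResourcegroupA", "examplebucket2": "ResourcegroupA",
           "examplebucket3": "ResourcegroupB"}
ACTUAL = {"examplebucket1": "ResourcegroupA", "examplebucket2": "ResourcegroupB",
          "examplebucket3": "default", "examplebucket4": "ResourcegroupB"}

if __name__ == "__main__":
    for f in audit_placement(PLANNED, ACTUAL):
        print(f"[{f.severity}] {f.bucket}: {f.detail}")
```
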


You can use OSS SDK for Java and OSS SDK for Python to configure a resource group for a bucket.

import com.aliyun.oss.*;
import com.aliyun.oss.common.auth.*;
import com.aliyun.oss.model.SetBucketResourceGroupRequest;

public class Demo {
    public static void main(String[] args) throws Throwable {
        // In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint.
        String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
        // We recommend that you do not save access credentials in the project code. Otherwise, access credentials may be leaked. As a result, the security of all resources in your account is compromised. In this example, access credentials are obtained from environment variables. You need to configure environment variables before you run the sample code.
        EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();
        // Specify the name of the bucket. Example: examplebucket.
        String bucketName = "examplebucket";
        // Specify the ID of the resource group. If you do not specify a resource group ID, the bucket belongs to the default resource group.
        String rgId = "rg-aekz****";

        // Create an OSSClient instance.
        OSS ossClient = new OSSClientBuilder().build(endpoint, credentialsProvider);

        try {
            // Create a setBucketResourceGroupRequest object.
            SetBucketResourceGroupRequest setBucketResourceGroupRequest = new SetBucketResourceGroupRequest(bucketName, rgId);
            // Configure the resource group to which the bucket belongs.
            ossClient.setBucketResourceGroup(setBucketResourceGroupRequest);
        } catch (OSSException oe) {
            System.out.println("Caught an OSSException, which means your request made it to OSS, "
                    + "but was rejected with an error response for some reason.");
            System.out.println("Error Message:" + oe.getErrorMessage());
            System.out.println("Error Code:" + oe.getErrorCode());
            System.out.println("Request ID:" + oe.getRequestId());
            System.out.println("Host ID:" + oe.getHostId());
        } catch (ClientException ce) {
            System.out.println("Caught an ClientException, which means the client encountered "
                    + "a serious internal problem while trying to communicate with OSS, "
                    + "such as not being able to access the network.");
            System.out.println("Error Message:" + ce.getMessage());
        } finally {
            if (ossClient != null) {
                // Release the resources held by the client.
                ossClient.shutdown();
            }
        }
    }
}

# -*- coding: utf-8 -*-
import oss2

# The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using these credentials to perform operations in OSS is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. To create a RAM user, log on to the RAM console.
auth = oss2.Auth('yourAccessKeyId', 'yourAccessKeySecret')
# Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com.
# Specify the name of the bucket. Example: examplebucket.
bucket = oss2.Bucket(auth, 'https://oss-cn-hangzhou.aliyuncs.com', 'examplebucket')

# Specify the ID of the resource group. If you do not specify the ID of the resource group, the bucket belongs to the default resource group.
resource_group_id = 'rg-aek27tc****'

# Configure a resource group for the bucket.
result = bucket.put_bucket_resource_group(resource_group_id)
print('The resource group is configured. Status ' + str(result.status) + ' is returned.')

Use RESTful APIs

If your business requires a high level of customization, you can directly call RESTful APIs. To directly call an API, you must include the signature calculation in your code. For more information, see PutBucketResourceGroup.