A resource group is a resource-based access control mechanism: you add the buckets that need the same permissions to one resource group and then grant permissions on the resource group instead of on each bucket. This makes authorization more efficient and easier to audit.
Background information
Enterprise users may create multiple Alibaba Cloud accounts to isolate resources for different projects, subsidiaries, and departments. However, this makes it difficult for enterprise users to manage, monitor, and audit the resources that reside in these Alibaba Cloud accounts in a centralized manner.
Object Storage Service (OSS) allows users to create resource groups to classify resources in an Alibaba Cloud account based on business scenarios. This way, the users within an enterprise can use resource groups to efficiently manage resources in their projects.
Notes
A resource group can contain buckets in different regions. A bucket can belong only to one resource group.
Buckets can be transferred only between resource groups that are created by the same owner.
Methods
Use the OSS console
In the following example, test data of different departments in your company is stored in 20 buckets. You want all your employees to be able to read and write the data in 10 of the buckets and only read the data in the other 10 buckets. Without resource groups, you must configure the permissions for each of the 20 buckets separately. With resource groups, you add the buckets that need the same permissions to one resource group and configure the permissions once for that resource group.
You also need a user group so that you can grant the same permissions to multiple RAM users (your employees) at once. A user group plays the same role for principals that a resource group plays for resources.
Create a user group and add RAM users to the user group.
Create a user group and name the group UserGroup1 in the RAM console. For more information, see Create a RAM user group. After you create the user group, add all the RAM users that need to access data in your buckets to the user group. For more information, see Add a RAM user to a RAM user group.
Create resource groups.
Log on to the Resource Management console.
In the left-side navigation pane, choose Resource Group > Resource Group.
On the Resource Group page, click Create Resource Group.
In the Create Resource Group panel, configure the Resource Group Name and Resource Group Identifier parameters. In this example, Resource Group Name is set to ResourcegroupA and Resource Group Identifier is set to Group1.
Click OK.
The status of the resource group becomes Creating. Wait for approximately 3 seconds and refresh the list. If the status of the resource group becomes Available, ResourcegroupA is created.
Repeat the preceding steps to create a resource group named ResourcegroupB.
Select resource groups for your buckets.
Log on to the OSS console.
Click Buckets, and then click the bucket named examplebucket1.
Choose Bucket Settings > Resource Group.
On the Resource Group page, click Settings.
Select ResourcegroupA for Resource Group and click Save.
Repeat the preceding steps to select ResourcegroupA for the buckets that all your employees are allowed only to read, and ResourcegroupB for the buckets that they are allowed to read and write.
Configure the required permissions to access resource groups.
Log on to the Resource Management console. In the left-side navigation pane, choose Resource Group > Resource Group.
Find the resource group in the list and click Manage Permission in the Actions column.
On the Permissions tab, click Grant Permission.
In the Grant Permission panel, configure the following parameters:
Authorized Scope: Select Specific Resource Group. Then, select ResourcegroupA from the drop-down list.
Principal: Enter UserGroup1.
Select Policy: Select System Policy. In the Authorization Policy Name column, click AliyunOSSReadOnlyAccess. This authorizes the RAM users in UserGroup1 to only read objects in the buckets in ResourcegroupA.
Click OK.
Click Complete.
Repeat the preceding steps with Authorized Scope set to ResourcegroupB and the AliyunOSSFullAccess policy selected, so that the RAM users in UserGroup1 can read and write objects in the buckets in ResourcegroupB.
Note that AliyunOSSFullAccess allows all OSS operations on the buckets in the authorized scope, including bucket management operations, not only object reads and writes. If your employees only need to upload and download objects, a custom policy that allows just the object-level actions they need (such as oss:GetObject and oss:PutObject) on that scope is a narrower grant.
Use OSS SDKs
Among the OSS SDKs, only the Java, Python, and Go SDKs support configuring resource groups. All three examples read the AccessKey pair from the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables instead of hard-coding it.
Java
import com.aliyun.oss.*;
import com.aliyun.oss.common.auth.*;
import com.aliyun.oss.common.comm.SignVersion;
import com.aliyun.oss.model.SetBucketResourceGroupRequest;

public class Demo {
    public static void main(String[] args) throws Throwable {
        // In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint.
        String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
        // Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.
        EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();
        // Specify the name of the bucket. Example: examplebucket.
        String bucketName = "examplebucket";
        // Specify the ID of the resource group. If you do not specify a resource group ID, the bucket belongs to the default resource group.
        String rgId = "rg-aekz****";
        // Specify the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the region to cn-hangzhou.
        String region = "cn-hangzhou";
        // Create an OSSClient instance that signs requests with signature version 4.
        ClientBuilderConfiguration clientBuilderConfiguration = new ClientBuilderConfiguration();
        clientBuilderConfiguration.setSignatureVersion(SignVersion.V4);
        OSS ossClient = OSSClientBuilder.create()
                .endpoint(endpoint)
                .credentialsProvider(credentialsProvider)
                .clientConfiguration(clientBuilderConfiguration)
                .region(region)
                .build();
        try {
            // Create a SetBucketResourceGroupRequest object.
            SetBucketResourceGroupRequest setBucketResourceGroupRequest = new SetBucketResourceGroupRequest(bucketName, rgId);
            // Configure the resource group to which the bucket belongs.
            ossClient.setBucketResourceGroup(setBucketResourceGroupRequest);
        } catch (OSSException oe) {
            System.out.println("Caught an OSSException, which means your request made it to OSS, "
                    + "but was rejected with an error response for some reason.");
            System.out.println("Error Message:" + oe.getErrorMessage());
            System.out.println("Error Code:" + oe.getErrorCode());
            System.out.println("Request ID:" + oe.getRequestId());
            System.out.println("Host ID:" + oe.getHostId());
        } catch (ClientException ce) {
            System.out.println("Caught a ClientException, which means the client encountered "
                    + "a serious internal problem while trying to communicate with OSS, "
                    + "such as not being able to access the network.");
            System.out.println("Error Message:" + ce.getMessage());
        } finally {
            if (ossClient != null) {
                ossClient.shutdown();
            }
        }
    }
}
Python
# -*- coding: utf-8 -*-
import oss2
from oss2.credentials import EnvironmentVariableCredentialsProvider

# Obtain access credentials from the environment variables. Before you run this sample code, make sure that you have configured the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables.
auth = oss2.ProviderAuth(EnvironmentVariableCredentialsProvider())
# Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com.
endpoint = "https://oss-cn-hangzhou.aliyuncs.com"
# Specify the ID of the region that maps to the endpoint. Example: cn-hangzhou. This parameter is required if you use signature version 4.
region = "cn-hangzhou"
# Specify the name of your bucket.
bucket = oss2.Bucket(auth, endpoint, "yourBucketName", region=region)
# Specify the ID of the resource group. If you do not specify the ID of the resource group, the bucket belongs to the default resource group.
resource_group_id = 'rg-aek27tc****'
# Configure the resource group to which the bucket belongs.
result = bucket.put_bucket_resource_group(resource_group_id)
print('Resource group configuration is successful. Returned status: ' + str(result.status))
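The SDK call above moves one bucket. In the 20-bucket scenario from the console section you want to move many buckets and then confirm that every bucket ended up in the group you intended, because the RAM grants are scoped by group membership. The following script is an added example, not part of the original page or of the OSS SDK: it computes the set of moves from a desired mapping (a plain dict, so each bucket can only be mapped to one group), refuses to run if any entry is malformed, applies the moves, and reads each bucket back. The bucket names, resource group IDs and current state are constructed, the resource group ID format check is an assumption based on the `rg-aek...` examples on this page, and the `oss2_callbacks` adapter uses the oss2 `get_bucket_resource_group` read-back call that this page does not show; the demo itself runs against an in-memory fake so it works offline.

```python
"""Reconcile bucket-to-resource-group assignments and verify them by read-back."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Resource group IDs on this page look like "rg-aekz****"; the exact format is an
# assumption here, used only as a sanity check before any API call is made.
RG_ID_RE = re.compile(r"^rg-[a-z0-9]+$")


@dataclass
class Plan:
    moves: List[Tuple[str, Optional[str], str]] = field(default_factory=list)  # (bucket, current, desired)
    unchanged: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)


def build_plan(desired: Dict[str, str], current: Dict[str, Optional[str]]) -> Plan:
    """Compute which PutBucketResourceGroup calls are needed.

    desired maps bucket name -> resource group ID (a bucket can belong to only one
    group, so a dict enforces that rule by construction). current maps bucket name
    -> the group it is in now, or None for the default resource group.
    """
    plan = Plan()
    for bucket, rg_id in sorted(desired.items()):
        if not RG_ID_RE.match(rg_id):
            plan.errors.append(f"{bucket}: malformed resource group ID {rg_id!r}")
            continue
        if bucket not in current:
            plan.errors.append(f"{bucket}: bucket not found in this account")
            continue
        if current[bucket] == rg_id:
            plan.unchanged.append(bucket)
        else:
            plan.moves.append((bucket, current[bucket], rg_id))
    return plan


def apply_plan(plan: Plan,
               set_rg: Callable[[str, str], None],
               get_rg: Callable[[str], Optional[str]]) -> List[str]:
    """Execute the moves, then read each bucket back; return the buckets that still
    do not report the desired group. Refuses to start when the plan has errors, so
    one typo does not leave the account half-reconciled."""
    if plan.errors:
        raise ValueError("plan has errors: " + "; ".join(plan.errors))
    mismatched = []
    for bucket, _old, rg_id in plan.moves:
        set_rg(bucket, rg_id)
        if get_rg(bucket) != rg_id:
            mismatched.append(bucket)
    return mismatched


def oss2_callbacks(endpoint: str, region: str):
    """Adapters over the OSS Python SDK for use with apply_plan. Not run by the
    demo: requires oss2 and OSS_ACCESS_KEY_ID / OSS_ACCESS_KEY_SECRET."""
    import oss2
    from oss2.credentials import EnvironmentVariableCredentialsProvider
    auth = oss2.ProviderAuth(EnvironmentVariableCredentialsProvider())

    def set_rg(bucket_name: str, rg_id: str) -> None:
        oss2.Bucket(auth, endpoint, bucket_name, region=region).put_bucket_resource_group(rg_id)

    def get_rg(bucket_name: str) -> Optional[str]:
        # Read-back call from the oss2 API; it is not shown on this page.
        result = oss2.Bucket(auth, endpoint, bucket_name, region=region).get_bucket_resource_group()
        return result.resource_group_id

    return set_rg, get_rg


def demo() -> Tuple[Plan, List[str], Dict[str, Optional[str]]]:
    """Constructed scenario: HR test buckets go to the read-only group, finance
    test buckets to the read/write group, run against an in-memory fake of OSS."""
    state: Dict[str, Optional[str]] = {   # constructed current state
        "hr-test-1": None,                # default resource group
        "hr-test-2": "rg-aaaa1111",       # already where we want it
        "fin-test-1": None,
        "fin-test-2": "rg-aaaa1111",      # currently in the wrong group
    }
    desired = {                           # constructed target mapping
        "hr-test-1": "rg-aaaa1111",
        "hr-test-2": "rg-aaaa1111",
        "fin-test-1": "rg-bbbb2222",
        "fin-test-2": "rg-bbbb2222",
    }
    plan = build_plan(desired, state)
    mismatched = apply_plan(plan, lambda b, rg: state.__setitem__(b, rg), state.get)
    return plan, mismatched, state


if __name__ == "__main__":
    plan, mismatched, state = demo()
    for bucket, old, new in plan.moves:
        print(f"moved {bucket}: {old or '<default>'} -> {new}")
    print("unchanged:", plan.unchanged, "mismatched after read-back:", mismatched)
```

To run it against a real account, replace the two lambdas in `demo` with the pair returned by `oss2_callbacks(endpoint, region)` and fill `state` from your bucket inventory. The read-back step is the part worth keeping: the RAM grant on ResourcegroupA or ResourcegroupB only applies to buckets that actually report that group.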
Go
package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
)

// Global variables filled from the command line.
var (
	region     string // The region in which the bucket is located.
	bucketName string // The name of the bucket.
)

// init registers the command line parameters.
func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&bucketName, "bucket", "", "The name of the bucket.")
}

func main() {
	// Parse command line parameters.
	flag.Parse()
	// Specify the ID of the resource group. If you do not specify a resource group ID, the bucket belongs to the default resource group.
	var groupId string = "rg-aekz****"
	// Check whether the bucket name is empty.
	if len(bucketName) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, bucket name required")
	}
	// Check whether the region is empty.
	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}
	// Load the default configuration and specify the credential provider and region.
	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)
	// Create an OSS client.
	client := oss.NewClient(cfg)
	// Create a request to configure the resource group for the bucket.
	request := &oss.PutBucketResourceGroupRequest{
		Bucket: oss.Ptr(bucketName), // The name of the bucket.
		BucketResourceGroupConfiguration: &oss.BucketResourceGroupConfiguration{
			ResourceGroupId: oss.Ptr(groupId),
		},
	}
	// Execute the request to configure the resource group for the bucket.
	result, err := client.PutBucketResourceGroup(context.TODO(), request)
	if err != nil {
		log.Fatalf("failed to put bucket resource group %v", err)
	}
	// Display the result of the request.
	log.Printf("put bucket resource group result:%#v\n", result)
}
Use ossutil
You can use ossutil to configure resource groups. For information about its installation, see Install ossutil.
Run the following command to move examplebucket into the resource group whose ID is rg-123:
ossutil api put-bucket-resource-group --bucket examplebucket --resource-group-configuration "{\"ResourceGroupId\":\"rg-123\"}"
For more information about this command, see put-bucket-resource-group.
Related API operation
The methods described above are all implemented on top of the RESTful API, which you can call directly if you need more control than the console, SDKs, or ossutil provide. When you call the API directly, your code must calculate the request signature itself. For more information, see PutBucketResourceGroup.