OSS assumes a Resource Access Management (RAM) role to replicate data between buckets. The permissions you attach to that role differ depending on whether the source and destination buckets belong to the same Alibaba Cloud account or to different accounts.
Prerequisites
Before you begin, ensure that you have:
- A RAM role with OSS (oss.aliyuncs.com) as the trusted entity
- Access to both the source and destination bucket accounts (for cross-account replication, access to both Account A and Account B)
How it works
Each replication task requires OSS to assume a RAM role you create. The role must carry two types of policies:
- Trust policy — authorizes OSS to assume the role
- Permission policy — grants the minimum required actions on the source and destination buckets
Because a RAM policy's Resource field can only reference resources within the same Alibaba Cloud account, the policy structure differs between same-account and cross-account replication:
| Scenario | Source-side setup | Destination-side setup |
|---|---|---|
| Same-account | RAM policy on the role (covers both buckets) | — |
| Cross-account | RAM policy on Account A's role (source bucket only) | Bucket policy on the destination bucket in Account B |
Set up permissions for same-account replication
Trust policy
Attach the following trust policy to the RAM role. It authorizes OSS to assume the role.
```json
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "oss.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
```
Permission policy
Attach the following RAM policy to the role. It grants the minimum actions required on both the source and destination buckets.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ReplicateList",
        "oss:ReplicateGet"
      ],
      "Resource": [
        "acs:oss:*:*:src-bucket",
        "acs:oss:*:*:src-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ReplicateList",
        "oss:ReplicateGet",
        "oss:ReplicatePut",
        "oss:ReplicateDelete"
      ],
      "Resource": [
        "acs:oss:*:*:dest-bucket",
        "acs:oss:*:*:dest-bucket/*"
      ]
    }
  ]
}
```
Replace src-bucket and dest-bucket with your actual bucket names.
Actions reference
| Action | Scope | Description |
|---|---|---|
| oss:ReplicateList | Source and destination buckets | Lists historical objects in the source bucket so OSS can replicate them to the destination |
| oss:ReplicateGet | Source and destination buckets | Reads objects, parts, multipart upload tasks, and object metadata |
| oss:ReplicatePut | Destination bucket | Writes objects, parts, multipart upload tasks, symbolic links, and object metadata to the destination |
| oss:ReplicateDelete | Destination bucket | Performs DeleteObject, AbortMultipartUpload, and DeleteMarker operations on the destination |
oss:ReplicateDelete is required only if you set Replication Policy to Add/Delete/Change.
Set up permissions for cross-account replication
Cross-account replication uses Account A (source bucket) and Account B (destination bucket). The setup is similar to same-account replication, with two differences:
- Account A's RAM policy covers only the source bucket, not the destination bucket.
- Account B must add a bucket policy that grants Account A's RAM role access to the destination bucket.
Step 1: Attach policies to Account A's RAM role
Trust policy — identical to the same-account trust policy. Attach it to the RAM role in Account A.
Permission policy — grants Account A's role the minimum permissions on the source bucket only.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ReplicateList",
        "oss:ReplicateGet"
      ],
      "Resource": [
        "acs:oss:*:*:src-bucket",
        "acs:oss:*:*:src-bucket/*"
      ]
    }
  ]
}
```
Replace src-bucket with your actual source bucket name.
Step 2: Add a bucket policy to Account B's destination bucket
In Account B, add the following bucket policy to the destination bucket. It grants Account A's RAM role the permissions needed to write replicated data.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ReplicateList",
        "oss:ReplicateGet",
        "oss:ReplicatePut",
        "oss:ReplicateDelete"
      ],
      "Principal": [
        "arn:sts::src-uid:assumed-role/role-name/*"
      ],
      "Resource": [
        "acs:oss:*:dest-uid:dest-bucket",
        "acs:oss:*:dest-uid:dest-bucket/*"
      ]
    }
  ]
}
```
Replace the placeholders with the values for your environment:
| Placeholder | Description |
|---|---|
| src-uid | UID of the Alibaba Cloud account to which the source bucket belongs |
| role-name | Name of the RAM role created in Account A |
| dest-uid | UID of the Alibaba Cloud account to which the destination bucket belongs |
| dest-bucket | Name of the destination bucket |
For action descriptions, see Actions reference.
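As an added example (not from the Alibaba Cloud documentation), the following Python helper builds the same-account role policy, the cross-account source-only role policy, and Account B's destination bucket policy from your bucket names and account UIDs, and audits an existing policy for grants beyond the four replication actions or outside the expected buckets. The `sync_deletes` flag, the function names, and the sample UIDs in the usage are assumptions of this example.

```python
import json

# The four replication actions documented on this page; anything else is excess.
REPLICATE_ACTIONS = {"oss:ReplicateList", "oss:ReplicateGet",
                     "oss:ReplicatePut", "oss:ReplicateDelete"}

def bucket_resources(bucket, uid="*"):
    """Resource pair for the bucket and its objects (UID is needed only in bucket policies)."""
    return [f"acs:oss:*:{uid}:{bucket}", f"acs:oss:*:{uid}:{bucket}/*"]

def dest_actions(sync_deletes):
    """Destination-side actions; ReplicateDelete only when deletions are replicated (assumed flag)."""
    base = ["oss:ReplicateList", "oss:ReplicateGet", "oss:ReplicatePut"]
    return base + (["oss:ReplicateDelete"] if sync_deletes else [])

def build_role_policy(src_bucket, dest_bucket=None, sync_deletes=False):
    """RAM policy for the assumed role; omit dest_bucket for the cross-account case."""
    statements = [{"Effect": "Allow",
                   "Action": ["oss:ReplicateList", "oss:ReplicateGet"],
                   "Resource": bucket_resources(src_bucket)}]
    if dest_bucket is not None:  # same-account: the role covers the destination too
        statements.append({"Effect": "Allow", "Action": dest_actions(sync_deletes),
                           "Resource": bucket_resources(dest_bucket)})
    return {"Version": "1", "Statement": statements}

def build_dest_bucket_policy(src_uid, role_name, dest_uid, dest_bucket, sync_deletes=False):
    """Bucket policy Account B attaches so Account A's assumed role can write."""
    return {"Version": "1", "Statement": [{
        "Effect": "Allow", "Action": dest_actions(sync_deletes),
        "Principal": [f"arn:sts::{src_uid}:assumed-role/{role_name}/*"],
        "Resource": bucket_resources(dest_bucket, dest_uid)}]}

def audit_policy(policy, allowed_buckets):
    """Flag statements granting more than replication needs: non-replication
    actions, or resources outside the expected buckets (a bare '*' included)."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        for extra in sorted(set(actions) - REPLICATE_ACTIONS):
            findings.append(f"statement {i}: {extra} is not a replication action")
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for res in resources:
            bucket = res.split(":", 4)[-1].split("/", 1)[0]  # acs:oss:region:uid:bucket[/key]
            if bucket not in allowed_buckets:
                findings.append(f"statement {i}: {res} is outside {sorted(allowed_buckets)}")
    return findings

if __name__ == "__main__":
    print(json.dumps(build_role_policy("src-bucket", "dest-bucket", sync_deletes=True), indent=2))
```

Run the audit against the policy currently attached to your role before enabling a task; a finding on a `*` resource or a non-Replicate action means the role can do more than replicate.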